Using an Assurance Case Framework to Develop Security Strategy and Policies
Assurance cases have been developed to reason and communicate about the trustworthiness of systems. Recently we have also been using them to support the development of policy and to assess the impact of security issues on safety regulation. In the example we present in this paper, we worked with a safety regulator (anonymised as A Regulatory Organisation (ARO) in this paper) to investigate the impact of cyber-security on safety regulation.
Keywords: Security-informed safety, Assurance cases, Regulation, Risk assessment
This work has been partially supported by the UK EPSRC project “Communicating and Evaluating Cyber Risk and Dependencies” (CEDRICS, EP/M002802/1), which is part of the UK Research Institute in Trustworthy Industrial Control Systems (RiTICS).