Fig 5 - uploaded by Vladimir Sklyar
Source publication
Assurance (Security and Safety) Case is an approach to prove critical systems and software compliance with security and safety requirements. We propose an advanced framework named as Assurance Case Driven Design (AC DD) to improve cost-effectiveness of certification and licensing processes. AC DD is based on Claim-Argument-Evidence-Criteria (CAEC)...
Citations
... One of the prospective areas of BA application is different business domain studies, such as banking, e-commerce, e-learning, telemedicine, smart manifesting, etc. As an example, we can mention the safety and security domain [10], when the BA approach supports exercises directed to safety and security assessment and assurance [11]. ...
This paper aims to develop a practical learning framework with the implementation of business analysis methods in ICT education. General issues of business analysis applicable in ICT education are analyzed. The BABOK Guide describes knowledge areas for business analysis, as well as tasks and main competencies, techniques, and perspectives concerning business analysis. Reasons for business analysis learning include its support with the case method and project-based learning including the development of students' hard and soft skills. We prioritize business analysis and exercises and activities applicable to ICT education. Taxonomy of learning effectiveness indicators related to business analysis is developed together with a business analysis learning framework.
... The most common strategy depends on the output of a threat, vulnerability, asset or risk analysis (8 papers) (Cockram and Lautieri 2007; Coffey et al. 2014; Cyra and Gorski 2007; Mohammadi et al. 2018; Patu and Yamamoto 2013a; Vivas et al. 2011; Xu et al. 2017; Weinstock et al. 2007). Other popular strategies are breaking down the claims based on the requirements or more specifically quality requirements and even more specifically security requirements (5 papers) (Agudo et al. 2009; Calinescu et al. 2017; Haley et al. 2005; Netkachova et al. 2015; Sklyar and Kharchenko 2017b), and arguing based on security properties, e.g., confidentiality, integrity and availability (5 papers ...
... ) (Chindamaikul et al. 2014; Finnegan and McCaffery 2014a; Mohammadi et al. 2018; Poreddy and Corns 2011; Sklyar and Kharchenko 2017b). Additionally, researchers also used system and security goals (4 papers) (Agudo et al. 2009; Ben Othmane et al. 2014; Mohammadi et al. 2018; Tippenhauer et al. 2014), software components or features (3 papers) (Agudo et al. 2009; Hawkins et al. 2015; Sklyar and Kharchenko 2017b), security standards and principles (2 papers) (Ankrum and Kromholz 2005; Sljivo and Gallina 2016), pre-defined argumentation model (1 paper) (Górski et al. 2012), and development life-cycle phases (1 paper) (Ray and Cleaveland 2015). ...
Security Assurance Cases (SAC) are a form of structured argumentation used to reason about the security properties of a system. After the successful adoption of assurance cases for safety, SAC are getting significant traction in recent years, especially in safety-critical industries (e.g., automotive), where there is an increasing pressure to be compliant with several security standards and regulations. Accordingly, research in the field of SAC has flourished in the past decade, with different approaches being investigated. In an effort to systematize this active field of research, we conducted a systematic literature review (SLR) of the existing academic studies on SAC. Our review resulted in an in-depth analysis and comparison of 51 papers. Our results indicate that, while there are numerous papers discussing the importance of SAC and their usage scenarios, the literature is still immature with respect to concrete support for practitioners on how to build and maintain a SAC. More importantly, even though some methodologies are available, their validation and tool support is still lacking.
... The discussed QTS includes the following parts [8]: - The chassis that performs the functions of module disposal, providing power and communications to the modules, and also connecting the signal cables through a backplane. The TS includes a PLC that is able to generate input signals for the QTS and process output signals for the QTS like "mirror" (TS outputs - QTS inputs and TS inputs - QTS outputs). ...
... The proposed EQ Testing Framework has been successfully used in industrial projects related with licensing and certification in nuclear domain [7,8]. ...
Computer control systems (CCS) are important for operation and maintenance of safety-critical infrastructures. A challenge in such systems implementation is certification and licensing against national and international regulatory requirements. Environmental tests are applied to check that equipment of the CCS can withstand the rigors of harsh environments, for example high and low temperature and humidity, water drops and dust, seismic vibration and acceleration, electromagnetic interference, radiation, etc. It can happen that environmental tests emphasis is methods, level and types of environmental impacts, but there is a question about functions which shall perform a system under test before, during and after test impact application. Equipment Qualification Testing Framework is proposed. The requirements to system operation under test are described in view of a model. Model Driven Development methodology is applied for design and Model-based Testing methodology is applied for verification.
... A modern approach to E-learning implementation consists in development of massive open online courses (MOOCs). Despite numerous well known advantages and disadvantages of E-learning we put emphasis on the challenges and opportunities related with application of this relatively new education technology, such as: individual approaches to students with opportunities to build individual learning trajectories based in student-oriented approach [1]; application of Learning Management System (LMS) as centralized environment for administration, documentation, tracking, reporting, and delivery of learning courses [2]; needs in essential scope of relevant studies and data, that would provide a strong background for empirical based analysis [3]; choice of relevant indicators to make qualitative and quantitative assessment of E-learning [4]; high degree of importance of students' homework which can be organized in both individual and collaborative manner [5]; needs in choice of effective teaching methods depending on features of courses and sciences; in the paper we discuss the case method [6] as well as the project-based learning [7] applied for the course devoted to safety and security of control systems [8]. ...
... The main task of the project is to develop a document covering the analysis and assessment of safety and security related with the lecture material. This document is called the Assurance Case in accordance with the actual practice of safety and security assessment [8]. The development of the Assurance Case is now used in the practice of assessment and certification against safety and security requirements. ...
The objective of this paper is to develop a practical E-learning framework with implementation of case method and project-based learning. In paper we obtain the following results. Content of the massive open online course (MOOC) “Safety and Security of Control Systems” is analyzed. This MOOC was introduced in 2017 for master students program “Cybersecurity” at National Aerospace University “KhAI” (Kharkiv, Ukraine). A core part of this MOOC is a project devoted to safety and security assessment of real systems and software. Taxonomy for indicators of E-learning effectiveness is proposed. Case study was done in Ukraine between students of Cybersecurity program after finish of study of the MOOC “Safety and Security of Control Systems”. A sample includes 40 master students involved in the course learning during 2017-2019. Case study results confirmed a set of hypotheses related with E-learning effectiveness when case method and project-based learning are implemented.
... One of the challenges in safety critical systems application is its certification and licensing [2,3]. NPP PAMS is a Category A system in accordance with nuclear safety requirements [4], which means the highest level of safety and security. NPP PAMS based on UAVs (UAV PAMS) is new for NPP, so UAV features have to be taken into account with respect to nuclear issues. ...
... The requirements groups contain related requirements and support one or other of the global goals. For example, the requirements for safety and security management in IEC 61508 [2] include requirements to human resource management, configuration management, documentation management, and others [4]. ...
... The transition from the Level 1 to the Level 2 groups of requirements contains an analysis of existing requirements to safety & security management and assessment. Such analysis has been performed in [4], and the structure of the Safety and Security Management Plan (SSMP) has been obtained as a result. The SSMP reflects integrated requirement to safety and security. ...
... While SACs are usually used to establish evidence-based security assurance for a given system, researchers have reported cases where SAC could be used to achieve dif-

Ankrum et al. [5] | External forces | Comply with standards and regulation
Calinescu et al. [12] | External forces | Comply with security requirements of safety-critical systems
Cyra et al. [18] | External forces | Comply with standards and regulation
Finnegan et al. [20] | External forces | Comply with regulation and maintain confidence in the product in question
Finnegan et al. (2) [21] | External forces | Comply with regulation
He et al. [35] | External forces | Reason about cybersecurity policies and procedures
Mohammadi et al. [47] | External forces | Learn from the safety domain where it is a proven approach
Ray et al. [56] | External forces | Comply with regulation and internal needs from cyber-physical systems' manufacturers
Sklyar et al. (2) [63,65,64] | External forces | Comply with standards
Sljivo et al. [66] | External forces | Comply with standards and regulation
Strielkina et al. [69] | External forces | Comply with security regulation
Goodger et al. [28] | Knowledge transfer | Learn from the safety domain to integrate oversight for safety and security
Ionita et al. [38] | Knowledge transfer | Learn from the safety domain where it is a proven approach
Netkachova et al. (2) [49] | Knowledge transfer | Learn from the safety domain where it is a proven approach
Poreddy et al. [55] | Knowledge transfer | Learn from the safety domain, where it is a proven approach
Sklyar et al. [62] | Knowledge transfer | Learn from the safety domain, where it is a proven in-use approach
Ben Othmane et al. [7] | Process improvement | Trace security requirements and assure security during iterative development.
Ben Othmane et al. [8] | Process improvement | Assure security during iterative development
Cheah et al. [14] | Process improvement | Cope with the increasing connectivity of systems
Cockram et al. [16] | Process improvement | Reduces both technical and program risks through process improvement
Gallo et al. [26] | Process improvement | Factor analytical and implementation work per component, requisite, technology, or life-cycle
Lipson et al. [42] | Process improvement | Help analyzing complex systems
Netkachova et al. [50] | Process improvement | Tackle security issues which have intensified challenges of engineering safety-critical systems. ...
...
- Integrating SAC in the development life-cycle: These approaches suggest mapping the SAC creation activities to the development activities to integrate SACs in the development and security processes [3,8,56,74], as well as assurance case driven design [62,63,65,64].
- Using different types of AC for security: These approaches suggest using different types of assurance cases other than SAC for security assurance. ...
... Lipson and Weinstock [42] describe how to understand, gather, and generate multiple kinds of evidence that can contribute to building SAC. The most common types of evidence reported in literature are testing results (12 papers) [7,12,14,15,42,55,60,62,63,65,64,66], and different types of analysis. These analyses include threat and vulnerability [16,20,21,53], code and bug [15,7,62,63,65,64], security standards and policies [3,51], risk [47], and log analysis [47,53]. ...
Security Assurance Cases (SAC) are a form of structured argumentation used to reason about the security properties of a system. After the successful adoption of assurance cases for safety, SACs are getting significant traction in recent years, especially in safety-critical industries (e.g., automotive), where there is an increasing pressure to be compliant with several security standards and regulations. Accordingly, research in the field of SAC has flourished in the past decade, with different approaches being investigated. In an effort to systematize this active field of research, we conducted a systematic literature review (SLR) of the existing academic studies on SAC. Our review resulted in an in-depth analysis and comparison of 51 papers. Our results indicate that, while there are numerous papers discussing the importance of security assurance cases and their usage scenarios, the literature is still immature with respect to concrete support for practitioners on how to build and maintain a SAC. More importantly, even though some methodologies are available, their validation and tool support is still lacking.
... Also, a cross-domain ISO/IEC standard dedicated to assurance cases was published [5]. Moreover, for several other standards or guidelines, which do not explicitly encourage nor mention using an assurance case, it was shown that development of such argument can help to demonstrate conformance to standard's requirements - examples include ISO 61508 [6] [7], ISO 15408 [8] or safety and quality management of healthcare services [9] [10]. Despite the presence of several graphical notations dedicated to assurance case representation, all of them are based on the underlying argument model by Toulmin [11]. ...
An assurance case is a structured, evidence-based argument demonstrating that a safety or other quality objective of a high integrity system is assured. Assurance cases are required or recommended in many industry domains as a means to convince the regulatory bodies to allow commissioning of such system. To be convincing, an argument should address all potential doubts and thus cover numerous additional issues, including the processes that led to development of the considered system. It is however not obvious, which elements of processes (and which characteristics of them) should be documented and how to include them in the argument without making it too large and complex. In this paper we provide description structures for essential process elements. The structures were developed on the basis of literature search and reviews of publicly available assurance cases. We also show how to include such information within the overall assurance case in a way that reduces the complexity and allows to distinguish process-related elements from the primary argument.
... Advanced Hotel Management Framework (AHMF) [15] contains the following three main parts: strategic planning, operation and maintenance, as well as infrastructure management and assets management. More issues related with safety and security assurance in critical areas, including hospitality industry, can be found in [16,17]. ...
The paper contains results obtained in area of big data analysis for hotel revenue management. Authors challenge the area of hotel management since they have and still improve skills in this area. The paper presents the new results obtained for previously developed Advanced Hotel Management Framework. We use comparatively the new tool "Booking.com Analytics" developed by the company Booking.com B.V. in 2016 for hotels involved in a global partnership program. We learned available features and data from the "Booking.com Analytics". The performed case study is associated with a mini-hotel situated in Cambodia. We studied data related with booking percentage depending from tourists' countries of origin, book window percentage, cancelation of reservation percentage, guests' review rating, as well as special genius guests' program percentage. After that we tried to find statistical dependencies between a managed value of room daily rate and available big data. In conclusion, the obtained results are discussed.
... AHMF structure is based on the author's relevant experience. This big picture can also be used as a case-based approach [9,10] for a hotel effectiveness assurance and assessment. Also we analyze issues related with implementation of Information Technologies (IT) and particularly Internet of Things (IoT) in hotel industry [6,11]. ...
... AHMF is a business case description based on Mind Map representation, which provides a useful basis for business effectiveness assessment and assurance. Detailed AHMF business case can be represented in a table view in accordance with Claim - Arguments - Evidence structure [10]. Such hotel management case description is a good communication for all the hotel stakeholders. ...
The paper contains novel results obtained in area of cost effective hotel management based on qualitative analysis of Key Performance Indicators (KPIs). Five RAMS attributes (reliability, availability, maintainability, safety and security) and associated KPIs are considered as business critical. We also propose the new obtained Advanced Hotel Management Framework (AHMF) for case based business effectiveness assessment and assurance, as well as a taxonomy of KPIs for hotel management. Maintenance strategy for improvement of availability of a room is suggested.
... Application of Assurance Case for IoT domain based on functional safety requirements is considered in [16]. Safety and security requirements are harmonized in [17] to support application of AC DD. ...