A Systematic Mapping Study on Security Requirements Engineering Frameworks for Cyber-Physical Systems

摘要

Since the world is moving towards secure systems which makes security a primary concern and not an afterthought in software development. Secure software development involves security at each step of development lifecycle from requirements phase to testing. With surging focus on security requirements, we can see an increase in frameworks/methods/techniques proposed to deal with security requirements for variable applications. However, to summarise the literature findings till date and to propose further ways to handle security requirements a systematic and comprehensive review is needed. Our objective is to conduct a systematic mapping study for cyber-physical systems: (ⅰ) to explore and analyse security requirements engineering frameworks/ methods/techniques proposed till date, (ⅱ) to investigate on their strengths and weaknesses, and (ⅲ) to determine the security threats and requirements reported in literature. We conducted a systematic mapping study for which we defined our goals and determined research questions, denned inclusion/exclusion criteria, and designed the map systematically based on the research questions. The search yielded 337 articles after deploying the query on multiple databases and refining the search iteratively through a multistep process. The mapping study identified and categorised the existing security requirements engineering frameworks/methods/techniques focused on their implementation and evaluation mechanisms. Second, we identified and categorised the proposed to deal with security requirements for multiple domains, determined their strengths/weaknesses, and also security requirements and threats reports in the selected studies. The study provides an overall view of the state-of-the-art frameworks/methods/techniques proposed till date to deal with security requirements. The results of this study provide insights to researchers to focus more on developing frameworks to deal with security requirements for particular kinds of systems like cyber-physical systems. Also, it motivates future work to devise methods to cater domain specific security risks and requirements.