Security assurance provides the confidence that the security features, practices, procedures, and architecture of software systems mediate and enforce the security policy and are resilient against security failures and attacks. Alongside the significant benefits of security assurance, the evolution of new information and communication technology (ICT) introduces new challenges regarding information protection. Security assurance methods based on traditional tools, techniques, and procedures may fail to account for these new challenges because of poor requirement specifications, their static nature, and poor development processes. The Common Criteria (CC), commonly used for the security evaluation and certification process, also come with many limitations and challenges. In this paper, extensive efforts have been made to study the state of the art, limitations, and future research directions for the security assurance of ICT and cyber-physical systems (CPS) across a wide range of domains. We systematically review the requirements, processes, and activities involved in system security assurance, including security requirements, security metrics, systems and environments, and assurance methods. We shed light on the challenges and gaps identified in the existing literature on system security assurance and the corresponding solutions. Finally, we discuss the limitations of the present methods and future research directions.