Shafiq ur Rehman: Security requirements engineering: a framework for cyber-physical systems

In present day software development industry, cyber-physical systems are gaining much attention from researchers and practitioners due to their high impact on the world’s economy. These systems are considered as hallmarks of the modern age of computing power integrated with physical systems. With the rising use and importance of cyber-physical systems, organizations have come to terms with the importance of security in these systems. Therefore, security requirements are a significant part of cyber-physical systems, but there is a lack of processes to develop secure systems. Several security requirements frameworks have been proposed but the benefits of these frameworks are limited to the realm of software. The most significant contribution of this thesis is to propose, apply and assess a security requirements engineering framework for cyber-physical systems that overcomes the issue of security requirements elicitation for cyber-physical systems. The proposed cyber-physical systems framework offers complete guidelines for practitioners and researchers to determine security requirements. A security requirements engineering Tool to facilitate application of our proposed framework has also been developed. The proposed framework has been evaluated by way of two case studies conducted on real-world cyber-physical systems implementations, which show promising results. Furthermore, this work also compares the activities mandated by our security requirements engineering framework with those of existing software security frameworks. The results of this thesis can be used as a basis for further research in security requirements engineering of cyber-physical systems. Organizations that apply the proposed framework derived from the results of this research will be better positioned to explore security requirements in the early phases of system development and be assured of an uncompromised system of security.