A SECURITY ASSURANCE CASE FOR IoT SYSTEMS USING GOAL STRUCTURE NOTATION
DOI: https://doi.org/10.35631/JISTM.1038026

Keywords: Security Requirement Engineering (SRE), Requirement Engineering (RE), Software Security, Assurance Case

Abstract
IoT-focused cyberattacks exploit the largest attack surface, a consequence of the vast environment in which IoT systems operate. Key security requirements (SR) for IoT include data confidentiality, data integrity, authentication, access control, and privacy. On the Internet of Things, confidentiality is a crucial security service and the one most frequently targeted. Inadequate emphasis on the assessment of IoT security requirements leads to attacks and threats: the absence of security requirement assessment in IoT system architecture jeopardizes security, exposes the system to vulnerabilities, puts organizational assets and reputation at risk, and escalates the cost and time required to address security issues. An assurance case is developed to identify security requirement assessment based on compliance standards, to communicate and align IoT security measures, and to identify, analyze, and address potential assets, security threats, and attacks systematically. In this research, a novel and illustrative example of an assurance case is provided for the confidentiality security requirement of an IoT system, to shed light on the attacks and threats relevant to IoT assets. This provides a practical and clear basis for the justifiable development of an assurance case for IoT security requirements earlier in development and for its integration with RE activities. The structured approach applies across methodologies such as Agile, Waterfall, and SSDL, ensuring compliance with security standards and offering a comprehensive solution to key challenges in IoT security.
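As an added illustration (not the paper's own case or tooling), the following Python sketch models a small GSN-style assurance case for the IoT confidentiality requirement and checks it for undeveloped goals, i.e. goals or strategies that are not yet backed by any solution (evidence). The node identifiers, the goal wording and the evidence items are constructed for this example.

```python
from dataclasses import dataclass, field

@dataclass
class Node:
    """One GSN element. kind is 'Goal', 'Strategy', 'Solution' or 'Context'."""
    id: str
    kind: str
    text: str
    children: list = field(default_factory=list)

def support(node):
    """Children that argue for a node; Context nodes only scope it."""
    return [c for c in node.children if c.kind != "Context"]

def undeveloped(node):
    """Ids of Goals/Strategies with no supporting argument or evidence below them."""
    found = []
    if node.kind in ("Goal", "Strategy") and not support(node):
        found.append(node.id)
    for child in support(node):
        found.extend(undeveloped(child))
    return sorted(found)

def evidence(node):
    """Ids of all Solution nodes reachable from the top goal."""
    ids = [node.id] if node.kind == "Solution" else []
    for child in support(node):
        ids.extend(evidence(child))
    return sorted(ids)

def build_case():
    """Constructed example: top goal 'data confidentiality' for an IoT system."""
    g1 = Node("G1", "Goal", "Confidentiality of sensor data is preserved")
    g1.children.append(Node("C1", "Context", "Assets: sensor readings, device keys"))
    s1 = Node("S1", "Strategy", "Argue over each data state: at rest, in transit, keys")
    g1.children.append(s1)
    g2 = Node("G2", "Goal", "Data at rest on the device is encrypted")
    g2.children.append(Node("Sn1", "Solution", "Storage encryption test report"))
    g3 = Node("G3", "Goal", "Data in transit is encrypted and authenticated")
    g3.children.append(Node("Sn2", "Solution", "TLS configuration review"))
    g4 = Node("G4", "Goal", "Device keys are protected from disclosure")  # no evidence yet
    s1.children.extend([g2, g3, g4])
    return g1

if __name__ == "__main__":
    case = build_case()
    print("undeveloped:", undeveloped(case))   # G4 still needs an argument or evidence
    print("evidence:", evidence(case))
```

A reviewer would treat every id returned by `undeveloped` as an open security-requirement assessment item before the case is accepted.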