{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,18]],"date-time":"2026-05-18T10:19:51Z","timestamp":1779099591766,"version":"3.51.4"},"reference-count":81,"publisher":"Springer Science and Business Media LLC","issue":"4","license":[{"start":{"date-parts":[[2024,7,4]],"date-time":"2024-07-04T00:00:00Z","timestamp":1720051200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2024,7,4]],"date-time":"2024-07-04T00:00:00Z","timestamp":1720051200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"funder":[{"DOI":"10.13039\/100007691","name":"Universidade da Beira Interior","doi-asserted-by":"crossref","id":[{"id":"10.13039\/100007691","id-type":"DOI","asserted-by":"crossref"}]}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Int. J. Inf. Secur."],"published-print":{"date-parts":[[2024,8]]},"abstract":"<jats:title>Abstract<\/jats:title><jats:p>The adoption and popularity of mobile devices by end-users is partially driven by the increasing development and availability of mobile applications that can aid solving different problems and provide access to services in a wide range of domains or categories, namely healthcare, education, e-commerce or entertainment. While these applications use and benefit from the combination of a wide panoply of technologies from the Internet of Things, fog and cloud computing, data security and privacy are typically not fully taken into account before the creation of many mobile applications or during the software development phases. This paper presents an in-depth approach to modeling attacks on the specific <jats:italic>cloud and mobile ecosystem<\/jats:italic>, given its importance in the process of secure application development. Moreover, aiming at bridging the knowledge gap between developers and security experts, this paper presents an alpha version of the security by design for cloud and mobile ecosystem (<jats:sc>secD4CloudMobile<\/jats:sc>) framework. <jats:sc>secD4CloudMobile<\/jats:sc> is a set of tools that covers <jats:italic>cloud and mobile security requirement elicitation<\/jats:italic> (CMSRE), <jats:italic>cloud and mobile security best practices guidelines<\/jats:italic> (CMSBPG), <jats:italic>cloud mobile attack modeling elicitation<\/jats:italic> (CMAME), and <jats:italic>cloud mobile security test specification and tools<\/jats:italic> (CM2ST). The purpose of the framework is to provide cloud and mobile application developers useful readily applicable information and guidelines, striving to bring security engineering and software engineering closer, in a more accessible and automated manner, aiming at the incorporation of security by construction. Finally, the paper presents some preliminary results and discussion.\n<\/jats:p>","DOI":"10.1007\/s10207-024-00880-6","type":"journal-article","created":{"date-parts":[[2024,7,4]],"date-time":"2024-07-04T08:14:55Z","timestamp":1720080895000},"page":"3043-3064","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":8,"title":["Expediting the design and development of secure cloud-based mobile apps"],"prefix":"10.1007","volume":"23","author":[{"given":"Francisco T.","family":"Chimuco","sequence":"first","affiliation":[]},{"given":"Jo\u0101o B. F.","family":"Sequeiros","sequence":"additional","affiliation":[]},{"given":"Tiago M. C.","family":"Sim\u014des","sequence":"additional","affiliation":[]},{"given":"M\u00e1rio M.","family":"Freire","sequence":"additional","affiliation":[]},{"given":"Pedro R. M.","family":"In\u00e1cio","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2024,7,4]]},"reference":[{"key":"880_CR1","doi-asserted-by":"publisher","unstructured":"Abbas, S.G., et\u00a0al.: A threat modelling approach to analyze and mitigate botnet attacks in smart home use case. In: 2020 IEEE 14th International Conference on Big Data Science and Engineering (BigDataSE), pp. 122\u2013129. IEEE, Guangzhou, China (2020). https:\/\/doi.org\/10.1109\/BigDataSE50710.2020.00024","DOI":"10.1109\/BigDataSE50710.2020.00024"},{"key":"880_CR2","doi-asserted-by":"publisher","unstructured":"Al-Omary, A.: A secure framework for mobile cloud computing. In: 2019 International Conference on Innovation and Intelligence for Informatics, Computing, and Technologies (3ICT), pp. 1\u20136. IEEE, Sakhier, Bahrain (2019). https:\/\/doi.org\/10.1109\/3ICT.2019.8910294","DOI":"10.1109\/3ICT.2019.8910294"},{"key":"880_CR3","doi-asserted-by":"crossref","unstructured":"Alberts, C.J., et\u00a0al.: Operationally critical threat, asset, and vulnerability evaluation (octave) framework, version 1.0. Tech. rep., CARNEGIE-MELLON UNIV PITTSBURGH PA SOFTWARE ENGINEERING INST (1999)","DOI":"10.21236\/ADA367718"},{"key":"880_CR4","doi-asserted-by":"publisher","unstructured":"Almorsy, M., Grundy, J.: Secdsvl: A domain-specific visual language to support enterprise security modelling. In: 2014 23rd Australian Software Engineering Conference, pp. 152\u2013161. IEEE, Milsons Point, NSW, Australia (2014). https:\/\/doi.org\/10.1109\/ASWEC.2014.18","DOI":"10.1109\/ASWEC.2014.18"},{"issue":"5","key":"880_CR5","doi-asserted-by":"publisher","first-page":"649","DOI":"10.1007\/s12652-015-0308-5","volume":"7","author":"F AlShahwan","year":"2016","unstructured":"AlShahwan, F., Faisal, M., Ansa, G.: Security framework for restful mobile cloud computing web services. J. Ambient Intell. Humaniz. Comput. 7(5), 649\u2013659 (2016)","journal-title":"J. Ambient Intell. Humaniz. Comput."},{"issue":"7","key":"880_CR6","doi-asserted-by":"publisher","first-page":"953","DOI":"10.3923\/jas.2015.953.967","volume":"15","author":"A Amini","year":"2015","unstructured":"Amini, A., et al.: Threat modeling approaches for securing cloud computin. J. Appl. Sci. 15(7), 953\u2013967 (2015). https:\/\/doi.org\/10.3923\/jas.2015.953.967","journal-title":"J. Appl. Sci."},{"key":"880_CR7","doi-asserted-by":"publisher","unstructured":"Anand, P., et\u00a0al.: Threat assessment in the cloud environment: A quantitative approach for security pattern selection. In: Proceedings of the 10th International Conference on Ubiquitous Information Management and Communication, IMCOM \u201916. Association for Computing Machinery, New York, NY, USA (2016). https:\/\/doi.org\/10.1145\/2857546.2857552","DOI":"10.1145\/2857546.2857552"},{"issue":"6","key":"880_CR8","doi-asserted-by":"publisher","first-page":"3676","DOI":"10.1109\/TEM.2020.3045661","volume":"69","author":"FM Awaysheh","year":"2022","unstructured":"Awaysheh, F.M., et al.: Security by design for big data frameworks over cloud computing. IEEE Trans. Eng. Manag. 69(6), 3676\u20133693 (2022). https:\/\/doi.org\/10.1109\/TEM.2020.3045661","journal-title":"IEEE Trans. Eng. Manag."},{"key":"880_CR9","unstructured":"BankMyCell: How many smartphones are in the world? (2021). https:\/\/www.bankmycell.com\/blog\/how-many-phones-are-in-the-world"},{"issue":"1","key":"880_CR10","doi-asserted-by":"publisher","first-page":"39","DOI":"10.1145\/1125808.1125810","volume":"15","author":"D Basin","year":"2006","unstructured":"Basin, D., et al.: Model driven security: from UML models to access control infrastructures. ACM Trans. Softw. Eng. Methodol. 15(1), 39\u201391 (2006). https:\/\/doi.org\/10.1145\/1125808.1125810","journal-title":"ACM Trans. Softw. Eng. Methodol."},{"key":"880_CR11","doi-asserted-by":"publisher","unstructured":"Basin, D., et\u00a0al.: A decade of model-driven security. In: Proceedings of the 16th ACM Symposium on Access Control Models and Technologies, SACMAT \u201911, pp. 1-10. Association for Computing Machinery, New York, NY, USA (2011). https:\/\/doi.org\/10.1145\/1998441.1998443","DOI":"10.1145\/1998441.1998443"},{"issue":"1","key":"880_CR12","first-page":"47","volume":"2","author":"R Breu","year":"2007","unstructured":"Breu, R., Hafner, M.: Model-driven security engineering for trust management in sectet. J. Softw. 2(1), 47\u201359 (2007)","journal-title":"J. Softw."},{"key":"880_CR13","doi-asserted-by":"publisher","unstructured":"Byers, D., et\u00a0al.: Modeling software vulnerabilities with vulnerability cause graphs. In: 2006 22nd IEEE International Conference on Software Maintenance, pp. 411\u2013422. IEEE, Philadelphia, PA, USA (2006). https:\/\/doi.org\/10.1109\/ICSM.2006.40","DOI":"10.1109\/ICSM.2006.40"},{"key":"880_CR14","unstructured":"Ceci, L.: Most popular apple app store categories in june 2021, by share of available apps (2021). https:\/\/www.statista.com\/statistics\/270291\/popular-categories-in-the-app-store\/"},{"key":"880_CR15","doi-asserted-by":"publisher","unstructured":"Chen, H.Y., Rao, S.P.: On adoptability and use case exploration of threat modeling for mobile communication systems. In: Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, CCS \u201921, pp. 2417\u20132419. Association for Computing Machinery, New York, NY, USA (2021). https:\/\/doi.org\/10.1145\/3460120.3485348","DOI":"10.1145\/3460120.3485348"},{"key":"880_CR16","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1007\/s10207-023-00669-z","volume":"22","author":"FT Chimuco","year":"2023","unstructured":"Chimuco, F.T., et al.: Secure cloud-based mobile apps: attack taxonomy, requirements, mechanisms, tests and automation. Int. J. Inf. Secur. 22, 1\u201335 (2023)","journal-title":"Int. J. Inf. Secur."},{"key":"880_CR17","unstructured":"Chimuco, F.T., et\u00a0al.: Secure design and development of applications in the cloud and mobile ecosystem. In: INForum 2023 Atas do 13$$^\\circ $$ Simp\u00f3sio de Inform\u00e0tica. INForum: Simp\u00f3sio de Inform\u00e1tica, Porto, Portugal (2023)"},{"key":"880_CR18","doi-asserted-by":"publisher","unstructured":"Chu, M., et\u00a0al.: Visualizing attack graphs, reachability, and trust relationships with navigator. In: Proceedings of the Seventh International Symposium on Visualization for Cyber Security, VizSec \u201910, pp. 22\u201333. Association for Computing Machinery, New York, NY, USA (2010). https:\/\/doi.org\/10.1145\/1850795.1850798","DOI":"10.1145\/1850795.1850798"},{"key":"880_CR19","doi-asserted-by":"publisher","unstructured":"Dey, S., Sampalli, S., Ye, Q.: A context-adaptive security framework for mobile cloud computing. In: 2015 11th International Conference on Mobile Ad-hoc and Sensor Networks (MSN), pp. 89\u201395. IEEE, Shenzhen, China (2015). https:\/\/doi.org\/10.1109\/MSN.2015.28","DOI":"10.1109\/MSN.2015.28"},{"key":"880_CR20","doi-asserted-by":"publisher","unstructured":"Ekstedt, M., Johnson, P., Lagerstr\u00f6m, R., et\u00a0al.: Securi cad by foreseeti: A cad tool for enterprise cyber security management. In: 2015 IEEE 19th International Enterprise Distributed Object Computing Workshop, pp. 152\u2013155. IEEE, Adelaide, SA, Australia (2015). https:\/\/doi.org\/10.1109\/EDOCW.2015.40","DOI":"10.1109\/EDOCW.2015.40"},{"issue":"1","key":"880_CR21","doi-asserted-by":"publisher","first-page":"79","DOI":"10.1109\/TCC.2018.2847347","volume":"9","author":"IA Elgendy","year":"2021","unstructured":"Elgendy, I.A., Zhang, W.Z., Liu, C.Y., Hsu, C.H.: An efficient and secured framework for mobile cloud computing. IEEE Trans. Cloud Comput. 9(1), 79\u201387 (2021). https:\/\/doi.org\/10.1109\/TCC.2018.2847347","journal-title":"IEEE Trans. Cloud Comput."},{"key":"880_CR22","unstructured":"FIRST: Common vulnerability scoring system version 3.1: Specification document (2001). https:\/\/www.first.org\/cvss\/specification-document"},{"key":"880_CR23","unstructured":"Franklin, J., et\u00a0al.: Guidelines for managing the security of mobile devices in the enterprise. Tech. rep., National Institute of Standards and Technology (2020). https:\/\/doi.org\/10.6028\/NIST.SP.800-124r2-draft. https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-124\/rev-2\/draft"},{"key":"880_CR24","doi-asserted-by":"publisher","unstructured":"Ghosh, N., et\u00a0al.: Netsecuritas: An integrated attack graph-based security assessment tool for enterprise networks. In: Proceedings of the 16th International Conference on Distributed Computing and Networking, ICDCN \u201915. Association for Computing Machinery, New York, NY, USA (2015). https:\/\/doi.org\/10.1145\/2684464.2684494.94","DOI":"10.1145\/2684464.2684494.94"},{"issue":"5","key":"880_CR25","doi-asserted-by":"publisher","first-page":"491","DOI":"10.1108\/10662240610710978","volume":"16","author":"M Hafner","year":"2006","unstructured":"Hafner, M., Breu, R., Agreiter, B., Nowak, A.: Sectet: an extensible framework for the realization of secure inter-organizational workflows. Internet Res. 16(5), 491\u2013506 (2006). https:\/\/doi.org\/10.1108\/10662240610710978","journal-title":"Internet Res."},{"issue":"4","key":"880_CR26","doi-asserted-by":"publisher","first-page":"561","DOI":"10.3233\/JCS-130475","volume":"21","author":"J Homer","year":"2013","unstructured":"Homer, J., Zhang, S., Ou, X., Schmidt, D., Du, Y., Rajagopalan, S.R., Singhal, A.: Aggregating vulnerability metrics in enterprise networks using attack graphs. J. Comput. Secur. 21(4), 561\u2013597 (2013)","journal-title":"J. Comput. Secur."},{"key":"880_CR27","volume-title":"The Security Development Lifecycle","author":"M Howard","year":"2006","unstructured":"Howard, M., Lipner, S.: The Security Development Lifecycle, vol. 8. Microsoft Press Redmond, Redmond (2006)"},{"key":"880_CR28","doi-asserted-by":"publisher","unstructured":"Huang, D., Zhou, Z., Xu, L., Xing, T., Zhong, Y.: Secure data processing framework for mobile cloud computing. In: 2011 IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS), pp. 614\u2013618. IEEE, Shanghai, China (2011). https:\/\/doi.org\/10.1109\/INFCOMW.2011.5928886","DOI":"10.1109\/INFCOMW.2011.5928886"},{"key":"880_CR29","unstructured":"Hubbard, J.: Guide to security operations (2020). https:\/\/www.sans.org\/security-resources\/posters\/guide-security-operations\/260\/download"},{"issue":"1","key":"880_CR30","doi-asserted-by":"publisher","first-page":"28","DOI":"10.1109\/MS.2008.25","volume":"25","author":"JA Ingalsbe","year":"2008","unstructured":"Ingalsbe, J.A., et al.: Threat modeling: diving into the deep end. IEEE Softw. 25(1), 28\u201334 (2008). https:\/\/doi.org\/10.1109\/MS.2008.25","journal-title":"IEEE Softw."},{"key":"880_CR31","doi-asserted-by":"publisher","unstructured":"Johnson, P., et\u00a0al.: A meta language for threat modeling and attack simulations. In: Proceedings of the 13th International Conference on Availability, Reliability and Security, ARES \u201918. Association for Computing Machinery, New York, NY, USA (2018). https:\/\/doi.org\/10.1145\/3230833.3232799","DOI":"10.1145\/3230833.3232799"},{"key":"880_CR32","volume-title":"Secure Systems Development with UML","author":"J J\u00fcrjens","year":"2005","unstructured":"J\u00fcrjens, J.: Secure Systems Development with UML. Springer Science & Business Media, Cham (2005)"},{"issue":"6","key":"880_CR33","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1145\/2674632.2674638","volume":"39","author":"N Kaur","year":"2014","unstructured":"Kaur, N., et al.: Mitigation of SQL injection attacks using threat modeling. SIGSOFT Softw. Eng. Notes 39(6), 1\u20136 (2014). https:\/\/doi.org\/10.1145\/2674632.2674638","journal-title":"SIGSOFT Softw. Eng. Notes"},{"key":"880_CR34","unstructured":"Kaur, N., et\u00a0al.: Modeling a sql injection attack. In: 2016 3rd International Conference on Computing for Sustainable Global Development (INDIACom), pp. 77\u201382. IEEE, New Delhi, India (2016)"},{"key":"880_CR35","doi-asserted-by":"publisher","first-page":"80","DOI":"10.1007\/978-3-642-19751-2_6","volume-title":"Formal Aspects of Security and Trust","author":"B Kordy","year":"2011","unstructured":"Kordy, B., Mauw, S., Radomirovi\u0107, S., Schweitzer, P.: Foundations of attack-defense trees. In: Degano, P., Etalle, S., Guttman, J. (eds.) Formal Aspects of Security and Trust, pp. 80\u201395. Springer Berlin Heidelberg, Berlin, Heidelberg (2011)"},{"key":"880_CR36","doi-asserted-by":"publisher","first-page":"61","DOI":"10.1016\/j.comcom.2015.07.005","volume":"68","author":"F Li","year":"2015","unstructured":"Li, F., et al.: Robust access control framework for mobile cloud computing network. Comput. Commun. 68, 61\u201372 (2015). https:\/\/doi.org\/10.1016\/j.comcom.2015.07.005","journal-title":"Comput. Commun."},{"key":"880_CR37","doi-asserted-by":"publisher","unstructured":"Lipner, S.: The trustworthy computing security development lifecycle. In: 20th Annual Computer Security Applications Conference, pp. 2\u201313. IEEE, Tucson, AZ, USA (2004). https:\/\/doi.org\/10.1109\/CSAC.2004.41","DOI":"10.1109\/CSAC.2004.41"},{"key":"880_CR38","volume-title":"Model-Driven Risk Analysis: The CORAS Approach","author":"MS Lund","year":"2010","unstructured":"Lund, M.S., et al.: Model-Driven Risk Analysis: The CORAS Approach. Springer Science & Business Media, Cham (2010)"},{"key":"880_CR39","doi-asserted-by":"publisher","unstructured":"Maheshwari, V., Prasanna, M.: Integrating risk assessment and threat modeling within sdlc process. In: 2016 International Conference on Inventive Computation Technologies (ICICT), vol. 1, pp. 1\u20135. IEEE, Coimbatore, India (2016). https:\/\/doi.org\/10.1109\/INVENTIVE.2016.7823275","DOI":"10.1109\/INVENTIVE.2016.7823275"},{"key":"880_CR40","unstructured":"Mannino, J., et\u00a0al.: Owasp top ten mobile risk (2016). https:\/\/owasp.org\/www-project-mobile-top-10\/. Accessed 04 Feb 2021"},{"issue":"2","key":"880_CR41","doi-asserted-by":"publisher","first-page":"9","DOI":"10.1145\/3375408.3375410","volume":"38","author":"B Martin","year":"2019","unstructured":"Martin, B.: Common vulnerabilities enumeration (cve), common weakness enumeration (cwe), and common quality enumeration (cqe): Attempting to systematically catalog the safety and security challenges for modern, networked, software-intensive systems. Ada Lett. 38(2), 9\u201342 (2019). https:\/\/doi.org\/10.1145\/3375408.3375410","journal-title":"Ada Lett."},{"key":"880_CR42","doi-asserted-by":"publisher","first-page":"186","DOI":"10.1007\/11734727_17","volume-title":"Information Security and Cryptology - ICISC 2005","author":"S Mauw","year":"2006","unstructured":"Mauw, S., Oostdijk, M.: Foundations of attack trees. In: Won, D.H., Kim, S. (eds.) Information Security and Cryptology - ICISC 2005, pp. 186\u2013198. Springer Berlin Heidelberg, Berlin, Heidelberg (2006)"},{"issue":"4","key":"880_CR43","doi-asserted-by":"publisher","first-page":"75","DOI":"10.1109\/MSP.2005.88","volume":"3","author":"NR Mead","year":"2005","unstructured":"Mead, N.R., McGraw, G.: A portal for software security. IEEE Secur. Priv. 3(4), 75\u201379 (2005). https:\/\/doi.org\/10.1109\/MSP.2005.88","journal-title":"IEEE Secur. Priv."},{"key":"880_CR44","doi-asserted-by":"crossref","unstructured":"Mell, P., Grance, T.: The nist definition of cloud computing. Tech. rep., National Institute of Standards and Technology (2011). http:\/\/nvlpubs.nist.gov\/nistpubs\/Legacy\/SP\/nistspecialpublication800-145.pdf","DOI":"10.6028\/NIST.SP.800-145"},{"key":"880_CR45","unstructured":"Mouratidis, H.: A natural extension of tropos methodology for modelling security. In: Proceedings Agent Oriented Methodologies Workshop (2002)"},{"key":"880_CR46","unstructured":"Mueller, B., et\u00a0al.: Owasp Mobile Security Testing Guide (2019). https:\/\/owasp.org\/www-project-mobile-security-testing-guide\/. Accessed 04 Feb 2021"},{"key":"880_CR47","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2023.103180","volume":"129","author":"A Mu\u00f1oz","year":"2023","unstructured":"Mu\u00f1oz, A., R\u00edos, R., Rom\u00e1n, R., L\u00f3pez, J.: A survey on the (in) security of trusted execution environments. Comput. Secur. 129, 103180 (2023)","journal-title":"Comput. Secur."},{"key":"880_CR48","unstructured":"Myagmar, S., et\u00a0al.: Threat modeling as a basis for security requirements. In: Symposium on Requirements Engineering for Information Security (SREIS), vol. 2005, pp. 1\u20138. Citeseer, Citeseer (2005)"},{"key":"880_CR49","doi-asserted-by":"publisher","unstructured":"Noel, S., et\u00a0al.: Advances in topological vulnerability analysis. In: 2009 Cybersecurity Applications & Technology Conference for Homeland Security, pp. 124\u2013129. IEEE, Washington, DC, USA (2009). https:\/\/doi.org\/10.1109\/CATCH.2009.19","DOI":"10.1109\/CATCH.2009.19"},{"key":"880_CR50","unstructured":"O\u2019Dea, S.: Number of mobile (cellular) subscriptions worldwide from 1993 to 2020 (2021). https:\/\/www.statista.com\/statistics\/262950\/global-mobile-subscriptions-since-1993\/"},{"issue":"1","key":"880_CR51","doi-asserted-by":"publisher","first-page":"106","DOI":"10.1080\/19361610.2019.1545278","volume":"14","author":"A Omotosho","year":"2019","unstructured":"Omotosho, A., et al.: Threat modeling of internet of things health devices. J. Appl. Secur. Res. 14(1), 106\u2013121 (2019). https:\/\/doi.org\/10.1080\/19361610.2019.1545278","journal-title":"J. Appl. Secur. Res."},{"key":"880_CR52","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2022.103047","volume":"125","author":"SPR Rao","year":"2023","unstructured":"Rao, S.P.R., et al.: Threat modeling framework for mobile communication systems. Comput. Secur. 125, 103047 (2023). https:\/\/doi.org\/10.1016\/j.cose.2022.103047","journal-title":"Comput. Secur."},{"key":"880_CR53","unstructured":"Ou, X., Govindavajhala, S., Appel, A.W., et\u00a0al.: Mulval: a logic-based network security analyzer. In: USENIX Security Symposium, vol. 8, pp. 113\u2013128. Baltimore, MD (2005)"},{"key":"880_CR54","unstructured":"OWASP: Owasp samm (2022). https:\/\/owasp.org\/www-project-samm\/. Accessed 29 Feb 2024"},{"key":"880_CR55","unstructured":"OWASP, O.W.A.S.P.: Owasp top 10 - 2017: The ten most critical web application security risks. Tech. rep., OWASP Foundation (2017). https:\/\/www.owasp.org\/index.php\/OWASP_API_Security_Project"},{"key":"880_CR56","doi-asserted-by":"publisher","first-page":"123","DOI":"10.1016\/j.datak.2015.07.007","volume":"98","author":"E Paja","year":"2015","unstructured":"Paja, E., Dalpiaz, F., Giorgini, P.: Modelling and reasoning about security requirements in socio-technical systems. Data Knowl. Eng. 98, 123\u2013143 (2015). https:\/\/doi.org\/10.1016\/j.datak.2015.07.007","journal-title":"Data Knowl. Eng."},{"key":"880_CR57","doi-asserted-by":"publisher","unstructured":"Popa, D., et\u00a0al.: A security framework for mobile cloud applications. In: 2013 11th RoEduNet International Conference, pp. 1\u20134. IEEE, Sinaia, Romania (2013). https:\/\/doi.org\/10.1109\/RoEduNet.2013.6511724","DOI":"10.1109\/RoEduNet.2013.6511724"},{"issue":"1","key":"880_CR58","doi-asserted-by":"publisher","first-page":"15","DOI":"10.1016\/S1353-4858(09)70008-X","volume":"2009","author":"B Potter","year":"2009","unstructured":"Potter, B.: Microsoft SDL threat modelling tool. Netw. Secur. 2009(1), 15\u201318 (2009). https:\/\/doi.org\/10.1016\/S1353-4858(09)70008-X","journal-title":"Netw. Secur."},{"key":"880_CR59","unstructured":"Saitta, P., et\u00a0al.: Trike v. 1 methodology document [draft] (2005). https:\/\/www.octotrike.org\/papers. Accessed 04 Feb 2021"},{"issue":"1","key":"880_CR60","doi-asserted-by":"publisher","first-page":"44","DOI":"10.1109\/MSP.2012.88","volume":"11","author":"K Salah","year":"2013","unstructured":"Salah, K., et al.: Using cloud computing to implement a security overlay network. IEEE Secur. Priv. 11(1), 44\u201353 (2013). https:\/\/doi.org\/10.1109\/MSP.2012.88","journal-title":"IEEE Secur. Priv."},{"key":"880_CR61","doi-asserted-by":"publisher","first-page":"16462","DOI":"10.1109\/ACCESS.2020.2965925","volume":"8","author":"MG Samaila","year":"2020","unstructured":"Samaila, M.G., Sequeiros, J.B.F., Sim\u014des, T., Freire, M.M., In\u00e1cio, P.R.M.: Iot-harpseca: a framework and roadmap for secure design and development of devices and applications in the IoT space. IEEE Access 8, 16462\u201316494 (2020). https:\/\/doi.org\/10.1109\/ACCESS.2020.2965925","journal-title":"IEEE Access"},{"key":"880_CR62","doi-asserted-by":"publisher","first-page":"69","DOI":"10.1007\/978-0-387-88775-3_5","volume-title":"Representation of Security and Dependability Solutions","author":"F S\u00e1nchez-Cid","year":"2009","unstructured":"S\u00e1nchez-Cid, F., et al.: Representation of Security and Dependability Solutions, pp. 69\u201395. Springer US, Boston (2009). https:\/\/doi.org\/10.1007\/978-0-387-88775-3_5"},{"issue":"2","key":"880_CR63","doi-asserted-by":"publisher","first-page":"163","DOI":"10.1007\/s00766-013-0195-2","volume":"20","author":"R Scandariato","year":"2015","unstructured":"Scandariato, R., et al.: A descriptive study of microsoft\u2019s threat modeling technique. Requir. Eng. 20(2), 163\u2013180 (2015)","journal-title":"Requir. Eng."},{"issue":"12","key":"880_CR64","first-page":"21","volume":"24","author":"B Schneier","year":"1999","unstructured":"Schneier, B.: Attack trees. Dr. Dobb\u2019s J. 24(12), 21\u201329 (1999)","journal-title":"Dr. Dobb\u2019s J."},{"key":"880_CR65","unstructured":"Security, C.: Iriusrisk - threat modeling tool. https:\/\/continuumsecurity.net\/threat-modeling-tool\/ (2019). Accessed 22 Jan 2019"},{"key":"880_CR66","doi-asserted-by":"publisher","DOI":"10.1145\/3376123","author":"JABF Sequeiros","year":"2020","unstructured":"Sequeiros, J.A.B.F., et al.: Attack and system modeling applied to IoT, cloud, and mobile ecosystems: embedding security by design. ACM Comput. Surv. (2020). https:\/\/doi.org\/10.1145\/3376123","journal-title":"ACM Comput. Surv."},{"key":"880_CR67","doi-asserted-by":"publisher","unstructured":"Serrano, D., et\u00a0al.: Development of applications based on security patterns. In: 2009 Second International Conference on Dependability, pp. 111\u2013116. IEEE, Athens, Greece (2009). https:\/\/doi.org\/10.1109\/DEPEND.2009.23","DOI":"10.1109\/DEPEND.2009.23"},{"key":"880_CR68","unstructured":"Shevchenko, N., et al.: Threat modeling: a summary of available methods. Carnegie Mellon University Software Engineering Institute Pittsburgh United, Tech. rep. (2018)"},{"issue":"4","key":"880_CR69","doi-asserted-by":"publisher","first-page":"29","DOI":"10.1109\/MSEC.2021.3125229","volume":"20","author":"Z Shi","year":"2022","unstructured":"Shi, Z., et al.: Threat modeling tools: a taxonomy. IEEE Secur. Priv. 20(4), 29\u201339 (2022). https:\/\/doi.org\/10.1109\/MSEC.2021.3125229","journal-title":"IEEE Secur. Priv."},{"issue":"11","key":"880_CR70","doi-asserted-by":"publisher","first-page":"2586","DOI":"10.1109\/JSAC.2017.2760478","volume":"35","author":"SN Shirazi","year":"2017","unstructured":"Shirazi, S.N., et al.: The extended cloud: review and analysis of mobile edge computing and fog from a security and resilience perspective. IEEE J. Sel. Areas Commun. 35(11), 2586\u20132595 (2017). https:\/\/doi.org\/10.1109\/JSAC.2017.2760478","journal-title":"IEEE J. Sel. Areas Commun."},{"key":"880_CR71","unstructured":"Shostack, A.: Experiences threat modeling at microsoft. In: J.\u00a0Whittle, J.\u00a0J\u00fcrjens, B.\u00a0Nuseibeh, G.\u00a0Dobson (eds.) Proceedings of the Workshop on Modeling Security (MODSEC08) held as part of the 2008 International Conference on Model Driven Engineering Languages and Systems (MODELS) Toulouse, France, September 28, 2008, CEUR Workshop Proceedings, vol. 413, pp. 1\u201311. CEUR-WS.org, Toulouse, France (2008). http:\/\/ceur-ws.org\/Vol-413\/paper12.pdf"},{"key":"880_CR72","doi-asserted-by":"publisher","first-page":"34","DOI":"10.1007\/s00766-004-0194-4","volume":"10","author":"G Sindre","year":"2005","unstructured":"Sindre, G., Opdahl, A.L.: Eliciting security requirements with misuse cases. Requir. Eng. 10, 34\u201344 (2005)","journal-title":"Requir. Eng."},{"key":"880_CR73","unstructured":"van\u00a0der Stock, A., et\u00a0al.: The owasp top 10 2021 (2021). https:\/\/owasp.org\/Top10\/"},{"key":"880_CR74","unstructured":"ThreatModeler: Approaches to software threat modeling (2016). https:\/\/threatmodeler.com\/approaches-to-threat-modeling\/#"},{"key":"880_CR75","unstructured":"ThreatModeler: Threatmodeler software, inc - industry\u2019s #1 threat modeling plataform (2019). https:\/\/threatmodeler.com"},{"key":"880_CR76","doi-asserted-by":"crossref","unstructured":"UcedaVelez, T., Morana, M.M.: Risk Centric Threat Modeling: Process for Attack Simulation and Threat Analysis, 1st edn. Wiley Publishing, New Jersey (2015)","DOI":"10.1002\/9781118988374"},{"key":"880_CR77","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2023.103284","volume":"130","author":"W Wide\u0142","year":"2023","unstructured":"Wide\u0142, W., et al.: The meta attack language\u2014a formal description. Comput. Secur. 130, 103284 (2023). https:\/\/doi.org\/10.1016\/j.cose.2023.103284","journal-title":"Comput. Secur."},{"key":"880_CR78","doi-asserted-by":"publisher","unstructured":"Williams, I., Yuan, X.: Evaluating the effectiveness of microsoft threat modeling tool. In: Proceedings of the 2015 Information Security Curriculum Development Conference, InfoSec \u201915. Association for Computing Machinery, New York, NY, USA (2015). https:\/\/doi.org\/10.1145\/2885990.2885999","DOI":"10.1145\/2885990.2885999"},{"key":"880_CR79","unstructured":"Wuyts, K., Joosen, W.: Linddun privacy threat modeling: a tutorial. Katholieke Universiteit Leuven, Heverlee, Belgium, Tech. rep. (2015)"},{"key":"880_CR80","doi-asserted-by":"publisher","unstructured":"Wuyts, K., et\u00a0al.: Linddun go: A lightweight approach to privacy threat modeling. In: 2020 IEEE European Symposium on Security and Privacy Workshops (EuroS PW), pp. 302\u2013309. IEEE, Genoa, Italy (2020). https:\/\/doi.org\/10.1109\/EuroSPW51379.2020.00047","DOI":"10.1109\/EuroSPW51379.2020.00047"},{"issue":"1","key":"880_CR81","doi-asserted-by":"publisher","first-page":"157","DOI":"10.1007\/s10270-021-00898-7","volume":"21","author":"W Xiong","year":"2022","unstructured":"Xiong, W., Legrand, E., \u00c5berg, O., Lagerstr\u00f6m, R.: Cyber security threat modeling based on the MITRE enterprise ATT &CK matrix. Softw. Syst. Model. 21(1), 157\u2013177 (2022). https:\/\/doi.org\/10.1007\/s10270-021-00898-7","journal-title":"Softw. Syst. Model."}],"container-title":["International Journal of Information Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10207-024-00880-6.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1007\/s10207-024-00880-6\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10207-024-00880-6.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2024,7,15]],"date-time":"2024-07-15T03:22:49Z","timestamp":1721013769000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/s10207-024-00880-6"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,7,4]]},"references-count":81,"journal-issue":{"issue":"4","published-print":{"date-parts":[[2024,8]]}},"alternative-id":["880"],"URL":"https:\/\/doi.org\/10.1007\/s10207-024-00880-6","relation":{},"ISSN":["1615-5262","1615-5270"],"issn-type":[{"value":"1615-5262","type":"print"},{"value":"1615-5270","type":"electronic"}],"subject":[],"published":{"date-parts":[[2024,7,4]]},"assertion":[{"value":"4 July 2024","order":1,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"All the authors of this paper declare that he\/she has no Conflict of interest.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Conflict of interest"}},{"value":"This article does not contain any studies with human participants or animals performed by any of the authors.","order":3,"name":"Ethics","group":{"name":"EthicsHeading","label":"Ethical approval"}}]}}