{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,11,12]],"date-time":"2025-11-12T14:17:07Z","timestamp":1762957027894,"version":"3.41.0"},"reference-count":28,"publisher":"Association for Computing Machinery (ACM)","issue":"1","license":[{"start":{"date-parts":[[2023,1,31]],"date-time":"2023-01-31T00:00:00Z","timestamp":1675123200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Cyber-Phys. Syst."],"published-print":{"date-parts":[[2023,1,31]]},"abstract":"<jats:p>Security Assurance Cases (SAC) are structured arguments and evidence bodies used to reason about the security of a certain system. SACs are gaining focus in the automotive industry, as the needs for security assurance are growing in this domain. However, the state-of-the-arts lack a mature approach able to suit the needs of the automotive industry. In this article, we present CASCADE, an asset-driven approach for creating SAC, which is inspired by the upcoming security standard ISO\/SAE-21434 as well as the internal needs of automotive Original Equipment Manufacturers (OEMs). CASCADE also differentiates itself from the state-of-the-art by incorporating a way to reason about the quality of the constructed security assurance case. We created the approach by conducting an iterative design science research study. We illustrate the results using the example case of the road vehicle\u2019s headlamp provided in the ISO standard. We also illustrate how our approach aligns well with the structure and content of the ISO\/SAE-21434 standard, hence demonstrating the practical applicability of CASCADE in an industrial context.<\/jats:p>","DOI":"10.1145\/3569459","type":"journal-article","created":{"date-parts":[[2022,11,16]],"date-time":"2022-11-16T13:03:19Z","timestamp":1668603799000},"page":"1-26","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":8,"title":["CASCADE: An Asset-driven Approach to Build Security Assurance Cases for Automotive Systems"],"prefix":"10.1145","volume":"7","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-3446-1265","authenticated-orcid":false,"given":"Mazen","family":"Mohamad","sequence":"first","affiliation":[{"name":"Chalmers and University of Gothenburg, Chalmersplatsen, Gothenburg, Sweden"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-5656-9253","authenticated-orcid":false,"given":"Rodi","family":"Jolak","sequence":"additional","affiliation":[{"name":"Chalmers and University of Gothenburg, Chalmersplatsen, Gothenburg, Sweden"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-0755-229X","authenticated-orcid":false,"given":"\u00d6rjan","family":"Askerdal","sequence":"additional","affiliation":[{"name":"Volvo Trucks, Gothenburg, Sweden"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-1694-0972","authenticated-orcid":false,"given":"Jan-Philipp","family":"Stegh\u00f6fer","sequence":"additional","affiliation":[{"name":"Chalmers and University of Gothenburg, Chalmersplatsen, Gothenburg, Sweden"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-3591-7671","authenticated-orcid":false,"given":"Riccardo","family":"Scandariato","sequence":"additional","affiliation":[{"name":"Hamburg University of Technology, Hamburg, Germany"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2023,2,20]]},"reference":[{"key":"e_1_3_3_2_2","unstructured":"Adelard. 2022. Claims Arguments and Evidence (CAE) . https:\/\/www.adelard.com\/asce\/cae\/. Accessed July 12 2022."},{"key":"e_1_3_3_3_2","unstructured":"The MITRE Corporation (MITRE). 2022. Common Attack Pattern Enumeration and Classification (CAPEC) . http:\/\/capec.mitre.org\/. Accessed July 2 2022."},{"key":"e_1_3_3_4_2","doi-asserted-by":"crossref","unstructured":"Sebastian Herold Holger Klus Yannick Welsch Constanze Deiters Andreas Rausch Ralf Reussner Klaus Krogmann Heiko Koziolek Raffaela Mirandola Benjamin Hummel et\u00a0al. 2008. CoCoME-the common component modeling example. In Proceeding of the Common Component Modeling Example Springer 16\u201353.","DOI":"10.1007\/978-3-540-85289-6_3"},{"key":"e_1_3_3_5_2","first-page":"197","volume-title":"International Conference on Computer Safety, Reliability, and Security","author":"McCaffery A. Finnegan and F.","year":"2014","unstructured":"A. Finnegan and F. McCaffery. 2014. Towards an international security case framework for networked medical devices. In International Conference on Computer Safety, Reliability, and Security. Springer, 197\u2013209."},{"key":"e_1_3_3_6_2","unstructured":"Rob Alexander Richard Hawkins and Tim Kelly. 2011. Security assurance cases: Motivation and the state of the art. High Integrity Systems Engineering Department of Computer Science University of York Deramore Lane York YO10 5GH . https:\/\/www-users.cs.york.ac.uk\/rhawkins\/papers\/York%20CESG%20security%20case%20report.pdf."},{"key":"e_1_3_3_7_2","doi-asserted-by":"publisher","DOI":"10.1109\/HASE.2005.20"},{"key":"e_1_3_3_8_2","doi-asserted-by":"publisher","DOI":"10.1109\/EDCC.2014.24"},{"key":"e_1_3_3_9_2","doi-asserted-by":"publisher","DOI":"10.1109\/DEPCOS-RELCOMEX.2007.44"},{"key":"e_1_3_3_10_2","doi-asserted-by":"crossref","first-page":"220","DOI":"10.1109\/ISSREW.2014.89","volume-title":"IEEE International Symposium on Software Reliability Engineering Workshops","author":"Finnegan Anita","year":"2014","unstructured":"Anita Finnegan and Fergal McCaffery. 2014. A security argument pattern for medical device assurance cases. In IEEE International Symposium on Software Reliability Engineering Workshops. IEEE, 220\u2013225."},{"key":"e_1_3_3_11_2","unstructured":"Charles B. Weinstock Howard F. Lipson and John Goodenough. 2007. Arguing security-creating security assurance cases. Technical Report. Carnegie Mellon University. https:\/\/resources.sei.cmu.edu\/library\/asset-view.cfm?assetid=293629. Accessed July 12 2022."},{"key":"e_1_3_3_12_2","unstructured":"GSN Community Standard Working Group. 2011. GSN community standard. Retrieved from www.goalstructuringnotation.info\/."},{"key":"e_1_3_3_13_2","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2007.70754"},{"key":"e_1_3_3_14_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-0-85729-133-2_1"},{"key":"e_1_3_3_15_2","doi-asserted-by":"publisher","DOI":"10.2307\/25148625"},{"key":"e_1_3_3_16_2","doi-asserted-by":"publisher","DOI":"10.5555\/1202957"},{"key":"e_1_3_3_17_2","unstructured":"International Organization for Standardization. 1999. Information technology \u2014 Security techniques \u2013 Evaluation criteria for IT security \u2013 Part 1: Introduction and general model. https:\/\/www.iso.org\/standard\/27632.html. Accessed July 12 2022."},{"key":"e_1_3_3_18_2","unstructured":"International Organization for Standardization. 2018. ISO 27005 Information technology \u2014 Security techniques \u2014 Information security risk management. https:\/\/www.iso.org\/standard\/75281.html. Accessed July 7 2022."},{"key":"e_1_3_3_19_2","unstructured":"International Organization for Standardization. 2018. ISO 26262 Road vehicles \u2013 Functional safety 2nd ed. https:\/\/www.iso.org\/standard\/68383.html. Accessed July 12 2022."},{"key":"e_1_3_3_20_2","unstructured":"International Organization for Standardization and Society of Automotive Engineers. 2018. ISO \/ SAE 21434 Road vehicles \u2013 Cybersecurity Engineering CD Draft. https:\/\/www.iso.org\/standard\/70918.html. Accessed July 12 2022."},{"key":"e_1_3_3_21_2","doi-asserted-by":"publisher","DOI":"10.1109\/MSP.2015.68"},{"key":"e_1_3_3_22_2","volume-title":"8th International Conference on Information Society and Technology","author":"Luburi\u0107 Nikola","year":"2018","unstructured":"Nikola Luburi\u0107, Goran Sladi\u0107, Branko Milosavljevi\u0107, and Aleksandar Kaplar. 2018. Demonstrating enterprise system security using an asset-centric security assurance framework. In 8th International Conference on Information Society and Technology."},{"key":"e_1_3_3_23_2","doi-asserted-by":"publisher","DOI":"10.1109\/EnCyCriS52570.2021.00012"},{"key":"e_1_3_3_24_2","doi-asserted-by":"publisher","DOI":"10.1145\/3407023.3407033"},{"key":"e_1_3_3_25_2","unstructured":"Gdansk University of Technology. 2010\u20132019. NOR-STA. Retrieved from https:\/\/www.nor-sta.eu\/en\/."},{"key":"e_1_3_3_26_2","doi-asserted-by":"crossref","first-page":"81","DOI":"10.1109\/SecDev45635.2020.00028","volume-title":"IEEE Secure Development (SecDev)","author":"Rosenstatter Thomas","year":"2020","unstructured":"Thomas Rosenstatter, Kim Strandberg, Rodi Jolak, Riccardo Scandariato, and Tomas Olovsson. 2020. REMIND: A framework for the resilient design of automotive systems. In IEEE Secure Development (SecDev). IEEE, 81\u201395."},{"key":"e_1_3_3_27_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-1-4471-2312-5"},{"key":"e_1_3_3_28_2","doi-asserted-by":"crossref","unstructured":"Bill Kuechler and Vijay Vaishnavi. 2008. On theory development in design science research: anatomy of a research project. European Journal of Information Systems 17 5 (2008) 489\u2013504.","DOI":"10.1057\/ejis.2008.40"},{"key":"e_1_3_3_29_2","doi-asserted-by":"publisher","DOI":"10.1109\/ISSREW.2017.52"}],"container-title":["ACM Transactions on Cyber-Physical Systems"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3569459","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3569459","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T17:48:56Z","timestamp":1750182536000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3569459"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,1,31]]},"references-count":28,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2023,1,31]]}},"alternative-id":["10.1145\/3569459"],"URL":"https:\/\/doi.org\/10.1145\/3569459","relation":{},"ISSN":["2378-962X","2378-9638"],"issn-type":[{"type":"print","value":"2378-962X"},{"type":"electronic","value":"2378-9638"}],"subject":[],"published":{"date-parts":[[2023,1,31]]},"assertion":[{"value":"2021-07-01","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2022-09-14","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2023-02-20","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}