{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,16]],"date-time":"2026-01-16T17:03:30Z","timestamp":1768583010843,"version":"3.49.0"},"reference-count":51,"publisher":"IGI Global","issue":"1","content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2018,1]]},"abstract":"<jats:p>Safety is a fundamental concern in modern society, and security is a precondition for safety. Ensuring safety and security of complex integrated systems requires a coordinated approach that involve different stakeholder groups going beyond safety and security experts and system developers. The authors have therefore proposed CHASSIS (Combined Harm Assessment of Safety and Security for Information Systems), a method for collaborative determination of requirements for safe and secure systems. In this article, the authors evaluate CHASSIS through industrial case studies of two small-to-medium sized suppliers to the air-traffic management (ATM) sector. The results suggest that CHASSIS is easy to use, and that handling safety and security together provides benefits because techniques, information, and knowledge can be reused. The authors conclude that further exploration and development of CHASSIS is worthwhile, but that better documentation is needed\u2014including more detailed process guidelines\u2014to support elicitation of security and safety requirements and to systematically relate them to functional requirements.<\/jats:p>","DOI":"10.4018\/jcit.2018010104","type":"journal-article","created":{"date-parts":[[2018,1,3]],"date-time":"2018-01-03T01:21:59Z","timestamp":1514942519000},"page":"46-69","source":"Crossref","is-referenced-by-count":5,"title":["Combined Assessment of Software Safety and Security Requirements"],"prefix":"10.4018","volume":"20","author":[{"given":"Christian","family":"Raspotnig","sequence":"first","affiliation":[{"name":"ATM System Development, Avinor Air Navigation Services, Gardermoen"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Peter","family":"Karpati","sequence":"additional","affiliation":[{"name":"Institute for Energy Technology, Halden, Norway"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Andreas L","family":"Opdahl","sequence":"additional","affiliation":[{"name":"Department of Information Science and Media Studies, University of Bergen, Bergen, Norway"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"2432","reference":[{"key":"JCIT.2018010104-0","author":"E. G.Amoroso","year":"1994","journal-title":"Fundamentals of Computer Security Technology"},{"key":"JCIT.2018010104-1","doi-asserted-by":"crossref","unstructured":"Ant\u00f3n, A.I., and Earp, J.B. (2000). Strategies for developing policies and requirements for secure electronic commerce systems. E-commerce security and privacy, 2.","DOI":"10.1007\/978-1-4615-1467-1_5"},{"key":"JCIT.2018010104-2","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2004.2"},{"key":"JCIT.2018010104-3","doi-asserted-by":"publisher","DOI":"10.1007\/11908883_6"},{"key":"JCIT.2018010104-4","doi-asserted-by":"publisher","DOI":"10.1016\/0167-6423(93)90021-G"},{"key":"JCIT.2018010104-5","doi-asserted-by":"publisher","DOI":"10.2307\/249008"},{"key":"JCIT.2018010104-6","doi-asserted-by":"crossref","unstructured":"Dobbing, B., & Lautieri, S. (2007). Dependability-by-Contract. In F. Redmill & T. Anderson (Eds.), The Safety of Systems,Proc. Fifteenth Safety-Critical Systems Symposium, Bristol, UK, February 13\u201315 (pp. 35\u201351). Springer.","DOI":"10.1007\/978-1-84628-806-7_3"},{"key":"JCIT.2018010104-7","unstructured":"Elahi, G. (2012). Making Trade-offs among Security and Other Requirements during System Design [PhD Thesis]. Univ. of Toronto."},{"key":"JCIT.2018010104-8","article-title":"Fault Tree Analysis \u2013 A History.","author":"C. A.Ericson","year":"1999","journal-title":"Proc. 17th International System Safety Conference"},{"key":"JCIT.2018010104-9","doi-asserted-by":"publisher","DOI":"10.1002\/0471739421"},{"key":"JCIT.2018010104-10","unstructured":"Eurocontrol Safety Assessment Methodology Task Force. (2004). Functional Hazard Assessment \u2013 Guidance Material B1, edition 2.0."},{"key":"JCIT.2018010104-11","year":"2006","journal-title":"Air navigation safety assessment methodology"},{"key":"JCIT.2018010104-12","article-title":"The CORAS methodology for model-based risk assessment.","author":"B. A.Gran","year":"2003"},{"key":"JCIT.2018010104-13","unstructured":"Herrmann, A., Morali, A., Etalle, S. & Wieringa, R. (2011). RiskREP: Risk-based Security Requirements Elicitation and Prioritization."},{"key":"JCIT.2018010104-14","year":"2006","journal-title":"IEC 60812 Analysis techniques for system reliability \u2013 Procedure for failure mode and effects analysis"},{"key":"JCIT.2018010104-15","article-title":"UMLsec: Extending UML for Secure Systems Development. The Unified Modeling Language","author":"J.J\u00fcrjens","year":"2002","journal-title":"5th International Conference (UML 2002)"},{"key":"JCIT.2018010104-16","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-16782-9_1"},{"key":"JCIT.2018010104-17","unstructured":"Kriaa, S., Raspotnig, C., Bouissou, M., Pi\u00e8tre-Cambac\u00e9d\u00e8s, L., Karpati, P., Halgand, Y., & Katta, V. (2013). Comparing two approaches to safety and security modelling: BDMP technique and CHASSIS method. In Proc. Enlarged Halden Group Meeting, Storefjell, Norway. OECD Halden Reactor Project."},{"key":"JCIT.2018010104-18","author":"N. G.Leveson","year":"2011","journal-title":"Engineering a Safer World: Systems Thinking Applied to Safety"},{"key":"JCIT.2018010104-19","doi-asserted-by":"publisher","DOI":"10.1109\/ICRE.2003.1232791"},{"key":"JCIT.2018010104-20","unstructured":"Lin, L., Nuseibeh, B., Ince, D., & Jackson, M. (2004). Using Abuse Frames to Bound the Scope of Security Problems. In Proc. 12th IEEE International Requirements Engineering Conference (RE\u201904), Kyoto, Japan. IEEE."},{"key":"JCIT.2018010104-21","doi-asserted-by":"publisher","DOI":"10.1109\/ICRE.2003.1232746"},{"key":"JCIT.2018010104-22","doi-asserted-by":"crossref","unstructured":"Lodderstedt, T., Basin, D., & Doser, J. (2002). SecureUML: A UML-Based Modeling Language for Model-Driven Security. The Unified Modeling Language. In Proc. 5th Int\u2019l Conf. (UML 2002), Dresden, Germany. Springer.","DOI":"10.1007\/3-540-45800-X_33"},{"key":"JCIT.2018010104-23","doi-asserted-by":"crossref","unstructured":"Lund, M.S., Solhaug, B., & St\u00f8len, K. (2011a). Model-Driven Risk Analysis \u2013 The CORAS Approach. Springer.","DOI":"10.1007\/978-3-642-12323-8"},{"key":"JCIT.2018010104-24","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-23082-0_9"},{"key":"JCIT.2018010104-25","author":"F.Massacci","year":"2006","journal-title":"Detecting Conflicts between Functional and Security Requirements with Secure Tropos: John Rusnak and the Allied Irish Bank. Social Modeling for Requirements Engineering. P. Giorgini, N. A. M. Maiden, J. Mylopoulos and E. Yu"},{"key":"JCIT.2018010104-26","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-540-69534-9_40"},{"key":"JCIT.2018010104-27","doi-asserted-by":"publisher","DOI":"10.1109\/CSAC.1999.816013"},{"key":"JCIT.2018010104-28","doi-asserted-by":"publisher","DOI":"10.1142\/S0218194007003240"},{"key":"JCIT.2018010104-29","doi-asserted-by":"publisher","DOI":"10.1016\/j.is.2004.06.002"},{"key":"JCIT.2018010104-30","author":"C.Perrow","year":"1999","journal-title":"Normal Accidents: Living with High-Risk Technologies"},{"key":"JCIT.2018010104-31","doi-asserted-by":"publisher","DOI":"10.1109\/EDCC.2010.32"},{"key":"JCIT.2018010104-32","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-31072-0_24"},{"key":"JCIT.2018010104-33","doi-asserted-by":"publisher","DOI":"10.1109\/ARES.2013.102"},{"key":"JCIT.2018010104-34","doi-asserted-by":"publisher","DOI":"10.4018\/jsse.2012010102"},{"key":"JCIT.2018010104-35","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-28714-5_10"},{"key":"JCIT.2018010104-36","doi-asserted-by":"publisher","DOI":"10.1016\/j.jss.2012.12.002"},{"key":"JCIT.2018010104-37","unstructured":"Schneier, B. (1999). Attack Trees. Dr. Dobb's Journal, December."},{"key":"JCIT.2018010104-38","author":"B.Schneier","year":"2000","journal-title":"Secrets and Lies: Digital Security in a Networked World"},{"key":"JCIT.2018010104-39","unstructured":"Schumacher, M., Fernandez-Buglioni, E., Hybertson, D., Buschmann, F., & Sommerlad, P. (Eds.). (2005). Security Patterns: Integrating Security and Systems Engineering. Wiley."},{"key":"JCIT.2018010104-40","doi-asserted-by":"publisher","DOI":"10.1007\/978-0-387-73947-2_20"},{"key":"JCIT.2018010104-41","article-title":"Eliciting Security Requirements by Misuse Cases.","author":"G.Sindre","year":"2000","journal-title":"Proc. TOOLS Pacific 2000"},{"key":"JCIT.2018010104-42","doi-asserted-by":"publisher","DOI":"10.1007\/s00766-004-0194-4"},{"key":"JCIT.2018010104-43","unstructured":"Society of Automotive Engineers (SAE). (1996). Guidelines and methods for conducting the safety assessment process on civil airborne systems and equipment, December."},{"key":"JCIT.2018010104-44","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-540-30144-8_35"},{"key":"JCIT.2018010104-45","author":"W.Stallings","year":"2008","journal-title":"Computer security"},{"key":"JCIT.2018010104-46","author":"D. H.Stamatis","year":"1995","journal-title":"Failure Mode and Effect Analysis: FMEA from Theory to Execution"},{"key":"JCIT.2018010104-47","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE.2004.1317437"},{"key":"JCIT.2018010104-48","doi-asserted-by":"publisher","DOI":"10.1109\/32.879820"},{"key":"JCIT.2018010104-49","doi-asserted-by":"publisher","DOI":"10.1007\/3-540-45416-0_2"},{"key":"JCIT.2018010104-50","author":"R. K.Yin","year":"2008","journal-title":"Case Study Research: Design and Methods"}],"container-title":["Journal of Cases on Information Technology"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.igi-global.com\/viewtitle.aspx?TitleId=196657","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2022,5,6]],"date-time":"2022-05-06T09:49:14Z","timestamp":1651830554000},"score":1,"resource":{"primary":{"URL":"http:\/\/services.igi-global.com\/resolvedoi\/resolve.aspx?doi=10.4018\/JCIT.2018010104"}},"subtitle":["An Industrial Evaluation of the CHASSIS Method"],"short-title":[],"issued":{"date-parts":[[2018,1]]},"references-count":51,"journal-issue":{"issue":"1"},"URL":"https:\/\/doi.org\/10.4018\/jcit.2018010104","relation":{},"ISSN":["1548-7717","1548-7725"],"issn-type":[{"value":"1548-7717","type":"print"},{"value":"1548-7725","type":"electronic"}],"subject":[],"published":{"date-parts":[[2018,1]]}}}