Integrated Design Framework for Facilitating Systems-Theoretic Process Analysis

  • Conference paper
  • In: Computer Security. ESORICS 2021 International Workshops (ESORICS 2021)
  • Part of the book series: Lecture Notes in Computer Science (LNSC, volume 13106)

Abstract

Systems-Theoretic Process Analysis (STPA) helps identify and mitigate safety hazards before they lead to accidents. Safety experts usually apply it as a systematic step-by-step procedure, with or without software tool support, but the hazards it identifies should also be associated with security risks and human factors issues. In this paper, a design framework based on Integrating Requirements and Information Security (IRIS) and the open source Computer Aided Integration of Requirements and Information Security (CAIRIS) tool is used to facilitate the application of STPA. The framework lays the foundation for resolving safety, security and human factors issues in critical infrastructures. We illustrate the approach with a case study based on the real-life Cambrian Coast line railway incident.
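The abstract describes associating STPA hazards with security and human factors issues but does not show the mechanics. The following is an added example, not code from the paper or from CAIRIS: it models STPA Step 3 (identifying unsafe control actions, UCAs) for one constructed control action, tags each UCA with the hazard it leads to and a safety/security/human-factors cause label, and derives the controller constraint by inverting the UCA. The control structure (a signalling centre sending temporary speed restriction data to a train's on-board unit), the hazard list and the cause labels are illustrative assumptions loosely inspired by the Cambrian Coast line incident, not the paper's case-study model.

```python
"""Added example (not from the paper): STPA Step 3 UCA enumeration with
safety / security / human-factors cause tags.

Everything below (control structure, hazards, contexts, tags) is a
constructed illustration, not the authors' CAIRIS model."""

from dataclasses import dataclass
from enum import Enum


class UCAType(Enum):
    """The four ways a control action can be unsafe (STPA handbook)."""
    NOT_PROVIDED = "not providing causes hazard"
    PROVIDED = "providing causes hazard"
    WRONG_TIMING = "too early / too late / wrong order"
    STOPPED_TOO_SOON = "stopped too soon / applied too long"


@dataclass(frozen=True)
class ControlAction:
    controller: str
    controlled_process: str
    action: str


@dataclass(frozen=True)
class UCA:
    action: ControlAction
    uca_type: UCAType
    context: str
    hazards: tuple          # ids from HAZARDS this UCA leads to
    cause_tags: tuple       # "safety", "security:...", "hf:..." labels


# Constructed system-level hazards (assumption, not the paper's list).
HAZARDS = {
    "H-1": "Train exceeds the safe speed for the track section",
    "H-2": "Driver receives speed data inconsistent with trackside reality",
}

# Constructed control action (assumption).
TSR_UPLOAD = ControlAction(
    controller="Signalling centre",
    controlled_process="Train on-board unit",
    action="send temporary speed restriction (TSR) data",
)

# Constructed UCA table: (type, context, hazards led to, cause tags).
UCA_TABLE = [
    (UCAType.NOT_PROVIDED, "a TSR is active on the train's route",
     ("H-1", "H-2"), ("safety", "security:data-loss", "hf:no-indication")),
    (UCAType.PROVIDED, "the data has been altered in transit",
     ("H-2",), ("security:integrity",)),
    (UCAType.WRONG_TIMING, "the train has already entered the restricted section",
     ("H-1",), ("safety", "hf:late-warning")),
    (UCAType.STOPPED_TOO_SOON, "the transfer is interrupted before the full TSR list is received",
     ("H-1", "H-2"), ("safety", "security:availability")),
]


def build_ucas(action: ControlAction, table) -> list:
    """Instantiate one UCA per row of the table for the given control action."""
    return [UCA(action, t, ctx, hz, tags) for t, ctx, hz, tags in table]


def constraint_for(uca: UCA) -> str:
    """Derive the controller constraint by negating the UCA (STPA Step 3)."""
    ca = uca.action
    if uca.uca_type is UCAType.NOT_PROVIDED:
        return f"{ca.controller} must provide '{ca.action}' when {uca.context}"
    if uca.uca_type is UCAType.PROVIDED:
        return f"{ca.controller} must not provide '{ca.action}' when {uca.context}"
    if uca.uca_type is UCAType.WRONG_TIMING:
        return f"{ca.controller} must provide '{ca.action}' at the right time when {uca.context}"
    return f"{ca.controller} must not stop '{ca.action}' too soon when {uca.context}"


def ucas_by_cause(ucas, prefix: str) -> list:
    """Filter UCAs whose cause tags start with prefix ('security', 'hf', 'safety')."""
    return [u for u in ucas if any(tag.startswith(prefix) for tag in u.cause_tags)]


def unknown_hazard_refs(ucas, hazards) -> list:
    """Traceability check: contexts of UCAs citing a hazard id not in the hazard list."""
    return [u.context for u in ucas if not set(u.hazards) <= set(hazards)]


if __name__ == "__main__":
    ucas = build_ucas(TSR_UPLOAD, UCA_TABLE)
    assert unknown_hazard_refs(ucas, HAZARDS) == []
    for u in ucas:
        print(f"[{u.uca_type.name}] {', '.join(u.cause_tags)} -> {', '.join(u.hazards)}")
        print("   constraint:", constraint_for(u))
```

The `cause_tags` field is where the framework's linking of a hazard to security risks and human factors issues would live; filtering on a tag prefix shows which UCAs need a security analyst or human factors review in addition to the safety case, and `unknown_hazard_refs` is the kind of consistency check a tool such as CAIRIS would enforce automatically.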


Notes

  1. The final model created, including references to online sources used, is available at the GitHub repository https://github.com/s5121191/CyberICPS_21. This relies on the CAIRIS fork at https://github.com/s5121191/cairis.

  2. This case study is applied for demonstration purposes only and in no way undermines any previous findings or studies.


Acknowledgements

The work described in this paper was funded by the BU studentship Integrating Safety, Security, and Human Factors Engineering in Rail Infrastructure Design & Evaluation.

Author information

Corresponding author: Amna Altaf

Copyright information

© 2022 Springer Nature Switzerland AG

About this paper


Cite this paper

Altaf, A., Faily, S., Dogan, H., Thron, E., Mylonas, A. (2022). Integrated Design Framework for Facilitating Systems-Theoretic Process Analysis. In: Katsikas, S., et al. (eds.) Computer Security. ESORICS 2021 International Workshops. ESORICS 2021. Lecture Notes in Computer Science, vol. 13106. Springer, Cham. https://doi.org/10.1007/978-3-030-95484-0_4

  • DOI: https://doi.org/10.1007/978-3-030-95484-0_4
  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-95483-3

  • Online ISBN: 978-3-030-95484-0

  • eBook Packages: Computer Science (R0)