Data-flow-based adaption of the System-Theoretic Process Analysis for Security (STPA-Sec)

Security analysis is an essential activity in security engineering to identify potential system vulnerabilities and specify requirements the early design phases. Due increasing complexity of modern systems, traditional approaches lack power insecure incidents caused by complex interactions among physical human social entities. By contrast, System-Theoretic Process Analysis for (STPA-Sec) approach views losses as resulting from interactions, focuses on controlling instead external threats, applicable socio-technical systems. However, STPA-Sec pays less attention non-safety but information-security issues (e.g., data confidentiality) lacks efficient guidance identifying information concepts. In this article, we propose a data-flow-based adaption (named STPA-DFSec) overcome mentioned limitations elicit constraints systematically. We use STPA-DFSec analyze vehicle digital key investigate relationship differences between both approaches, their applicability, highlights. To conclude, proposed can information-related problems more directly processing aspect. As STPA-Sec, it be used with other STPA-based co-design systems multi-disciplines under unified STPA framework.