Towards Security Case Run-time Adaptation by System Decomposition into Services

For interconnected and complex systems, security is paramount for establishing trust in their correctness and design adequacy. Thus, security needs to be assured and a corresponding security assurance case needs to be presented to system stakeholders, security assessors, as well as to system users. However, security is dynamic by its nature and to maintain its acceptable security level, frequent updates might be required. Traditionally, a security assurance case is built from scratch whenever a change occurs, however given the cost of resources needed for such a task, a more effective and less time consuming way of handling updates is needed. Hence, the challenge of security case run-time adaptation is considered in this work. We survey the state of the art in security assurance and security case development to refine the challenge and identify system decomposition as one the enablers for security case run-time adaptation. We propose to apply system decomposition in terms of services and use service choreographies to facilitate security case run-time adaptation. The proposed approach is illustrated on an E-gas example.