Defining Security Requirements With the Common Criteria: Applications, Adoptions, and Challenges

Nan Sun; Chang-Tsun Li; Hin Chan; Ba Dung Le; Md Zahidul Islam; Leo Yu Zhang; Md Rafiqul Islam; Warren Armstrong

doi:10.1109/ACCESS.2022.3168716

IEEE Access (Jan 2022)

Defining Security Requirements With the Common Criteria: Applications, Adoptions, and Challenges

Nan Sun,
Chang-Tsun Li,
Hin Chan,
Ba Dung Le,
Md Zahidul Islam,
Leo Yu Zhang,
Md Rafiqul Islam,
Warren Armstrong

Affiliations

Nan Sun: ORCiD; School of Engineering and Information Technology, University of New South Wales, Canberra, ACT, Australia
Chang-Tsun Li: ORCiD; School of Information Technology, Deakin University, Waurn Ponds, VIC, Australia
Hin Chan: Australian Cyber Security Centre, Kingston, ACT, Australia
Ba Dung Le: Cyber Security Cooperative Research Centre, Joondalup, WA, Australia
Md Zahidul Islam: School of Computing, Mathematics and Engineering, Charles Sturt University, Bathurst, NSW, Australia
Leo Yu Zhang: ORCiD; School of Information Technology, Deakin University, Waurn Ponds, VIC, Australia
Md Rafiqul Islam: ORCiD; School of Computing, Mathematics and Engineering, Charles Sturt University, Albury, NSW, Australia
Warren Armstrong: ORCiD; QuintessenceLabs Pty Ltd., Canberra, ACT, Australia

DOI: https://doi.org/10.1109/ACCESS.2022.3168716
Journal volume & issue: Vol. 10
pp. 44756 – 44777

Abstract

Read online

Advances in emerging Information and Communications Technology (ICT) technologies push the boundaries of what is possible and open up new markets for innovative ICT products and services. The adoption of ICT products and systems with security properties depends on consumers’ confidence and markets’ trust in the security functionalities and whether the assurance measures applied to these products meet the inherent security requirements. Such confidence and trust are primarily gained through the rigorous development of security requirements, validation criteria, evaluation, and certification. The Common Criteria for Information Technology Security Evaluation (often referred to as Common Criteria or CC) is an international standard (ISO/IEC 15408) for cyber security. Motivated by encouraging the adoption of the CC that is used for ICT security evaluation and certification, in this paper, we conduct a systematic review of the CC standard and its adoptions. Adoption barriers of the CC are investigated based on the analysis of current trends in cyber security evaluation. In addition, we share the experiences and lessons gained through the recent Development of Australian Cyber Criteria Assessment (DACCA) project on the development of the Protection Profile that defines security requirements with the CC. Best practices, challenges, and future directions on defining security requirements for trusted cyber security advancement are presented.

Published in IEEE Access

ISSN: 2169-3536 (Online)
Publisher: IEEE
Country of publisher: United States
LCC subjects: Technology: Electrical engineering. Electronics. Nuclear engineering
Website: https://ieeexplore.ieee.org/xpl/RecentIssue.jsp?punumber=6287639

About the journal

Abstract

Keywords