Defining Security Requirements With the Common Criteria: Applications, Adoptions, and Challenges

Advances in emerging Information and Communications Technology (ICT) technologies push the boundaries of what is possible and open up new markets for innovative ICT products and services. The adoption of ICT products and systems with security properties depends on consumers' confidence and markets' trust in the security functionalities and whether the assurance measures applied to these products meet the inherent security requirements. Such confidence and trust are primarily gained through the rigorous development of security requirements, validation criteria, evaluation, and certification. The Common Criteria for Information Technology Security Evaluation (often referred to as Common Criteria or CC) is an international standard (ISO/IEC 15408) for cyber security. Motivated by encouraging the adoption of the CC that is used for ICT security evaluation and certification, in this paper, we conduct a systematic review of the CC standard and its adoptions. Adoption barriers of the CC are investigated based on the analysis of current trends in cyber security evaluation. In addition, we share the experiences and lessons gained through the recent Development of Australian Cyber Criteria Assessment (DACCA) project on the development of the Protection Profile that defines security requirements with the CC. Best practices, challenges, and future directions on defining security requirements for trusted cyber security advancement are presented.