With the increasing prevalence of open and connected products, cybersecurity has become a serious issue in safety-critical domains such as the automotive industry. As a result, regulatory bodies have become more stringent in their requirements for cybersecurity, necessitating security assurance for products developed in these domains. In response, companies have implemented new or modified processes to incorporate security into their product development lifecycle, resulting in a large amount of evidence being created to support claims about the achievement of a certain level of security. However, managing evidence is not a trivial task, particularly for complex products and systems. This paper presents a qualitative interview study conducted in six companies on the maturity of managing security evidence in safety-critical organizations. We find that the current maturity of managing security evidence is insufficient for the increasing requirements set by certification authorities and standardization bodies. Organizations currently fail to identify relevant artifacts as security evidence and to manage this evidence on an organizational level. One part of the reason is educational gaps, the other a lack of processes. The impact of AI on the management of security evidence is still an open question.