A Security-Evaluation Framework for Mobile Cross-Border e-Government Solutions

Security evaluation is crucial for any security-critical system. In this context, a system can mean technical systems, organizations, or any other entity with certain security requirements. The major challenge in doing risk analysis is the trade-off between completeness and complexity. When done on a more abstract level, certain risks are potentially overlooked. When done on a very detailed level, risk analyses quickly become complex and exceed available resources. To tackle this challenge, various norms and standards propose different security evaluation methodologies. These methodologies vary depending on their target scope. Also, these standards typically remain on a rather abstract level to ensure broad applicability to different systems. In practice, this often complicates the application of these standards to concrete technical systems. In this paper, we tackle this issue by proposing a customized security-evaluation framework tailored to the special characteristics of cross-border e-government services. The proposed framework does not re-invent the wheel but combines aspects and approaches of established norms and standards to cherry-pick from each standard those aspects most beneficial for the given context. We evaluated the proposed framework by applying it to a set of software building blocks, which have been developed in the Horizon-2020 project mGov4EU and leverage mobile cross-border e-government services in Europe. The conducted evaluation shows that the proposed framework facilitates the practical application of security evaluations in the targeted domain and supports evaluators in handling the trade-off between completeness and complexity.