Shielding software systems: A comparison of security by design and privacy by design based on a systematic literature review
Computer Law & Security Review (IF 2.707), Pub Date: 2024-01-06, DOI: 10.1016/j.clsr.2023.105933
Cristina Del-Real, Els De Busser, Bibi van den Berg

Background

The design of software systems plays a crucial role in mitigating cybersecurity incidents. Security by Design (SbD) aims to ensure foundational security throughout the design process. However, it lacks a precise interdisciplinary definition. Comparing it with Privacy by Design (PbD), which has seen more conceptual development, highlights the need for a comprehensive understanding of SbD.

Objectives

This study systematically searches and reviews relevant definitions of SbD in comparison with PbD.

Method

Following PRISMA guidelines, we conducted a systematic review of SbD and PbD definitions, searching ACM Digital Library, EBSCO Library, IEEE Xplore, ProQuest, Scopus, and Web of Science. A total of 46 studies were included, identifying 86 definitions. Thirteen themes were identified, including ontology, object of protection, outcome to avoid, means of implementation, added value, and focus of the definition.

Results

Definitions varied in their descriptions of SbD and PbD, the objects of protection, outcomes to avoid, means of implementation, and lifecycle focus. PbD definitions adopted a rights-based approach, anchored in Ann Cavoukian's principles and an interdisciplinary perspective.

Discussion

SbD and PbD definitions lack clarity and uniformity. PbD is better defined, while SbD lacks anchorage and has varied approaches. Both should protect individuals and organizations, address cyber-attacks, and be implemented early in the development process. PbD is more comprehensive, involving technology and organization, while SbD focuses mainly on the technical product. PbD is associated with recognized rights, but the connection between SbD and human rights is unclear. Future research should clarify the specific value protected by SbD, adopt principles from PbD, and take an interdisciplinary approach.



Updated: 2024-01-07