Rodzoan, Muhammad Asyraf and M Ahmed, Husham and Jamaluddin, Mohammed Darwis Haikal and Koondhar, Muhammad Yaqoob (2026) A software engineering framework for secure cyber risk governance in critical energy infrastructure: a PRISMA-based systematic review. VFAST Transactions on Software Engineering, 14 (2). pp. 362-381. ISSN 2411-6246 E-ISSN 2309-3978
|
PDF
- Published Version
Restricted to Repository staff only Download (7MB) | Request a copy |
||
|
PDF
- Supplemental Material
Download (217kB) | Preview |
Abstract
The increasing digitalisation of critical energy infrastructure has elevated cybersecurity from a traditional information technology concern to a broader software engineering and risk governance challenge. While previous studies have examined cyber threats, regulatory requirements, and operational resilience independently, limited attention has been given to integrating secure software engineering practices with cyber risk governance in the energy sector. This study addresses that gap through a PRISMA 2020-based systematic literature review. A total of 1,092 records were identified from Scopus, Web of Science, Google Scholar, and authoritative institutional sources, of which 70 studies met the final inclusion criteria. The review synthesises evidence on IT/OT convergence, ransomware, supply-chain vulnerabilities, artificial intelligence, and emerging cybersecurity regulations affecting critical energy systems. The findings indicate that effective cyber resilience requires security to be embedded throughout the software development lifecycle rather than treated solely as a compliance activity. Based on the reviewed literature, a four-pillar framework encompassing regulatory compliance, operational technology security, third-party risk management, and AI governance is proposed and aligned with SSDLC and DevSecOps principles. The framework promotes secure-by-design architectures, continuous security validation, and lifecycle-oriented risk management for critical infrastructure applications. This study contributes an integrated software engineering perspective that connects cyber risk governance with secure software development practices. The proposed framework offers practical guidance for software engineers, cybersecurity practitioners, and policymakers seeking to strengthen resilience, improve compliance readiness, and support the secure evolution of critical energy infrastructure
| Item Type: | Article (Journal) |
|---|---|
| Uncontrolled Keywords: | Software Engineering, Secure Software Development SSDLC, DevSecOps, Cyber Risk Governance, Critical Infrastructure Security, OT Security, Artificial Intelligence Governance, PRISMA Systematic Review |
| Subjects: | T Technology > T Technology (General) T Technology > T Technology (General) > T10.5 Communication of technical information |
| Kulliyyahs/Centres/Divisions/Institutes (Can select more than one option. Press CONTROL button): | Kulliyyah of Information and Communication Technology > Department of Information System Kulliyyah of Information and Communication Technology > Department of Information System |
| Depositing User: | DR MUHAMMAD ASYRAF RODZOAN |
| Date Deposited: | 09 Jul 2026 15:06 |
| Last Update: | 09 Jul 2026 15:06 |
| Queue Number: | 2026-06-Q3901 |
| URI: | http://irep.iium.edu.my/id/eprint/129698 |
Actions (login required)
![]() |
View Item |
