Towards Integration of Security and Safety Measures for Critical Infrastructures Based on Bayesian Networks and Graph Theory: A Systematic Literature Review

: In recent times, security and safety are, at least, conducted in safety-sensitive or critical sectors. Nevertheless, both processes do not commonly analyze the impact of security risks on safety. Several scholars are focused on integrating safety and security risk assessments, using different methodologies and tools in critical infrastructures (CIs). Bayesian networks (BN) and graph theory (GT) have received much attention from academia and industries to incorporate security and safety features for different CI applications. Hence, this study aims to conduct a systematic literature review (SLR) for co-engineering safety and security using BN or GT. In this SLR, the preferred reporting items for systematic reviews and meta-analyses recommendations (PRISMA) are followed. Initially, 2295 records (acquired between 2011 and 2020) were identiﬁed for screening purposes. Later on, 240 articles were processed to check eligibility criteria. Overall, this study includes 64 papers, after examining the pre-deﬁned criteria and guidelines. Further, the included studies were compared, regarding the number of required nodes for system development, applied data sources, research outcomes, threat actors, performance veriﬁcation mechanisms, implementation scenarios, applicability and functionality, application sectors, advantages, and disadvantages for combining safety, and security measures, based on GT and BN. The ﬁndings of this SLR suggest that BN and GT are used widely for risk and failure management in several domains. The highly focused sectors include studies of the maritime industry (14%), vehicle transportation (13%), railway (13%), nuclear (6%), chemical industry (6%), gas and pipelines (5%), smart grid (5%), network security (5%), air transportation (3%), public sector (3%), and cyber-physical systems (3%). It is also observed that 80% of the included studies use BN models to incorporate safety and security concerns, whereas 15% and 5% for GT approaches and joint GT and BN methodologies, respectively. Additionally, 31% of identiﬁed studies veriﬁed that the developed approaches used real-time implementation, whereas simulation or preliminary analysis were presented for the remaining methods. Finally, the main research limitations, concluding remarks and future research directions, are presented


Introduction
In recent times, the growth of the internet of things (IoT) and information communication technologies (ICT) have revolutionized the modern era and critical infrastructures (CIs), including smart manufacturing, healthcare, energy sector, education, and maritime transportation, among others [1,2]. On the one hand, modern communication and electronic technologies have provided many facilities to individuals and nations in different CIs. On the other hand, safeguarding security and safety are essential requirements to offer authenticated operations against possible cyber threats and crises within the respective CIs [3]. Generally, the security mechanisms focus on recognizing and managing risks interrelated with accessibility, privacy, and integrity of devices in CIs. However, safety approaches are inclined to predict, classify, and resolve the vulnerabilities linked with the safety of humans, systems, and infrastructures. Therefore, integrating both aspects can help identify potential vulnerabilities and threats and the evaluate probable risks associated with the security and safety of CIs.
The incorporation of security and safety aspects has received massive attention worldwide [4,5]. Recent research shows that safety, especially cybersecurity, share interdependencies in many products, especially cyber-physical systems (CPS) [6]. Besides safety regulations interfering in possible security solutions, a fundamental problem is the rising number of cybersecurity threats that negatively impact the affected functional safety and reliability of systems [7]. In safety-sensitive environments, such as the in railway, aircraft, or automotive industries, the consideration of security is widespread [8]. Decision-makers must determine whether the identified issue is due to an attack or technical failure. A precise diagnosis is crucial for an effective response to identified problems. For example, fixing or exchanging the module responsible for the observed issue could be a reasonable response tactic for a technical failure. Simultaneously, blocking an attack vector, utilizing an identified adversary-caused problem, might be an efficient response monitoring strategy.
If the decision-makers can calculate that the apparent problem is an attack, the efficient response policies to resist each attack vector would be dissimilar. For example, the operative response approach for an information manipulation threat on the device could acquire data integrity checks. In contrast, the active response approach against the physical tampering of the device would augment access control. Remarkably, the decision supporting the regulation of the utmost probable root cause for evident problems is not available. In these conditions, Bayesian networks (BNs) could be helpful to solve this problem, mainly cybersecurity and safety applications [4][5][6][7]. In BNs, both qualitative and quantitative components are included, such as the directed acyclic graph (DAG) and conditional probability table (CPT), for each node in the DAG, respectively [8]. Furthermore, the graph theory (GT) and neutral network are also incorporated with the safety aspects of network security [9].
Some systematic literature reviews (SLRs) or literature reviews related to safety and security, based on BNs or GT, are available in the literature. Sharma et al. presented a systematic review of safety and security measures for machine learning-enabled agricultural applications. The focus of this study was BN approaches; however, GT was not addressed [10]. Gupta et al. performed a systematic review on blockchain-oriented security outbreak resilience systems for self-governing automobiles. The main limitations are that vehicle applications and their safety aspects are not considered [11]. Chockalingam et al. conducted SLR on 17 BN-based models for integrating cybersecurity and safety measures in different applications [12]. The main drawback of this SLR includes that it merely emphasized BN models; however, GT was not addressed. Lallie et al. reviewed the threat graphs and visual tree syntax-based GT mechanisms, which describe the cyber-attacks central theory, before elaborating on how vital components of a cyber-attack are characterized in attack graphs and outbreak trees. However, safety concerns are not addressed [13]. The main problem with the studies mentioned above is that the SLR or review, based on either GT or BN, ensures safety and security. Since GT and BN are practical approaches to analyzing safety and security risks, there is still a lack of SLR based on both these approaches.
This SLR aims to present current inclinations and advancements, as well as the limitations of incorporating safety and security using GT and BN. The chief contributions of this study are the following: (a) To identify records, using search queries from numerous databases, including Scopus, ACM, and the Web of Sciences, focusing on united safety and security using GT and BN models. (b) To perform a comprehensive comparative interpretation of classified approaches, regarding threat actors, performance verification mechanisms, the number of applied nodes for system development, and implementation scenarios, among others, for combining safety and security aspects using GT or BN methodologies. (c) To illustrate the research consequences of this SLR, based on pre-defined research questions (RQs). (d) To elaborate pros and cons, limitations, and future research directions of BN and GT approaches for integrating safety and security.
The organization of this paper is stated as follows: the background, to analyze security and safety risks for CIs using BN and GT approaches, is represented in Section 2. In Section 3, the research design, including research questions (RQs), search query, and pre-defined criteria of records, are demonstrated. In Section 4, the identified studies were compared in different aspects, such as application sectors, implementation criteria, applicability, etc. The discussion of RQs, based on included studies, as well as the limitations, are presented in Section 5. Finally, in Section 6, the concluding remarks and future research directions are represented.

Background
Incorporating safety and security has received great attention for different applications; a few unified approaches have been designed to evaluate both measures. Though security analysis is implemented in the overall design procedure, it is generally not combined into the safety analysis development [5,14]. Recently, the introduced approaches comprehended the significance of integrated safety and security analysis and intended to incorporate both into a joint methodological process. Two applicable techniques, which describe the integration of security into safety analysis, recommend a merging of fault tree analysis (FTA) with attack tree analysis (ATA) [14] or boolean driven Markov processes (BDMP) [15]. Other introduced approaches either combine safety and security methods, e.g., ATA and bowtie analysis [16], or integrate both fields. However, there are not any practical mechanisms to deal with safety and security integration in real-time applications. Moreover, BN-and GT-enabled approaches have received much attention worldwide, as a solution offering safety and security in several domains.

Bayesian Networks
The BN (referred to as belief networks) represents a hypothesis of rationalizing from uncertain evidence to uncertain conclusions, since it can perform the factorization of the collective distribution of variables, based on the conditional dependencies. BN is helpful in addressing uncertainty and incompleteness problems; thus, it is extensively applied in several domains. BN graphically depicts the logical associations between variables and recognizes the connections between these variables by conditional probabilities. By interpretation, a BN represents a directed acyclic graph (DAG), which encodes a conditional probability distribution. Nodes and arcs are vital components of BN, the nodes symbolize arbitrary variables and the arcs signify random relations between variables. There is a probability function for each state of the node, and conditional probabilities are used to exhibit the associations between variables.
BNs are probabilistic graphical models; these visual structures characterize the information about an uncertain system [17]. BNs are generally utilized for examining the hazards and vulnerabilities of networks, which are acyclic graphs that provide a quantitative and qualitative assessment of risks. Judea Pearl initially proposed the BN-based approach in 1985 and was usually utilized to distribute random information in AI. Owing to the unique functionality of BN for constructing the structures and algorithms, it is successfully used in e-commerce, transportation, data mining, energy control, etc. It is a DAG-based probability rationalization and appropriate for uncertainty representation of queries. BN must be a DAG and CPT (conditional probability table). BN has been demonstrated to be a powerful tool for solving several problems with uncertain knowledge illustration and reasoning [18][19][20]. The BN formula is represented in Equation (1): where P(. | .) stands for the conditional probability distribution. Suppose the sample space N of experiment L, "Y" is the random event of L. X 1 , X 2 , . . . , X n is the incompatible set of possibilities in experiment L, and "X j " represents the entire group event from (j = 1, 2, . . . , m). Figure 1 represents the three-variable examples of BN structure. A BN comprehends two types of nodes, i.e., the parent and child nodes. The parent node (cause) is at the start of any directed edge; the child node (fruit) is at the end. The directed edge specifies that the two nodes are interrelated. In Figure 1, X, Y are the two-parent nodes of Z. Z is the child nodes of X and Y. Prior probability: P(X) characterizes the probability of event X; P(Y) is the probability of event Y; P(Z|X, Y) is the probability that the event Z occurs before the condition that occurs at X and Y. The posterior probability, P(X|Z), P(Y|Z), and so on, can be obtained through the known prior probability.
it is successfully used in e-commerce, transportation, data mining, energy control, etc. It is a DAG-based probability rationalization and appropriate for uncertainty representation of queries. BN must be a DAG and CPT (conditional probability table).
BN has been demonstrated to be a powerful tool for solving several problems with uncertain knowledge illustration and reasoning [18][19][20]. The BN formula is represented in Equation (1): where P(. | .) stands for the conditional probability distribution. Suppose the sample space N of experiment L, "Y" is the random event of L. X1, X2, …, Xn is the incompatible set of possibilities in experiment L, and "Xj" represents the entire group event from (j = 1, 2, …, m). Figure 1 represents the three-variable examples of BN structure. A BN comprehends two types of nodes, i.e., the parent and child nodes. The parent node (cause) is at the start of any directed edge; the child node (fruit) is at the end. The directed edge specifies that the two nodes are interrelated. In Figure 1, X, Y are the two-parent nodes of Z. Z is the child nodes of X and Y. Prior probability: P(X) characterizes the probability of event X; P(Y) is the probability of event Y; P(Z|X, Y) is the probability that the event Z occurs before the condition that occurs at X and Y. The posterior probability, P(X|Z), P(Y|Z), and so on, can be obtained through the known prior probability. A node without a parent is known as a root node, and a node without children is termed as a leaf node. In BNs, nodes with links represent system variables demonstrating uncertain dependencies. Specifically, every node in the graph characterizes an arbitrary variable, whereas the ends between the nodes represent the dependencies of respective random variables [21]. Usually, statistical and computational techniques are used to calculate these provisional dependencies in the chart. Hereafter, BNs merges concepts from statistics, GT, and probability theory [22]; also, Bayesian probabilistic (BP) are used by considering probability as a mark of belief. The BP is less severe, concerning evidence, than the typically utilized probability methods. BN represents a combination of likelihood and GT; thus, it computes dependencies between several information or fact uncertainties [23]. FTA and ATA can be easily transferred to BN because it familiarizes the assemblies of various data, knowledge, functional associations, and approaches; also, it allows for conducting the extensively utilized interpretation for additional analysis [24][25][26][27]. In current studies of safety and security co-engineering methods, some factors are not A node without a parent is known as a root node, and a node without children is termed as a leaf node. In BNs, nodes with links represent system variables demonstrating uncertain dependencies. Specifically, every node in the graph characterizes an arbitrary variable, whereas the ends between the nodes represent the dependencies of respective random variables [21]. Usually, statistical and computational techniques are used to calculate these provisional dependencies in the chart. Hereafter, BNs merges concepts from statistics, GT, and probability theory [22]; also, Bayesian probabilistic (BP) are used by considering probability as a mark of belief. The BP is less severe, concerning evidence, than the typically utilized probability methods. BN represents a combination of likelihood and GT; thus, it computes dependencies between several information or fact uncertainties [23]. FTA and ATA can be easily transferred to BN because it familiarizes the assemblies of various data, knowledge, functional associations, and approaches; also, it allows for conducting the extensively utilized interpretation for additional analysis [24][25][26][27]. In current studies of safety and security co-engineering methods, some factors are not considered, such as parameter optimization and balancing; thus, BN-based techniques can solve these essential issues.

Graph Theory
CIs are a highly interrelated and interdependent system, comprising several components, services, and nodes containing crucial information. There are numerous threats and Signals 2021, 2 775 risks that may endanger critical data security and privacy in different CIs. After recognizing the CI risks, the next step for the CI safety and security evaluation is to offer an appropriate model for demonstrating the connection among potential risk sources. The GT model represents the study of mathematical structures applied to prototypical pairwise associations between entities, including nodes and points connected by edges or links. For GT analysis, graphs can be divided into various types, comprising of directed and undirected graphs and connected and disconnected charts, as well as weighted, bipartite, and simple graphs. GT analyzed the connectivity properties for susceptibility, trustworthiness, and risk analysis for several applications, i.e., vehicle networks using different graphs [28][29][30]. Moreover, topological properties enable techniques, flow-based approaches, and hybrid methods to analyze the reliability, hazards, and safety of systems [31].
There are several benefits of using the graphs model in different sectors. The first and foremost strength of GT is to describe the topological association between several nodes, connecting links between locations ( Figure 2). It helps review the connectivity and the degree distribution of every location in a topological space. Those notions are essential for examining the networks. In the case of a spatial network, the vector and geometric characteristics are incredibly beneficial. Vectors properties provide a directional links; for transportation modeling, this property is applied to model flows between locations. The usage of geometrics properties is to insert distance into the model, allowing spatializing the system in Euclidian space. Moreover, GT also offers a description of relations through the graph. Based on the path, i.e., a course among components into the graph, and cycle (a path with a similar origin and endpoint), these characteristics allow for the study of the relationships between various parts of the charts [32][33][34].

Research Design
This section presents the fundamental stages for designing this SLR. This study follows the recommendations of the preferred reporting items for systematic reviews and meta-analyses (PRISMA) statement [40]. This design is used to select the security and safety literature, based on BN and GT, to compare and analyze the included studies.

Search Querry Process and Research Questions
In this SLR, ScienceDirect, IEEE Xplore, Web of Sciences, Scopus, and ACM databases were included. Later, a query was asked from identified databases for integrating safety and security, based on Bayesian networks or graph theory (also a combination of both). The search query for this SLR is given below: ("security" AND "safety") AND ("bayesian network" OR "graph theory") The SLR is a series of associated arguments in support of the research questions (RQs). The RQs of this SLR is stated as follows: In existing studies, GT has been applied in protecting systems [35]. An undirected graph H = (U, F) represents a mathematical structure, comprising two sets, U and F, where U = {u 1 , u 2 , . . . , u m } defines the set of nodes. The set of edges is presented by F = {f 1 , f 2 , . . . , f n }. The undirected graph may be useful in presenting CIs or any other complex systems. Furthermore, each subsystem, such as oil and gas, power, and networks, can be exhibited by a subgraph. In GT, each component of the system represents a link, and the nodes are the connections between components, as per the topology of the network. Interdependencies among subsystems are modeled as definite links between end terminals of the two relevant components or subsystems. The CI graph model is supposed to have m nodes and n connections [36].
GT has become a critical component in various computing applications, such as CI security and network development. However, it is also among the most challenging areas to comprehend and apply for protecting networks, as well as infrastructures. Chung and Lu discussed GT and its real-time implementation in different threat and vulnerability analyses [37]. Ahmat et al. discussed the optimization problems associated with GT and its security applications, using GT concepts to characterize various networks, assess network protocols for multiple scenarios in networking and security, and tools used to generate graphs for demonstrating real-world systems [38]. Shirinivas et al. demonstrated GT's applicability in heterogeneous fields but primarily focused on technical applications that utilize theoretical graph notions [39].

Research Design
This section presents the fundamental stages for designing this SLR. This study follows the recommendations of the preferred reporting items for systematic reviews and metaanalyses (PRISMA) statement [40]. This design is used to select the security and safety literature, based on BN and GT, to compare and analyze the included studies.

Search Querry Process and Research Questions
In this SLR, ScienceDirect, IEEE Xplore, Web of Sciences, Scopus, and ACM databases were included. Later, a query was asked from identified databases for integrating safety and security, based on Bayesian networks or graph theory (also a combination of both). The search query for this SLR is given below: ("security" AND "safety") AND ("bayesian network" OR "graph theory") The SLR is a series of associated arguments in support of the research questions (RQs). The RQs of this SLR is stated as follows:

1.
Why is the integration of security and safety needed? 2.
How have BN-and GT-based methodologies been utilized for security and safety studies in CI? 3.
What have been the targeted application domains? 4.
What solutions have been developed in the identified studies? 5.
How is performance validated for developed techniques and algorithmic solutions? 6.
What are the advantages and disadvantages of existing studies?

Exclusion and Inclusion Criteria
This study applies the web application Rayyan QCRI to eliminate duplicate records from different databases and estimate the eligibility of recognized records [41]. Moreover, in this SLR, we used the following exclusion criteria (EC): (a) Studies that are not focused on the integration of safety and security, based on Bayesian networks or graph theory (also a combination of both). (b) Studies that merely provide background about the integration of both measures. (c) Studies that do not develop or design a novel method/approach/model/tool.
In this SLR, we followed specific inclusion criteria for considering studies to be included for analysis. The inclusion steps for this SLR are stated as below: (a) Published in a conference or journal classified in the identified databases. (b) The records are identified from January 2011 to September 2020. (c) Developed a tool or technique for integrating safety and security measures using Bayesian Networks or Graph Theory (also a combination of both approaches).

Results
This section discusses BN and GT approaches for security and safety to recognize the significant patterns and findings in applying different applications. Moreover, this study analyzes the identified studies, based on organization and classification, citation index, applied data source, number of used nodes, application, application sector, threat actor, functionality, implementation scenarios, and validation methodologies.

Organization and Classification of Included Studies
In this study, at the initial stage, 2295 records were identified during the search process, including ScienceDirect (n = 1610), Scopus (n = 213), ACM (n = 205), IEEE Xplore (n = 193), and Web of Science (n = 74). Later, 2093 unique records were recognized, after deleting the duplicate records by applying the screening tool. The title and abstract review recommend that 1853 records be excluded by following the exclusion and inclusion criteria, as elaborated on in Section 3.2. From examining the full-text articles of 240 records, based on the eligibility check process stated in Section 3, 176 were excluded. Merely, 64 papers have discussed the security and safety integration for different CI applications based on BN and GT and can be considered to perform comparative analysis in this SLR . Figure 3 presents a flowchart of the multiple record processing stages in this SLR.  The details of the included papers, including study year, number of used references, and category are shown in Table 1. Figure 4 demonstrates that the journal and conference proceedings are 61% and 39% of total articles, respectively.

Included Studies Based on GT and BN for Safty and Security
In recent times, security and safety problems are rapidly converging on different applications, leading to conditions where these closely associated measures that need to 39% 61%

Classification of Included Articles
Conference Journal

Included Studies Based on GT and BN for Safty and Security
In recent times, security and safety problems are rapidly converging on different applications, leading to conditions where these closely associated measures that need to be integrated, instead of applied discretely or categorized. Several scholars have developed innovative methodologies to solve risk analysis and evaluation from safety, security, and united security risk management. Table 2 includes existing techniques, based on BN and GT, to resolve safety and security concerns and their respective application sectors.

Study Application Sector Technique Description
Jinsoo et al. [96] Nuclear BN To establish a risk investigation approach for instrumentation and control (I and C) for identifying mitigating vulnerabilities.
Stefan et al. [97] Vehicle Transportation GT Three graph-based protocols were developed, by means of wide-ranging simulations, to detect insider threats.
Jingjing et al. [98] Railways BN To propose an approach to meet the necessities of accuracy in high safety for the train control system for a fault diagnosis system.
John et al. [99] Air Transportation GT Development of method using game theory and GT concepts and graph theory for security risk mitigation.
Heung et al. [100] Nuclear BN This study analytically modeled management approach, which offers the progress of safety-critical software.

Citation Index of Included Studies
In this SLR, the citation index is adapted to evaluate the research quality of each included technique, i.e., BN or GT or unified BN and GT. The citation index represents the number of citations of the included studies as per Google Scholar, accessed on 20th November 2020, as revealed in Table 3. The most extensive cited studies were 139 citations for Shuliang et al. [103], 76 citations are Jinsoo et al. [82], and 60 citations for Huai et al. [68], which are published in 2012, 2015, and 2017, respectively. Whereas the following studies have not received any citations: Tai-hua et al. [46], Xiaoxue et al. [48], and Xin et al. [49] (published in 2020), Sabarathinam et al. [56], Xiqiang et al. [62], and Jamal et al. [63] (published in 2019), Zhao et al. [76] (published in 2016), Jiali et al. [90], and Zeng Xianfeng [93] (published in 2014), and Mo Ming [102] (published in 2012).   However, the record number of included articles per year is reported in Figure 5, which demonstrates the research trend of applying GT and BN to implement safety and security, based on the included studies. The analysis suggests that scholars have been publishing more articles, addressing united safety and security aspects, in the last two years. From 2019 and 2020, 13 (9 BN, 1 GT, 1GT, and BN), and 9 (8 BN, 1 BN, and GT) papers are included in this SLR, respectively.

Data Sources and Number of Nodes Used to Construct BN/GT
The BN and GT play a significant role in predicting and unintentionally diagnosing failures and targeted risks by using numerous tools and models, based on the information collected from the system expert's knowledge (EK) and/or from empirical data (ED). EK represents the opinions collected by interviewing the system or domain expert, and ED is the historical or experimental data gathered by real-time scenarios or the literature [50][51][52][53][54]. It is revealed in existing studies that a reliable strategy can be attained for the developed model by applying collective EK and ED. Figure 6 demonstrates that 26 out of 64 of the included studies used only ED to developed BN or GT approaches. Whereas 16 out of 64 applied EK and 26 out of 64 of included studies that utilized both ED and EK to develop GT-or BN-enabled models. It is observed that 3 out of 64 of the included studies were based on integrating GT and BN for addressing united security and safety measures, and these studies employed ED analysis for the system development. Though 10 out of 64 included studies were based on GT, in which 7 uses ED, 2 applies EK, and 1 utilizes both. Besides, BN models are applied in 51 out of 64 studies, which categorize as EK (14), ED (16), and collective EK and ED (21). Several nodes are linked together to represent BN or GT enabled systems for assessing risks and vulnerabilities in different applications. Moreover, the quantity of nodes can be utilized to represent the model complexity of the system. A large number of nodes may reflect the incapacitated association between input and output nodes by introducing in-between layers between source and destination. Chockalingam et al. [106] stated that it is suggested to have a total number of nodes in BN models less than 40. In this SLR, it is observed that 43 out of 51 BN-based model have used less than 40 nodes. However, the remaining eight have used equal or more than 40, including Xiaoyan et al. [65], Song et al. [104], Zhiqiang et al. [70], Xiqiang et al. [85], Barry et al. [54], Jiali et al. [90], Remya et al. [78], and Jinsoo et al. [82], 40, 45, 47, 47, 51, 58, 60, and 64, respectively. However, all models that utilized GT and BN simultaneously have used less than 40 nodes in the developed system. Moreover, it is also noticed that 2 out of 10 GT-based approaches have utilized more than 40 nodes comprising Huai et al. [68] and Shuliang et al. [103], 53 and 182, respectively. Whereas, remaining 8 included studies of GT employ less than 40 nodes.

Applicability, Threat Actor, and Implementation Criteria
The characteristic applicability is used to comprehend the type of evaluation that is acquired from the developed methodologies. In this SLR, it is observed that 37 out of 64 studies ensure risk management in the proposed system for identifying, analyzing, evaluating, and treating loss exposures, as well as monitoring risk control and financial resources, to mitigate the adverse effects of loss. There are three main stages: identifying, assessing, and evaluating risk. The procedure for assessing risk is the main element in the risk management process. Generally, there are two sorts of risk assessment approaches, including quantitative and qualitative strategies. The qualitative assessment techniques primarily rely on proficient knowledge and attention for revealing the risks. In contrast, the quantitative assessment methods can compute the risk value of the system and emphasize the system's quantitative performance under the risks.
In general, the quantitative methods are chosen to conduct risk analysis and assessment, owing to the accurate explanations of system risks that can optimize the distribution of protected resources. Whereas 10 out of 64 perform the task of vulnerability assessment for evaluating whether the network is vulnerable to any identified Several nodes are linked together to represent BN or GT enabled systems for assessing risks and vulnerabilities in different applications. Moreover, the quantity of nodes can be utilized to represent the model complexity of the system. A large number of nodes may reflect the incapacitated association between input and output nodes by introducing in-between layers between source and destination. Chockalingam et al. [106] stated that it is suggested to have a total number of nodes in BN models less than 40. In this SLR, it is observed that 43 out of 51 BN-based model have used less than 40 nodes. However, the remaining eight have used equal or more than 40, including Xiaoyan et al. [65], Song et al. [104], Zhiqiang et al. [70], Xiqiang et al. [85], Barry et al. [54], Jiali et al. [90], Remya et al. [78], and Jinsoo et al. [82], 40, 45, 47, 47, 51, 58, 60, and 64, respectively. However, all models that utilized GT and BN simultaneously have used less than 40 nodes in the developed system. Moreover, it is also noticed that 2 out of 10 GT-based approaches have utilized more than 40 nodes comprising Huai et al. [68] and Shuliang et al. [103], 53 and 182, respectively. Whereas, remaining 8 included studies of GT employ less than 40 nodes.

Applicability, Threat Actor, and Implementation Criteria
The characteristic applicability is used to comprehend the type of evaluation that is acquired from the developed methodologies. In this SLR, it is observed that 37 out of 64 studies ensure risk management in the proposed system for identifying, analyzing, evaluating, and treating loss exposures, as well as monitoring risk control and financial resources, to mitigate the adverse effects of loss. There are three main stages: identifying, assessing, and evaluating risk. The procedure for assessing risk is the main element in the risk management process. Generally, there are two sorts of risk assessment approaches, including quantitative and qualitative strategies. The qualitative assessment techniques primarily rely on proficient knowledge and attention for revealing the risks. In contrast, the quantitative assessment methods can compute the risk value of the system and emphasize the system's quantitative performance under the risks.
In general, the quantitative methods are chosen to conduct risk analysis and assessment, owing to the accurate explanations of system risks that can optimize the distribution of protected resources. Whereas 10 out of 64 perform the task of vulnerability assessment for evaluating whether the network is vulnerable to any identified vulnerabilities, allocates severity levels to those susceptibilities, and recommends remediation or mitigation, if and whenever required. Moreover, 3 out of 64, 2 out of 64, and 2 out of 64 perform attack analysis, fault analysis, and safety assessment, respectively. Besides, 10 out 64 studies perform distinct functionalities, comprising of Lipeng et al. [43], Niamat et al. [51], Alexandre et al. [55], Sabarathinam et al. [56], Mario C et al. [58], Elvin et al. [64], Subhojeet et al. [67], Huai et al. [68], Sher et al. [91], and TIAN et al. [94], holistic event investigation, resilience quantification, cyber impact assessment, root cause analysis, intrusion detection, trust computation, anomaly detection, reliability assessment, software verification, and water traffic management, respectively.
In this SLR, the threat actor is used to identifying that the included studies help prevent the attack. It is observed that the threat actor is classified into two types, such as external and internal. It is observed from Figure 7 that 7 out of 64 and 2 out of 64 studies have mentioned that the developed methodology is applicable against external and internal threats, respectively. Moreover, 2 out 64 developed approaches help prevent both internal and external threats. However, the remaining 53 included articles have not specified any particular kind of threat but rather concentrated on warnings and alarms, which may be suitable for various possible threats.
Signals 2021, 2 FOR PEER REVIEW 16 Besides, 10 out 64 studies perform distinct functionalities, comprising of Lipeng et al. [43], Niamat et al. [51], Alexandre et al. [55], Sabarathinam et al. [56], Mario C et al. [58], Elvin et al. [64], Subhojeet et al. [67], Huai et al. [68], Sher et al. [91], and TIAN et al. [94], holistic event investigation, resilience quantification, cyber impact assessment, root cause analysis, intrusion detection, trust computation, anomaly detection, reliability assessment, software verification, and water traffic management, respectively. In this SLR, the threat actor is used to identifying that the included studies help prevent the attack. It is observed that the threat actor is classified into two types, such as external and internal. It is observed from Figure 7 that 7 out of 64 and 2 out of 64 studies have mentioned that the developed methodology is applicable against external and internal threats, respectively. Moreover, 2 out 64 developed approaches help prevent both internal and external threats. However, the remaining 53 included articles have not specified any particular kind of threat but rather concentrated on warnings and alarms, which may be suitable for various possible threats.
Implementing GT-or BN-based models is vital to measure network performance, transform strategic plans to monitor failures and risks in the system, and apply the necessary actions to achieve integrated safety and security for different applications. During the review process, it is observed that GT-or BN-based development scenarios are an association of nodes, modules, and the implementation subsystems. This SLR suggests that 42%, 31%, and 27% of the included studies performed simulated, real-time, and preliminary analysis, respectively, as shown in Table 4.

Threat Actor in Included Studies
Not Reported External Internal External/Internal Implementing GT-or BN-based models is vital to measure network performance, transform strategic plans to monitor failures and risks in the system, and apply the necessary actions to achieve integrated safety and security for different applications. During the review process, it is observed that GT-or BN-based development scenarios are an association of nodes, modules, and the implementation subsystems. This SLR suggests that 42%, 31%, and 27% of the included studies performed simulated, real-time, and preliminary analysis, respectively, as shown in Table 4. Table 4. Threat Actor and Implementation Criteria of Included Studies.

Discussion
This section includes answers based on comparative analysis of included articles to find solutions for given RQs in Section 2.

Why Is the Integration of Security and Safety Needed?
In recent times, computer networks have been widely applied in several applications; any failure in these systems could have critical outcomes. There are various hypotheses about the characteristics such crucial systems must maintain, and the methods employed to protect them. Two such attributes are security and safety. Nevertheless, modern designs are usually needed to meet these two attributes simultaneously. Considering safety and security, common goals are needed to protect peoples or systems; therefore, safety-critical assets are considered.
Martin et al. [81] stated that the marine industry is a critical sector, and it is essential to combine safety and security concerns on the sea. The integration of two aspects concentrates on analyzing the energy supply vulnerabilities and introduces a methodology to evaluate the system's exposure using the spatial composition of maritime regions. This study contributes a GT-based model for offering safety and security in a maritime territory. Indeed, the developed model utilizes links, such as roads and ports, as nodes. Matti et al. [84] demonstrate the significance of public safety and security (PSS) in mobile networks. In this study, a risk evaluation model, using BN, is proposed for the current PSS telecommunication services.

How Have Bayesian Network-and Graph Theory-Based Methodologies Been Utilized for Security and Safety Studies in CI?
This RQ assists in knowing which models are used for safety and security integration, functionalities, and applicability. In this SLR, it is observed that 80%, 15%, and 5% of the included studies use BN and GT, as well as both GT and BN, respectively, as shown in Figure 8.

Discussion
This section includes answers based on comparative analysis of included articles to find solutions for given RQs in Section 2.

Why Is the Integration of Security and Safety Needed?
In recent times, computer networks have been widely applied in several applications; any failure in these systems could have critical outcomes. There are various hypotheses about the characteristics such crucial systems must maintain, and the methods employed to protect them. Two such attributes are security and safety. Nevertheless, modern designs are usually needed to meet these two attributes simultaneously. Considering safety and security, common goals are needed to protect peoples or systems; therefore, safety-critical assets are considered.
Martin et al. [81] stated that the marine industry is a critical sector, and it is essential to combine safety and security concerns on the sea. The integration of two aspects concentrates on analyzing the energy supply vulnerabilities and introduces a methodology to evaluate the system's exposure using the spatial composition of maritime regions. This study contributes a GT-based model for offering safety and security in a maritime territory. Indeed, the developed model utilizes links, such as roads and ports, as nodes. Matti et al. [84] demonstrate the significance of public safety and security (PSS) in mobile networks. In this study, a risk evaluation model, using BN, is proposed for the current PSS telecommunication services.

How Have Bayesian Network-and Graph Theory-Based Methodologies Been Utilized for Security and Safety Studies in CI?
This RQ assists in knowing which models are used for safety and security integration, functionalities, and applicability. In this SLR, it is observed that 80%, 15%, and 5% of the included studies use BN and GT, as well as both GT and BN, respectively, as shown in Figure 8. From Figure 9, it is observed that the developed models based on BN or GT in included studies were utilized to have two sorts of purposes, including diagnosis and prediction. The term diagnosis represents identifying the nature or cause of the incidents or other risks in the systems. In contrast, the prediction is associated with forecasting potential cyber threats in the respective CIs. This study identifies that 48% of approaches perform a diagnosis of the risks in different applications. However, 36% and 16% of papers ensure performance prediction and both prediction and diagnosis, respectively. From Figure 9, it is observed that the developed models based on BN or GT in included studies were utilized to have two sorts of purposes, including diagnosis and prediction. The term diagnosis represents identifying the nature or cause of the incidents or other risks in the systems. In contrast, the prediction is associated with forecasting potential cyber threats in the respective CIs. This study identifies that 48% of approaches perform a diagnosis of the risks in different applications. However, 36% and 16% of papers ensure performance prediction and both prediction and diagnosis, respectively. Signals 2021, 2 FOR PEER REVIEW 19 Figure 9. Functionality of included studies.
However, the applicability of included studies is demonstrated in Figure 10. The key applicability area for integrating safety and security using GT or BN is risk assessment (60%) of included studies. It is observed that vulnerability assessment, attack analysis, safety analysis, and fault analysis are 16%, 5%, 3%, and 3%, respectively. Moreover, the applicability of approximately 1% of total studies is in holistic event investigation, resilience quantification, cyber impact assessment, root cause analysis, intrusion detection, trust computation, anomaly detection, reliability assessment, software verification, and water traffic management.  Figure 11 demonstrates the application sectors of BN and GT models for jointly monitoring safety and security events. The key sectors are the maritime (14%), vehicle However, the applicability of included studies is demonstrated in Figure 10. The key applicability area for integrating safety and security using GT or BN is risk assessment (60%) of included studies. It is observed that vulnerability assessment, attack analysis, safety analysis, and fault analysis are 16%, 5%, 3%, and 3%, respectively. Moreover, the applicability of approximately 1% of total studies is in holistic event investigation, resilience quantification, cyber impact assessment, root cause analysis, intrusion detection, trust computation, anomaly detection, reliability assessment, software verification, and water traffic management. However, the applicability of included studies is demonstrated in Figure 10. The key applicability area for integrating safety and security using GT or BN is risk assessment (60%) of included studies. It is observed that vulnerability assessment, attack analysis, safety analysis, and fault analysis are 16%, 5%, 3%, and 3%, respectively. Moreover, the applicability of approximately 1% of total studies is in holistic event investigation, resilience quantification, cyber impact assessment, root cause analysis, intrusion detection, trust computation, anomaly detection, reliability assessment, software verification, and water traffic management.  Figure 11 demonstrates the application sectors of BN and GT models for jointly monitoring safety and security events. The key sectors are the maritime (14%), vehicle  Figure 11 demonstrates the application sectors of BN and GT models for jointly monitoring safety and security events. The key sectors are the maritime (14%), vehicle transportation (13%), railway (13%), nuclear (6%), chemical (6%), gas and pipelines (5%), smart grid (5%), network security (5%), air transportation (3%), public sector (3%), and CPS (3%) industries. The other preferred application sectors were software (2%), water traffic system (2%), ICS (2%), education (2%), UAV (2%), complex systems (2%), oil wharf handling (2%), process plant (2%), socio-technical systems (2%), SoS (2%), navigation environment (2%), petroleum plants (2%), mobile networks (2%), cognitive radio networks (2%), Asian games (2%), and medical (2%).

What Solutions Have Been Developed in the Identified Studies?
This RQ aims to provide insight into the existing solutions, based on GT or BN, for integrating security and safety. The research outcomes of the included studies were shown in Table 5. It has been observed that 60% of the included studies have focused on risk assessment and monitoring. Meizhi et al. [44] presented a statistical evaluation of risks to achieve valuable insights into ports protection and build the fundamental BN approach. A dynamic model was introduced, using expert judgment and historical data to evaluate the emergency risk of sea lanes. André et al. [105] focused on protecting ventricular assist devices (VAD)-related risks that have great significance for patient safety, having customized VAD, regarding patients' intensity of sickness and metabolism. Moreover, safety-oriented guidelines are introduced, which also plays an indispensable role in decreasing risk reduction.

What Solutions Have Been Developed in the Identified Studies?
This RQ aims to provide insight into the existing solutions, based on GT or BN, for integrating security and safety. The research outcomes of the included studies were shown in Table 5. It has been observed that 60% of the included studies have focused on risk assessment and monitoring. Meizhi et al. [44] presented a statistical evaluation of risks to achieve valuable insights into ports protection and build the fundamental BN approach. A dynamic model was introduced, using expert judgment and historical data to evaluate the emergency risk of sea lanes. André et al. [105] focused on protecting ventricular assist devices (VAD)-related risks that have great significance for patient safety, having customized VAD, regarding patients' intensity of sickness and metabolism. Moreover, safety-oriented guidelines are introduced, which also plays an indispensable role in decreasing risk reduction.  Validation approaches are essential for BN or GT methods, in order to analyze the performance of developed methodologies. In this SLR, it is observed that 56 out of 64 studies were validated by different mechanisms, and the remaining 8 studies have not reported the validation process, as shown in Figure 12. Sensitivity analyses (20% of included studies) perform a critical function in estimating the robustness of the outcomes on the principal analyses of the developed approaches. It is an important measure to evaluate the influence or impact of key hypotheses or variations on the specific infrastructure, including different analysis methods, protocol variations, outliers, definitions of results, and missing data, among others [48][49][50][51][52]. Another important aspect for validating the proposed technique is comparative analysis (20% of included studies), in which the outcomes of distinct models with different assumptions are compared with the developed approaches [79,80]. The other validation mechanisms recognized in the included studies were expert evaluation, scenarios development, statistical analysis, empirical analysis, reachability graph, diagnostic analysis, checklists, cross-validation, and minimax analysis, 16%, 12%, 8%, 3%, 2%, 2%, 2%, 2%, and 2%, respectively.
Signals 2021, 2 FOR PEER REVIEW 22 reported the validation process, as shown in Figure 12. Sensitivity analyses (20% of included studies) perform a critical function in estimating the robustness of the outcomes on the principal analyses of the developed approaches. It is an important measure to evaluate the influence or impact of key hypotheses or variations on the specific infrastructure, including different analysis methods, protocol variations, outliers, definitions of results, and missing data, among others [48][49][50][51][52]. Another important aspect for validating the proposed technique is comparative analysis (20% of included studies), in which the outcomes of distinct models with different assumptions are compared with the developed approaches [79,80]. The other validation mechanisms recognized in the included studies were expert evaluation, scenarios development, statistical analysis, empirical analysis, reachability graph, diagnostic analysis, checklists, cross-validation, and minimax analysis, 16%, 12%, 8%, 3%, 2%, 2%, 2%, 2%, and 2%, respectively.

What Are the Advantages and Disadvantages of Existing Studies?
As elaborated in the included studies, the incorporation of safety and security measures based on GT and BN can benefit different CIs. Although there are certain shortcomings with the developed solutions, the advantages and disadvantages of existing BN or GT methods are discussed in this section, as shown in Table 6.

What Are the Advantages and Disadvantages of Existing Studies?
As elaborated in the included studies, the incorporation of safety and security measures based on GT and BN can benefit different CIs. Although there are certain shortcomings with the developed solutions, the advantages and disadvantages of existing BN or GT methods are discussed in this section, as shown in Table 6. Table 6. Pros and cons of included studies.

Study Pros Cons
Xiaorong et al. [42] Offers a feasible solution for risk assessment in CPS, the feasibility is verified based on two event scenarios.
Lacks in presenting the finished model of the research.
Lipeng et al. [43] The key benefit of the proposed model is that its applicability is checked in multiple scenarios.
The process consumes a lot of time, thus restricting the model's application up to few only.
Meizhi et al. [44] Utilization of vast dataset. The use case areas are fixed.
Raditya et al. [45] This study is useful in offering real-time risk management options to mitigate cyber threats.
This study has not provided conclusive data, as it was an early study.
Tai-hua et al. [46] Potential to be applied for Chinese enterprises in presenting efficient anomaly prevention and response policies.
It is specified for Chinese enterprises for a Chinese problem. Readjustment is needed if used in other places.
Mingjing et al. [47] Efficient in enhancing security in urban express logistics and avoiding safety hazards.
Merely a prototype is proposed.
Xiaoxue et al. [48] The authors recommended low vulnerable and improved resilient perspective for the northern sea route.
Resilience level needs improvement.
Xin et al. [49] Improves evaluation accuracy and reduces estimation error for the educational sector.
It has a limited use case to demonstrate its developed method.
Meizhi et al. [50] Various significant influencing factors for maritime piracy are identified, and the applicability is authenticated using sensitivity analysis.
Feasibility issues, due to limited data.
Niamat et al. [51] The capability of framework to be applied for different sectors.
This study does not offer decision-theoretic troubleshooting.
Moreover, the framework is still preliminary.
Chengpeng et al. [52] Offers efficient and flexible risk management for real circumstances.
It is limited up to only operational aspects. In contrast, complete analysis is not focused on this tool.
Yi et al. [53] More accuracy in the navigation risk of ships in the bridge area in distinct conditions. This research is validated based on a specific use case.
Barry et al. [54] High prediction accuracy (nearly 100%) of the qualitative and quantitative risk factors. It is used for specific sectors only.
Alexandre et al. [55] Efficient in demonstrating cyber impacts in whole systems based on invaders and defenders' plans, without knowing the hard-to-assess attacker's activities.
Limited scenarios and tested situations.
Sabarathinam et al. [56] To assist in determining the root cause of risks within the systems. The results are based on simulations.
Seyedmohsen et al. [57] Both qualitative and quantitative factors are used with rigorous testing.
Perhaps overspecialized. Only to be used in its sector.
Mario et al. [58] The accuracy of the developed model is reasonably optimal.
Lacking in measuring efficiency in real-time scenarios.
Chao et al. [59] Ability to decrease the risk of intended attacks by continuous monitoring Allocation optimization is not considered.

Study Pros Cons
Nima et al. [60] A cost-efficient solution for vulnerability assessment.
Limited to restricted sectors.
Hui et al. [61] Offers practical recommendations for establishing countermeasures in diminishing risk events in railway.
A risk mitigation strategy is not presented.
Xiqiang et al. [62] Efficient in diagnosing of main factors, which may put threats to rail transport. Threat actors are not specified.
Jamal et al. [63] High efficiency in autonomous quarry mitigation associated with signal interference.
Cannot protect from all high impact attacks.
Elvin et al. [64] Improved malicious detection in vehicular networks, due to inclusion of perception and reasoning in the decision building process.
Results are still preliminary.
Xiaoyan et al. [65] Continuous evaluation of possible incident frequencies and outcomes by providing unique risk awareness.
Conditional probability tables are not presented.
Ying et al. [66] The casual diagnostic analysis in complex and uncertain environments. More accurate than fault tree analysis.
Complex data collection process, an automatic technology for collecting required information, is not considered.
Subhojeet et al. [67] Capability to recognize malicious threats and differentiate them from safety-critical activities.
The developed model is still preliminary.
Huai et al. [68] Failure analysis from different prospects, such as topology, functional restriction, environmental, and dynamic.
There needs an improvement for analyzing network measurements and results of unit failures.
Gabriele et al. [69] Accurate quantitative estimation of attack success probability and for the classification of the more hazardous escalation situations.
Lacks in performing a quantitative evaluation of the credibility of attack success.
Zhiqiang et al. [70] An efficient quantitative risk assessment for finding security weaknesses.
The results need to be verified based on real-time scenarios.
Jinsoo et al. [71] A generic approach toward monitoring and mitigating security and safety risks.
This study is conducted for a specific sector.
Donya et al. [72] This study efficiently resolves uncertainties in the failure probability of elements and the temporal classification of occurrences.
The developed model is still preliminary.
Xianyou et al. [73] Using multiple BN models to accurately assess vulnerabilities. The developed model is still preliminary.
Galizia et al. [74] New recommendations for resilience in socio-technical systems. Lacks in presenting real-time analysis.
Francesca et al. [75] A systematic procedure for vulnerability assessment against outside threats.
Insider threats are not considered in this study.
Zhao et al. [76] An experiential analysis that effectively exhibits the safety status for the navigation environment.
Threats are not specified.
Mark et al. [77] Increase awareness in vulnerability management for the chemical industry.
This study is conducted for a specific sector.
This study does not robustly manage unexpected and unmodeled failures.
Xin Chen [79] Efficiently evaluate vulnerabilities and crucial devices of the system.
The simulation results still need to be modified.

Study Pros Cons
Mark et al. [80] Efforts in delivering awareness to society for the development of databases about associated security failures.
The developed methodology is still preliminary.
Martin et al. [81] The accuracy of the developed model is reasonably well in comparing existing approaches.
The developed model is still preliminary.
Jinsoo et al. [82] An efficient mitigation measures for real-time analysis of risks in the nuclear sector.
The proposed research affects BN accuracy.
Marco et al. [83] Results verified for combined attacks with mutual and non-trivial influences.
Limited to only one case study.
Matti et al. [84] This research is helpful in documenting the expert knowledge.
Real-time traffic monitoring control has not been performed.
Xiqiang et al. [85] Applicability in emergency cases with high accuracy.
Specific for the case study. Challenging implementing in other fields.
The results are only preliminary. Testing on the different scenarios is needed.
Kairan et al. [87] A security assessment is verified using a use case study.
The results are only preliminary.
Amal et al. [88] BN implementation improves the Sargos system with is inherent abilities.
A specific approach is developed for the maritime industry; a lot of modifications are needed for use in other sectors.
Guannan et al. [89] A dynamic and optimal risk assessment for the software industry.
The simulation results still need to be modified.
Jiali et al. [90] Increases accuracy for risk assessment in the maritime industry.
Lacks in empirical data for circumstantial results.
Sher et al. [91] Offers support mobility, protection, and concurrency for software verification. Threat actors are not specified.
LONG et al. [92] Offer recommendations for the designing and implementing of the energy sector to decrease the potential risks.
Specific use cases are hard to emulate outside of the sector or system. Zeng Xianfeng [93] Presented reliable dataset for research purposes in the railway sector. Lack of practicality in railways.
TIAN et al. [94] More robust solution for the water traffic system.
The human factor is not considered in real-time monitoring and is lacking for managing adequate personnel.
William et al. [95] Applicable for both known and unknown vulnerabilities. Limited applicability domains.
Jinsoo et al. [96] This study assists in identifying fundamental factors that may pose cybersecurity hazards.
The simulation results still need to be modified.
Stefan et al. [97] Reduces communication redundancies and enables data uniformity inspection in transportation.
Limited usability.
Jingjing et al. [98] Improved accuracy and effective use of train control system.
Merely a preliminary analysis for the high-speed railway.
John et al. [99] Feasibility and compatibility for protecting air transportation.
The results are only preliminary.
Heung et al. [100] Systematic evaluation of the anticipated faults in the system.
There is not sufficient data of safety-critical software, assembled for real-time systems.

Study Pros Cons
Chaze et al. [101] To efficiently recognize and respond to risks in maritime piracy.
There is a need for an ontology for proper usability.
Mo Ming [102] Correctly demonstrate the network safety situation and improve the safety of the system.
Heavily integrated with its system; therefore, difficult to use outside of network security analysis.
Shuliang et al. [103] Efficiency in analyzing vulnerabilities in smart grid.
The developed model is more methodological than practical.
Song et al. [104] The developed BN model plays a significant role in reducing fire risks.
The testing is not entirely performed before winter games.
André et al. [105] Providing a better quality of life and more prolonged survival of patients. The threat actors are not specified.

Limitations
This study has given below limitations: (1) The inclusion of articles is solely based on the English language, which indicates that notable studies of security and safety integration based on BN or GT in other languages have not been considered. (2) The results of this SLR are based on a restricted number of databases. These databases are used, due to the widespread usage for querying papers in the field of GT and BN. (3) Included studies were performed in different applications, so it might be not possible to compare each perspective.

Conclusions
Modern systems must simultaneously guarantee security and safety to provide continuous and accurate execution of crucial roles and services. Since security and safety depend on each other, they must be collectively applied to acquire the root cause assessment of noticeable issues. Therefore, numerous methods are developed to integrate security and safety; however, BN and GT are considered in this SLR, due to their extensive usage in various applications. This SLR includes 64 studies, and given below are concluding points: (a) It is observed that from the 64 included studies, 51 used BN models, 10 utilized GT models, and the remaining 3 were based on united BN and GT. (b) Most development scenarios utilized 40 nodes for performing experiments to observe unintentional failures or risks for GT and BN models. (c) It has been emphasized that approximately one-third of BN and GT models were evaluated in real-time; however, others were either based on simulation analysis or theoretical concepts. (d) There were two types of data sources (EK and ED) used for developing BN and GT models for different applications. (e) The key performance validation mechanisms for the included studies were statistical analysis, expert evaluation, and sensitivity analysis.
The future research directions for safety and security integration were the following: (a) There is a need to develop a generic tool or method or standard to combine security and safety, which can be helpful for different applications, since the significance of integrating both measures was demonstrated in this SLR, and a generic approach may offer feasibility and flexibility. (b) It is observed that there are various validation methods for evaluating BN or GT. A more extended investigation is necessary to estimate the accuracy and efficiency of validation mechanisms, in order to find the optimal option.
(c) Moreover, there is a need to research to acquire information about the suitable number of nodes to ensure reliable and accurate performance for ensuring safety and security based on BN or GT models. (d) Further research could improve Bayesian analysis based on the Metropolis-Hastings algorithm and Gaussian distributions [107].