TY - GEN
T1 - Decision Support for Security-Control Identification Using Machine Learning
AU - Bettaieb, Seifeddine
AU - Shin, Seung Yeob
AU - Sabetzadeh, Mehrdad
AU - Briand, Lionel
AU - Nou, Grégory
AU - Garceau, Michael
N1 - Publisher Copyright:
© 2019, Springer Nature Switzerland AG.
PY - 2019
Y1 - 2019
N2 - [Context & Motivation] In many domains such as healthcare and banking, IT systems need to fulfill various requirements related to security. The elaboration of security requirements for a given system is in part guided by the controls envisaged by the applicable security standards and best practices. [Problem] An important difficulty that analysts have to contend with during security requirements elaboration is sifting through a large number of security controls and determining which ones have a bearing on the security requirements for a given system. This challenge is often exacerbated by the scarce security expertise available in most organizations. [Principal ideas/results] In this paper, we develop automated decision support for the identification of security controls that are relevant to a specific system in a particular context. Our approach, which is based on machine learning, leverages historical data from security assessments performed over past systems in order to recommend security controls for a new system. We operationalize and empirically evaluate our approach using real historical data from the banking domain. Our results show that, when one excludes security controls that are rare in the historical data, our approach has an average recall of (Formula Presented) 95% and average precision of (Formula Presented) 67%. [Contribution] The high recall – indicating only a few relevant security controls are missed – combined with the reasonable level of precision – indicating that the effort required to confirm recommendations is not excessive – suggests that our approach is a useful aid to analysts for more efficiently identifying the relevant security controls, and also for decreasing the likelihood that important controls would be overlooked.
AB - [Context & Motivation] In many domains such as healthcare and banking, IT systems need to fulfill various requirements related to security. The elaboration of security requirements for a given system is in part guided by the controls envisaged by the applicable security standards and best practices. [Problem] An important difficulty that analysts have to contend with during security requirements elaboration is sifting through a large number of security controls and determining which ones have a bearing on the security requirements for a given system. This challenge is often exacerbated by the scarce security expertise available in most organizations. [Principal ideas/results] In this paper, we develop automated decision support for the identification of security controls that are relevant to a specific system in a particular context. Our approach, which is based on machine learning, leverages historical data from security assessments performed over past systems in order to recommend security controls for a new system. We operationalize and empirically evaluate our approach using real historical data from the banking domain. Our results show that, when one excludes security controls that are rare in the historical data, our approach has an average recall of (Formula Presented) 95% and average precision of (Formula Presented) 67%. [Contribution] The high recall – indicating only a few relevant security controls are missed – combined with the reasonable level of precision – indicating that the effort required to confirm recommendations is not excessive – suggests that our approach is a useful aid to analysts for more efficiently identifying the relevant security controls, and also for decreasing the likelihood that important controls would be overlooked.
KW - Machine learning
KW - Security assessment
KW - Security requirements engineering
UR - http://www.scopus.com/inward/record.url?scp=85064061090&partnerID=8YFLogxK
U2 - 10.1007/978-3-030-15538-4_1
DO - 10.1007/978-3-030-15538-4_1
M3 - Conference contribution
AN - SCOPUS:85064061090
SN - 9783030155377
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 3
EP - 20
BT - Requirements Engineering
A2 - Goedicke, Michael
A2 - Knauss, Eric
PB - Springer Verlag
T2 - 25th International Working Conference on Requirements Engineering: Foundation for Software Quality, REFSQ 2019
Y2 - 18 March 2019 through 21 March 2019
ER -