Decision Support for Security-Control Identification Using Machine Learning

Bettaieb, Seifeddine; Shin, Seung Yeob; Sabetzadeh, Mehrdad; Briand, Lionel; Nou, Grégory; Garceau, Michael

Reference : Decision Support for Security-Control Identification Using Machine Learning


	Document type :	Scientific congresses, symposiums and conference proceedings : Paper published in a book
	Discipline(s) :	Engineering, computing & technology : Computer science
	Focus Areas :	Security, Reliability and Trust
	To cite this reference:	http://hdl.handle.net/10993/38497

Title :	Decision Support for Security-Control Identification Using Machine Learning
Language :	English
Author, co-author :	Bettaieb, Seifeddine [University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > >]
	Shin, Seung Yeob [University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > >]
	Sabetzadeh, Mehrdad [University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > >]
	Briand, Lionel [University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > >]
	Nou, Grégory []
	Garceau, Michael []
Publication date :	2019
Main document title :	International Working Conference on Requirements Engineering: Foundation for Software Quality, Essen 18-21 March 2019
Peer reviewed :	Yes
On invitation :	No
Audience :	International
Event name :	25th International Working Conference on Requirements Engineering: Foundation for Software Quality
Event date :	from 18-03-2019 to 21-03-2019
Event place (city) :	Essen
Event country :	Germany
Keywords :	[en] Security Requirements Engineering ; Security Assessment ; Machine Learning
Abstract :	[en] [Context & Motivation] In many domains such as healthcare and banking, IT systems need to fulfill various requirements related to security. The elaboration of security requirements for a given system is in part guided by the controls envisaged by the applicable security standards and best practices. [Problem] An important difficulty that analysts have to contend with during security requirements elaboration is sifting through a large number of security controls and determining which ones have a bearing on the security requirements for a given system. This challenge is often exacerbated by the scarce security expertise available in most organizations. [Principal ideas/results] In this paper, we develop automated decision support for the identification of security controls that are relevant to a specific system in a particular context. Our approach, which is based on machine learning, leverages historical data from security assessments performed over past systems in order to recommend security controls for a new system. We operationalize and empirically evaluate our approach using real historical data from the banking domain. Our results show that, when one excludes security controls that are rare in the historical data, our approach has an average recall of ≈ 95% and average precision of ≈ 67%. [Contribution] The high recall – indicating only a few relevant security controls are missed – combined with the reasonable level of precision – indicating that the effort required to confirm recommendations is not excessive – suggests that our approach is a useful aid to analysts for more efficiently identifying the relevant security controls, and also for decreasing the likelihood that important controls would be overlooked.
Research centres :	Interdisciplinary Centre for Security, Reliability and Trust (SnT) > Software Verification and Validation Lab (SVV Lab)
Funders :	Alphonse Weicker Foundation
Target :	Researchers ; Professionals ; Students ; General public ; Others
Permalink :	http://hdl.handle.net/10993/38497

File(s) associated to this reference

Fulltext file(s):

	File	Commentary	Version	Size	Access
Open access	REFSQ_2019_paper_11.pdf		Author postprint	401.18 kB	View/Open

All documents in ORBi^lu are protected by a user license.

University of Luxembourg Library | Feedback | Legal notices