Reference : Using Machine Learning to Assist with the Selection of Security Controls During Secur...
Scientific journals : Article
Engineering, computing & technology : Computer science
http://hdl.handle.net/10993/42065
Using Machine Learning to Assist with the Selection of Security Controls During Security Assessment
English
Bettaieb, Seifeddine mailto [University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > >]
Shin, Seung Yeob mailto [University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > >]
Sabetzadeh, Mehrdad mailto [University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > >]
Briand, Lionel mailto [University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > >]
Garceau, Michael []
Meyers, Antoine []
2020
Empirical Software Engineering
Springer
25
4
2550–2582
Yes (verified by ORBilu)
International
1573-7616
1382-3256
[en] Security Requirements Engineering ; Security Assessment ; Automated Decision Support ; Machine Learning
[en] In many domains such as healthcare and banking, IT systems need to fulfill various requirements related to security. The elaboration of security requirements for a given system is in part guided by the controls envisaged by the applicable security standards and best practices. An important difficulty that analysts have to contend with during security requirements elaboration is sifting through a large number of security controls and determining which ones have a bearing on the security requirements for a given system. This challenge is often exacerbated by the scarce security expertise available in most organizations. [Objective] In this article, we develop automated decision support for the identification of security controls that are relevant to a specific system in a particular context. [Method and Results] Our approach, which is based on machine learning, leverages historical data from security assessments performed over past systems in order to recommend security controls for a new system. We operationalize and empirically evaluate our approach using real historical data from the banking domain. Our results show that, when one excludes security controls that are rare in the historical data, our approach has an average recall of ≈ 94% and average precision of ≈ 63%. We further examine through a survey the perceptions of security analysts about the usefulness of the classification models derived from historical data. [Conclusions] The high recall – indicating only a few relevant security controls are missed – combined with the reasonable level of precision – indicating that the effort required to confirm recommendations is not excessive – suggests that our approach is a useful aid to analysts for more efficiently identifying the relevant security controls, and also for decreasing the likelihood that important controls would be overlooked. Further, our survey results suggest that the generated classification models help provide a documented and explicit rationale for choosing the applicable security controls.
Interdisciplinary Centre for Security, Reliability and Trust (SnT) > Software Verification and Validation Lab (SVV Lab)
Alphonse Weicker Foundation
Researchers ; Professionals ; Students ; General public ; Others
http://hdl.handle.net/10993/42065
10.1007/s10664-020-09814-x

File(s) associated to this reference

Fulltext file(s):

FileCommentaryVersionSizeAccess
Open access
EMSEPreprint.pdfAuthor preprint563.55 kBView/Open

Bookmark and Share SFX Query

All documents in ORBilu are protected by a user license.