Doctoral thesis (Dissertations and theses)
Predictive Assistance for Security Risk Assessment
Bettaieb, Seifeddine
2021
 

Files


Full Text
Predictive_Assistance_for_Security_Risk_Assessments__SeifeddineBETTAIEB_DoctoralDissertation.pdf
Publisher postprint (1.26 MB)

All documents in ORBilu are protected by a user license.




Details



Keywords :
Machine Learning; Risk assessments; Natural Language Processing; Decision support; Explainable AI; Anomaly Detection
Abstract :
[en] In many domains such as healthcare and banking, and most notably the Fintech industry, IT systems can be exposed to breaches or attacks and need to fulfill various security requirements to prevent such scenarios from happening while limiting any potential exposure. In order to demonstrate or establish that compliance, risk assessments are conducted to determine potential threats and vulnerabilities that a system might be exposed to, as well as potential security controls to implement in order to counter those breaches and fulfill the requirements. An important difficulty that analysts have to contend with during that process is sifting through a large number of vulnerabilities and security controls and determining which ones have a bearing on a given system. This challenge is often exacerbated by the scarce security expertise available in most organizations. In addition, in the traditional approach, risk assessments are conducted manually and rely heavily on the expertise of available risk assessors. This turns manually eliciting the applicable vulnerabilities and controls into a lengthy, costly, tedious, and error-prone activity. Our goal is to develop an automated approach to provide decision support during that process by allowing the system to assist in the identification of vulnerabilities and security controls that are relevant to a particular context. Our approach, which is based on Machine Learning (ML), leverages historical data from security assessments performed over past systems in order to recommend applicable vulnerabilities and controls for a new system. Natural Language Processing (NLP) techniques are used in combination with ML to extract any useful information from those previous records, e.g., data from a project's internal and external environment, including its scope, involved assets, collaborators, etc.
We operationalize and empirically evaluate our approach using real historical data from the banking domain. The automation of such a process raises several challenges: understanding the specifics of risk assessments is the first one, and using the right tools to obtain the desired results is the second. In fact, in addition to requiring the right data and features in combination with the proper ML techniques, existing NLP techniques are not built to handle the textual data in risk assessments with its technicalities or multilingualism. An additional challenge is to find a suitable knowledge representation for risk assessments that would enable the automation of decision support while maintaining both cohesiveness and understandability for all involved stakeholders. In this dissertation, we investigate to what extent one can automatically provide recommendations during a risk assessment. We focus exclusively on Vulnerabilities and Security Controls. All our technical solutions have been developed and empirically evaluated in close collaboration with our industrial partner.
Research center :
Interdisciplinary Centre for Security, Reliability and Trust (SnT) > Software Verification and Validation Lab (SVV Lab)
Disciplines :
Computer science
Author, co-author :
Bettaieb, Seifeddine ;  University of Luxembourg > Faculty of Science, Technology and Communication (FSTC)
Language :
English
Title :
Predictive Assistance for Security Risk Assessment
Defense date :
28 September 2021
Number of pages :
124
Institution :
Seifeddine Bettaieb, ESCH-SUR-ALZETTE, Luxembourg
Degree :
Doctorat en Informatique
Promotor :
Funders :
Alphonse Weicker Foundation
Available on ORBilu :
since 28 October 2021

Statistics


Number of views
225 (21 by Unilu)
Number of downloads
5 (2 by Unilu)
