Risk Assessment of Security Requirements of Banking Information Systems Based on Attack Patterns

被引:0
作者
Rongrat, Krissada [1 ]
Senivongse, Twittie [1 ]
机构
[1] Chulalongkorn Univ, Dept Comp Engn, Fac Engn, Bangkok 10330, Thailand
来源
APPLIED COMPUTING & INFORMATION TECHNOLOGY | 2018年 / 727卷
关键词
Security requirement; Risk assessment; Attack pattern; Regulatory compliance; Text similarity; Banking;
D O I
10.1007/978-3-319-64051-8_8
中图分类号
TP18 [人工智能理论];
学科分类号
081104 ; 0812 ; 0835 ; 1405 ;
摘要
Security risk assessment is an important process for the implementation of any information systems including those in the banking sector. When a bank initiates or implements an information system project, requirements engineers or business analysts in the project conduct an initial validation of system security requirements to check if they comply with banking security regulations before an audit takes place. This paper presents an initial risk assessment method to assist the project team in validating security requirements of a banking information system. Text similarity analysis is used to identify which security regulations are missing from the security requirements of the bank, and a quantitative risk index model is also proposed to determine the level of risk associated with the regulations missing from the requirements. The risk level is based on the harm any potential attacks can do to the information system if the missing regulations are not implemented. Using a case study of banking in Thailand, we apply the method to assess security requirements of Thai commercial banks against the IT Best Practices of the Bank of Thailand. We evaluate the performance of security compliance checking in terms of F-measure and accuracy, and validity of risk assessment in terms of correlation with security expert judgment.
引用
收藏
页码:117 / 133
页数:17
相关论文
共 12 条
[1]  
[Anonymous], 2016, SECURITY SCORECARD H
[2]  
[Anonymous], 2011, Modern Information Retrieval: The Concepts and Technology behind Search
[3]  
Bank of Thailand, 2013, IT BEST PRACT PHAS 1
[4]  
Bank of Thailand, 2014, IT BEST PRACT PHAS I
[5]  
Banklongsi T., 2011, P 15 INT ANN S COMP, P593
[6]  
Firesmith Donald., 2003, J OBJECT TECHNOL, V2, P53
[7]   A Similarity Measurement Framework for Requirements Engineering [J].
Ilyas, Muhammad ;
Kueng, Josef .
2009 FOURTH INTERNATIONAL MULTI-CONFERENCE ON COMPUTING IN THE GLOBAL INFORMATION TECHNOLOGY (ICCGI 2009), 2009, :31-34
[8]   A feasibility study of automated natural language requirements analysis in market-driven development [J].
Natt Och Dag J. ;
Regnell B. ;
Carlshamre P. ;
Andersson M. ;
Karlsson J. .
Requirements Engineering, 2002, 7 (1) :20-33
[9]  
Piromsopa K., 2005, P NETW COMM SYST NCS, P173
[10]   Applying information-retrieval methods to software reuse: a case study [J].
Stierna, EJ ;
Rowe, NC .
INFORMATION PROCESSING & MANAGEMENT, 2003, 39 (01) :67-74