Abstract
Information systems such as those in the banking sector must comply with security regulations to assure that the necessary security controls are in place. This paper presents an initial risk assessment method to help a banking information system project validate the security requirements of the system. The dissimilarity between the textual security requirements of the system and the security regulations is measured to identify security non-compliance. A risk index model is then proposed to determine the risk level based on the severity and likelihood of exploitation of any security attack patterns that could affect the system if the missing regulations are not implemented. In an experiment using a case study of nine Thai commercial banks and the IT Best Practices of the Bank of Thailand as the regulations, the performance of compliance checking is evaluated in terms of F-measure and accuracy. A strong positive correlation, with a coefficient of over 0.6, is also found between the risk indices produced by the method and the security experts' judgment.
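The pipeline the abstract outlines (text dissimilarity to flag regulations that no requirement addresses, a risk index from the severity and likelihood of the attack patterns a missing regulation would have countered, and F-measure/accuracy against expert judgment) as an added, illustrative Python example. It is not the paper's model or code: the regulation clauses, the system requirements, the attack-pattern links, the TF-IDF cosine measure, the 0.3 threshold and the ordinal severity x likelihood index are all assumptions made for this example.

```python
"""Illustrative non-compliance check and risk index (added example; not the paper's method).

Assumptions: the regulation clauses, requirements, attack-pattern links and the
ordinal severity/likelihood scale below are all constructed for this example.
"""
import math
import re
from collections import Counter

# Constructed regulation clauses standing in for regulatory text (assumption).
REGULATIONS = {
    "R1": "user authentication must use a strong password policy and multi factor authentication",
    "R2": "sensitive customer data must be encrypted in transit and at rest",
    "R3": "all privileged access to production systems must be logged and reviewed",
    "R4": "input from external users must be validated before processing",
}

# Constructed textual security requirements of the system under review (assumption).
REQUIREMENTS = [
    "the system shall enforce a strong password policy and multi factor authentication for users",
    "customer data shall be encrypted in transit using TLS and at rest using AES",
    "privileged access to production systems shall be logged and reviewed by the security team",
]

# Constructed links from each regulation to the attack patterns it counters, with an
# ordinal typical severity and likelihood of attack (CAPEC publishes both fields per
# pattern; the pattern names and values here are assumed, not looked up).
ATTACK_PATTERNS = {
    "R1": [("credential brute force", "High", "High")],
    "R2": [("traffic sniffing", "High", "Medium")],
    "R3": [("privilege abuse", "Medium", "Medium")],
    "R4": [("command injection", "Very High", "High"), ("cross-site scripting", "Medium", "High")],
}
ORDINAL = {"Low": 1, "Medium": 2, "High": 3, "Very High": 4}


def tokenize(text):
    return re.findall(r"[a-z0-9]+", text.lower())


def tfidf_vectors(docs):
    """TF-IDF weights with smoothed IDF, so a term present in every doc still carries weight."""
    toks = [tokenize(d) for d in docs]
    n = len(docs)
    df = Counter(t for ts in toks for t in set(ts))
    return [{t: c * (math.log((1 + n) / (1 + df[t])) + 1) for t, c in Counter(ts).items()}
            for ts in toks]


def cosine(a, b):
    dot = sum(w * b.get(t, 0.0) for t, w in a.items())
    na = math.sqrt(sum(w * w for w in a.values()))
    nb = math.sqrt(sum(w * w for w in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def check_compliance(regulations, requirements, threshold=0.3):
    """Return ({reg_id: best similarity}, set of regulation ids flagged as missing).
    A regulation whose best-matching requirement scores below `threshold` is
    treated as not addressed by the requirements (assumed threshold)."""
    ids = list(regulations)
    vecs = tfidf_vectors([regulations[i] for i in ids] + requirements)
    reg_vecs, req_vecs = vecs[:len(ids)], vecs[len(ids):]
    best = {i: max(cosine(rv, qv) for qv in req_vecs) for i, rv in zip(ids, reg_vecs)}
    missing = {i for i, s in best.items() if s < threshold}
    return best, missing


def risk_index(missing, attack_patterns):
    """Assumed index: the highest severity x likelihood product, normalized to [0, 1],
    among the attack patterns a missing regulation would have countered."""
    top = ORDINAL["Very High"] ** 2
    return {i: max(ORDINAL[s] * ORDINAL[l] for _, s, l in attack_patterns[i]) / top
            for i in missing}


def evaluate(predicted_missing, expert_missing, all_ids):
    """Precision, recall, F-measure and accuracy of the non-compliance flags against
    an expert's judgment (positive class = non-compliant regulation)."""
    tp = len(predicted_missing & expert_missing)
    fp = len(predicted_missing - expert_missing)
    fn = len(expert_missing - predicted_missing)
    tn = len(all_ids) - tp - fp - fn
    p = tp / (tp + fp) if tp + fp else 0.0
    r = tp / (tp + fn) if tp + fn else 0.0
    f = 2 * p * r / (p + r) if p + r else 0.0
    return {"precision": p, "recall": r, "f_measure": f, "accuracy": (tp + tn) / len(all_ids)}


if __name__ == "__main__":
    best, missing = check_compliance(REGULATIONS, REQUIREMENTS)
    for i, s in best.items():
        print(f"{i}: best match {s:.2f} -> {'MISSING' if i in missing else 'covered'}")
    print("risk index:", risk_index(missing, ATTACK_PATTERNS))
    # Constructed expert judgment: the expert also flags R3 as not fully addressed (assumption).
    print("evaluation:", evaluate(missing, {"R3", "R4"}, set(REGULATIONS)))
```

With these inputs only R4 (input validation) has no lexically similar requirement, so it is the one flagged; its risk index is driven by the injection pattern (Very High severity, High likelihood). Note the limits a practitioner would want to check before trusting such a score: the similarity is purely lexical (no stemming or synonyms, so "users" and "user" are different terms), the threshold must be tuned against expert-labelled data, and the index is only as good as the regulation-to-attack-pattern mapping.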
Rights and permissions
This is an open access article under the CC BY-NC license (http://creativecommons.org/licenses/by-nc/4.0/).
Cite this article
Rongrat, K., Senivongse, T. Assessing Risk of Security Non-compliance of Banking Security Requirements Based on Attack Patterns. Int J Netw Distrib Comput 6, 1–10 (2018). https://doi.org/10.2991/ijndc.2018.6.1.1
DOI: https://doi.org/10.2991/ijndc.2018.6.1.1