Assessing Risk of Security Non-compliance of Banking Security Requirements Based on Attack Patterns
- DOI: 10.2991/ijndc.2018.6.1.1
- Security requirement; Risk assessment; Security attack pattern; Regulatory compliance; Text similarity; Banking
Information systems such as those in the banking sector need to comply with security regulations to assure that the necessary security controls are in place. This paper presents an initial risk assessment method to assist a banking information system project in validating the security requirements of the system. Dissimilarity between the textual security requirements of the system and the security regulations is measured to identify security non-compliance. A risk index model is then proposed to determine the risk level from the severity and likelihood of exploitation of any security attack patterns that could affect the system if the missing regulations are not implemented. In an experiment using a case study of nine Thai commercial banks and the IT Best Practices of the Bank of Thailand as the regulations, the performance of compliance checking is evaluated in terms of F-measure and accuracy. A strong positive correlation, with a coefficient above 0.6, is also found between the risk indices produced by the method and security expert judgment.
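The pipeline the abstract describes, reduced to a runnable sketch, as an added example that is not the paper's code or data. Everything concrete in it is an assumption made for illustration: the requirement and regulation texts (constructed, not any bank's requirements or the Bank of Thailand's text), the attack patterns and their severity/likelihood scores on a 1..5 scale, Jaccard over stemmed content words as the text-similarity measure, the 0.3 compliance threshold, the max-of-products risk-index formula and its banding into low/medium/high, and the ground truth used for the F-measure and accuracy calculation.

```python
"""Added example (not the paper's code or data): a minimal pipeline in the
shape of the method the abstract describes. The texts, the attack patterns
with their severity/likelihood scores, the similarity measure (Jaccard over
stemmed content words), the threshold and the risk-index formula are all
assumptions constructed for illustration."""
import re

STOPWORDS = {"the", "a", "an", "of", "in", "with", "for", "be", "must",
             "shall", "after", "and", "or", "to", "is", "are", "by"}

def tokens(text):
    """Lower-cased content words with a crude suffix stemmer (assumption:
    adequate for the sample; use a real stemmer or lemmatiser in practice)."""
    out = set()
    for w in re.findall(r"[a-z]+", text.lower()):
        if w in STOPWORDS:
            continue
        for suffix in ("ing", "ed", "s"):
            if len(w) > 4 and w.endswith(suffix):
                w = w[:-len(suffix)]
                break
        out.add(w)
    return out

def jaccard(a, b):
    return len(a & b) / len(a | b) if a | b else 0.0

def check_compliance(requirements, regulations, threshold=0.3):
    """Match each regulation clause to its most similar requirement; a clause
    whose best similarity falls below the threshold is reported as missing.
    Returns {clause_id: (best_requirement_id, similarity, compliant)}."""
    req_tokens = {rid: tokens(t) for rid, t in requirements.items()}
    report = {}
    for gid, text in regulations.items():
        gtok = tokens(text)
        best_id, best_sim = max(((rid, jaccard(gtok, rtok))
                                 for rid, rtok in req_tokens.items()),
                                key=lambda p: p[1])
        report[gid] = (best_id, round(best_sim, 3), best_sim >= threshold)
    return report

def missing_clauses(report):
    return sorted(gid for gid, (_, _, ok) in report.items() if not ok)

def risk_index(missing, patterns, scale=5):
    """Per missing clause, the highest severity x likelihood among the attack
    patterns that clause would have mitigated, normalised to 0..1; the system
    index is the maximum over clauses (the formula is an assumption)."""
    per_clause = {}
    for gid in missing:
        scores = [p["severity"] * p["likelihood"] / (scale * scale)
                  for p in patterns.values() if gid in p["mitigated_by"]]
        per_clause[gid] = max(scores, default=0.0)
    return per_clause, max(per_clause.values(), default=0.0)

def risk_level(index):
    # Banding thresholds are an assumption for illustration.
    return "high" if index >= 0.6 else "medium" if index >= 0.3 else "low"

def evaluate(predicted_missing, true_missing, all_ids):
    """Precision, recall, F-measure and accuracy of compliance checking, with
    'missing' as the positive class, against a (constructed) ground truth."""
    pred, truth, ids = set(predicted_missing), set(true_missing), set(all_ids)
    tp, fp, fn = len(pred & truth), len(pred - truth), len(truth - pred)
    tn = len(ids - pred - truth)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return {"precision": precision, "recall": recall, "f_measure": f1,
            "accuracy": (tp + tn) / len(ids)}

REQUIREMENTS = {  # constructed; not any real bank's requirements
    "R1": "The system shall lock the user account after five consecutive failed login attempts.",
    "R2": "Customer data shall be encrypted in transit with TLS.",
    "R3": "Administrators shall review the audit logs of privileged actions weekly.",
}
REGULATIONS = {  # constructed clauses; not the Bank of Thailand's text
    "G1": "Accounts must be locked after repeated failed login attempts.",
    "G2": "Sensitive data must be encrypted in transit.",
    "G3": "Audit logs must be reviewed regularly.",
    "G4": "Multi-factor authentication must be required for high-risk transactions.",
    "G5": "Sessions must expire after a period of inactivity.",
}
ATTACK_PATTERNS = {  # constructed; severity and likelihood on a 1..5 scale (assumption)
    "credential brute forcing": {"severity": 4, "likelihood": 4, "mitigated_by": ["G1", "G4"]},
    "session hijacking": {"severity": 4, "likelihood": 3, "mitigated_by": ["G5"]},
    "undetected privilege abuse": {"severity": 3, "likelihood": 3, "mitigated_by": ["G3"]},
}

def run_example(threshold=0.3, true_missing=("G4", "G5")):
    report = check_compliance(REQUIREMENTS, REGULATIONS, threshold)
    missing = missing_clauses(report)
    per_clause, overall = risk_index(missing, ATTACK_PATTERNS)
    return {"report": report, "missing": missing, "risk": per_clause,
            "overall": overall, "level": risk_level(overall),
            "metrics": evaluate(missing, true_missing, REGULATIONS)}

if __name__ == "__main__":
    for thr in (0.3, 0.4):  # 0.4 shows a false positive from a stricter threshold
        print(thr, run_example(thr))
```

At the 0.3 threshold the constructed clauses G4 and G5 have no matching requirement and are reported as missing; G4 is linked to the brute-forcing pattern and scores 0.64, which sets the system-level index to high. Raising the threshold to 0.4 also flags G3 (similarity 0.375), which the constructed ground truth treats as compliant, so precision and F-measure drop while recall stays at 1.0: the threshold is the precision/recall knob of this kind of checker, and the experiment's F-measure and accuracy numbers only mean something together with the threshold at which they were obtained.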
- Copyright © 2018, the Authors. Published by Atlantis Press.
- Open Access
- This is an open access article under the CC BY-NC license (http://creativecommons.org/licences/by-nc/4.0/).
Cite this article
TY - JOUR
AU - Krissada Rongrat
AU - Twittie Senivongse
PY - 2018
DA - 2018/01/02
TI - Assessing Risk of Security Non-compliance of Banking Security Requirements Based on Attack Patterns
JO - International Journal of Networked and Distributed Computing
SP - 1
EP - 10
VL - 6
IS - 1
SN - 2211-7946
UR - https://doi.org/10.2991/ijndc.2018.6.1.1
DO - 10.2991/ijndc.2018.6.1.1
ID - Rongrat2018
ER -