Authors: Krissada Rongrat, T. Senivongse
Journal: Int. J. Networked Distributed Comput. (journal article, published 2017-12-01)
DOI: 10.2991/ijndc.2018.6.1.1 (https://doi.org/10.2991/ijndc.2018.6.1.1)
Source: Semantic Scholar; citation count 3
Assessing Risk of Security Non-compliance of Banking Security Requirements Based on Attack Patterns
Information systems such as those in the banking sector need to comply with security regulations to assure that the necessary security controls are in place. This paper presents an initial risk assessment method to assist a banking information system project in validating the security requirements of the system. Dissimilarity between the textual security requirements of the system and the security regulations is measured to identify security non-compliance. A risk index model is then proposed to determine the risk level based on the severity and likelihood of exploitation of any security attack patterns that could potentially affect the system if the missing regulations are not implemented. In an experiment using a case study of nine Thai commercial banks and the IT Best Practices of the Bank of Thailand as the regulations, the performance of compliance checking is evaluated in terms of F-measure and accuracy. A strong positive correlation, with a coefficient of over 0.6, is also found between the risk indices produced by the method and security expert judgment.
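The three stages the abstract describes (a text dissimilarity check that flags missing regulations, a risk index built from the severity and likelihood of the attack patterns those regulations would have mitigated, and an F-measure evaluation against expert judgment) are illustrated below in an added example. It is not the authors' implementation: the regulation clauses, system requirements, attack patterns and their 1..5 ratings are constructed, the bag-of-words cosine similarity with a 0.3 threshold, the max(severity x likelihood)/25 index and the low/medium/high bands are all assumptions chosen for the illustration, and the correlation with expert judgment reported in the abstract is not reproduced. The example deliberately includes a paraphrased requirement (idle logout versus session expiry) that a purely lexical check cannot match, so the evaluation step shows a false positive rather than a trivial perfect score.

```python
"""Added illustration of a lexical compliance-gap check, an attack-pattern
risk index and an F-measure evaluation. Not the paper's code; every text,
rating, threshold and formula here is an assumption made for the example."""
import math
import re
from collections import Counter

# Constructed regulation clauses (hypothetical; not Bank of Thailand text).
REGULATIONS = {
    "R1": "Users must authenticate with multi-factor authentication before accessing online banking services.",
    "R2": "Customer data must be encrypted in transit and at rest using approved algorithms.",
    "R3": "All administrative access to production systems must be logged and reviewed regularly.",
    "R4": "Input received from external interfaces must be validated before processing.",
    "R5": "Sessions must expire after a period of inactivity.",
}

# Constructed security requirements of a hypothetical banking system.
REQUIREMENTS = [
    "The system shall use multi-factor authentication for all users accessing online banking.",
    "Customer data is encrypted at rest and in transit using approved encryption algorithms.",
    "External input is validated before processing.",
    "Idle users are logged out after fifteen minutes.",
]

# Hypothetical attack patterns: (name, severity 1..5, likelihood 1..5).
# The scale imitates CAPEC-style fields; the values are invented.
ATTACK_PATTERNS = {
    "AP-A": ("Unlogged misuse of privileged access", 5, 3),
    "AP-B": ("Undetected insider data exfiltration", 5, 2),
    "AP-C": ("Session hijacking of an unattended terminal", 3, 2),
    "AP-D": ("Credential phishing against customers", 5, 4),
    "AP-E": ("Eavesdropping on customer traffic", 4, 2),
    "AP-F": ("Injection through external input", 5, 4),
}
# Assumed mapping: which attack patterns each regulation mitigates.
REG_TO_PATTERNS = {"R1": ["AP-D"], "R2": ["AP-E"], "R3": ["AP-A", "AP-B"],
                   "R4": ["AP-F"], "R5": ["AP-C"]}

STOPWORDS = {"the", "a", "an", "of", "to", "and", "be", "is", "are", "for",
             "must", "shall", "should", "all", "in", "on", "with", "by", "at", "from"}


def tokenize(text):
    """Lower-case word tokens with a small stop-word list removed."""
    return [w for w in re.findall(r"[a-z0-9]+", text.lower()) if w not in STOPWORDS]


def cosine_similarity(a, b):
    """Cosine similarity of two bag-of-words vectors; 0.0 if either is empty."""
    ca, cb = Counter(tokenize(a)), Counter(tokenize(b))
    dot = sum(ca[t] * cb[t] for t in ca.keys() & cb.keys())
    na = math.sqrt(sum(v * v for v in ca.values()))
    nb = math.sqrt(sum(v * v for v in cb.values()))
    return dot / (na * nb) if na and nb else 0.0


def find_noncompliance(requirements, regulations, threshold=0.3):
    """Ids of regulations for which no requirement reaches the similarity threshold."""
    missing = []
    for reg_id, clause in regulations.items():
        best = max((cosine_similarity(clause, req) for req in requirements), default=0.0)
        if best < threshold:
            missing.append(reg_id)
    return missing


def risk_indices(missing, reg_to_patterns, patterns):
    """Assumed model: index = max(severity * likelihood) / 25 over the patterns
    the missing regulation would have mitigated, giving a value in 0..1."""
    out = {}
    for reg_id in missing:
        products = [patterns[p][1] * patterns[p][2] for p in reg_to_patterns.get(reg_id, [])]
        out[reg_id] = max(products, default=0) / 25.0
    return out


def risk_level(index):
    """Assumed banding of the 0..1 index into three levels."""
    return "high" if index >= 0.5 else "medium" if index >= 0.2 else "low"


def evaluate(predicted, expected):
    """Precision, recall and F1 of predicted non-compliance against expert labels."""
    p, e = set(predicted), set(expected)
    tp = len(p & e)
    precision = tp / len(p) if p else 0.0
    recall = tp / len(e) if e else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return precision, recall, f1


if __name__ == "__main__":
    missing = find_noncompliance(REQUIREMENTS, REGULATIONS)
    for reg_id, idx in risk_indices(missing, REG_TO_PATTERNS, ATTACK_PATTERNS).items():
        print(f"{reg_id}: risk index {idx:.2f} ({risk_level(idx)})")
    # Constructed expert judgment: only R3 is truly unaddressed. R5 is covered by
    # the idle-logout requirement, but the lexical check cannot see the paraphrase.
    print("precision/recall/F1:", evaluate(missing, ["R3"]))
```

Running the block flags R3 (no requirement mentions logging or review of administrative access) and R5, giving R3 a high and R5 a medium index. Against the expert label that only R3 is missing, precision is 0.5 and recall 1.0, which is the kind of gap between lexical matching and expert judgment that the F-measure evaluation in the abstract is meant to quantify; a production version would need synonym handling or a semantic similarity model before the threshold could be trusted.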