Skip to main content
SpringerLink
Log in
Book cover

International Conference on Applied Computing and Information Technology

ACIT 2017: Applied Computing & Information Technology pp 117–133Cite as

Risk Assessment of Security Requirements of Banking Information Systems Based on Attack Patterns

  • Chapter
  • First Online:

  • 690 Accesses

Part of the book series: Studies in Computational Intelligence ((SCI,volume 727))

Abstract

Security risk assessment is an important process for the implementation of any information systems including those in the banking sector. When a bank initiates or implements an information system project, requirements engineers or business analysts in the project conduct an initial validation of system security requirements to check if they comply with banking security regulations before an audit takes place. This paper presents an initial risk assessment method to assist the project team in validating security requirements of a banking information system. Text similarity analysis is used to identify which security regulations are missing from the security requirements of the bank, and a quantitative risk index model is also proposed to determine the level of risk associated with the regulations missing from the requirements. The risk level is based on the harm any potential attacks can do to the information system if the missing regulations are not implemented. Using a case study of banking in Thailand, we apply the method to assess security requirements of Thai commercial banks against the IT Best Practices of the Bank of Thailand. We evaluate the performance of security compliance checking in terms of F-measure and accuracy, and validity of risk assessment in terms of correlation with security expert judgment.

This is a preview of subscription content, log in via an institution.

Chapter
USD   29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD   84.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD   109.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info
Hardcover Book
USD   109.99
Price excludes VAT (USA)
  • Durable hardcover edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Learn about institutional subscriptions

References

  1. Security Scorecard HQ: 2016 Financial Industry Cybers ecurity Report: SecurityScorecard. https://cdn2.hubspot.net/hubfs/533449/SecurityScorecard_2016_Financial_Report.pdf (2016). Accessed 20 May 2017

  2. Bank of Thailand: IT Best Practices Phase I, Thailand (2013)

    Google Scholar 

  3. Bank of Thailand: IT Best Practices Phase II, Thailand (2014)

    Google Scholar 

  4. The MITRE Corporation: CAPEC-Common Attack Pattern Enumeration and Classification. http://capec.mitre.org. Accessed 15 April 2017

  5. Li, T., Paja, E., Mylopoulos, J., Horkoff, J., Beckers, K.: Security attack analysis using attack patterns. In: Proceeding of 2016 IEEE 10th International Conference on Research Challenges in Information Science (RCIS), pp. 1–13 (2016). doi:10.1109/RCIS.2016.7549303

  6. Steirna, E.J., Rowe, N.C.: Applying information-retrieval methods to software reuse: a case study. J. Inf. Process. Manage. 39(1), 67–74 (2003). doi:10.1016/S0306-4573(02)00025-0

    Article  MATH  Google Scholar 

  7. Baeza-Yates, R., Ribeiro-Neto, B.L: Modern Information Retrieval, 2nd ed. ACM Press, New York (2011)

    Google Scholar 

  8. Ilyas, M., Kung, J.: A similarity measurement framework for requirements engineering. In: Proceeding of 2009 Fourth International Multi-Conference on Computing in the Global Information Technology, Cannes, La Bocca, pp. 31–34 (2009). doi:10.1109/ICCGI.2009.12

  9. Dag, J.N.O., Regnell, B., Carlshamre, P., Andersson, M., Karlsson, J.: A feasibility study of automated natural language requirements analysis in market-driven development. J. Requirements Eng. 7, 20 (2002). doi:10.1007/s007660200002

  10. Yu, Y., Franqueira, V.N.L., Tun, T.T., Wieringa, R.J., Nuseibeh, B.: Automated analysis of security requirements through risk-based argumentation. J. Syst. Softw. 106, 102–116 (2015). doi:10.1016/j.jss.2015.04.065

    Article  Google Scholar 

  11. Piromsopa, K., Rojkangsadan, T., Prompoon, N.: A Risk assessment of web server Impact classification by loss type. In: Proceeding of Networks and Communication Systems (NCS), pp. 173–178 (2005)

    Google Scholar 

  12. Banklongsi, T., Senivongse, T.: A security measurement model for web services based on provision of attack countermeasure. In: Proceeding of 15th International Annual Symposium Computational Science and Engineering (ANSCSE15), pp. 593–598 (2011)

    Google Scholar 

  13. Firesmith, Donald G.: Engineering security requirements. J. Object Technol. 2754, 53–68 (2003)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Department of Computer Engineering, Faculty of Engineering, Chulalongkorn University, Bangkok, 10330, Thailand

    Krissada Rongrat & Twittie Senivongse

Authors
  1. Krissada Rongrat
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Twittie Senivongse
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Twittie Senivongse .

Editor information

Editors and Affiliations

  1. Software Engg & Information Techn. Inst., Central Michigan University Software Engg & Information Techn. Inst., Mt. Pleasant, MI, USA

    Roger Lee

Rights and permissions

Reprints and permissions

Copyright information

© 2018 Springer International Publishing AG

About this chapter

Cite this chapter

Rongrat, K., Senivongse, T. (2018). Risk Assessment of Security Requirements of Banking Information Systems Based on Attack Patterns. In: Lee, R. (eds) Applied Computing & Information Technology. ACIT 2017. Studies in Computational Intelligence, vol 727. Springer, Cham. https://doi.org/10.1007/978-3-319-64051-8_8

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-64051-8_8

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-64050-1

  • Online ISBN: 978-3-319-64051-8

  • eBook Packages: EngineeringEngineering (R0)

Publish with us

Policies and ethics

Search

Navigation