Improving security requirements adequacy: an interval type 2 fuzzy logic security assessment system
Hibshi, Hanan; Breaux, Travis D.; Wagner, Christian
Travis D. Breaux
CHRISTIAN WAGNER Christian.Wagner@nottingham.ac.uk
Professor of Computer Science
Organizations rely on security experts to improve the security of their systems. These professionals use background knowledge and experience to align known threats and vulnerabilities before selecting mitigation options. The substantial depth of expertise in any one area (e.g., databases, networks, operating systems) precludes the possibility that an expert would have complete knowledge about all threats and vulnerabilities. To begin addressing this problem of fragmented knowledge, we investigate the challenge of developing a security requirements rule base that mimics multi-human expert reasoning to enable new decision-support systems. In this paper, we show how to collect relevant information from cyber security experts to enable the generation of: (1) interval type-2 fuzzy sets that capture intra- and inter-expert uncertainty around vulnerability levels; and (2) fuzzy logic rules driving the decision-making process within the requirements analysis. The proposed method relies on comparative ratings of security requirements in the context of concrete vignettes, providing a novel, interdisciplinary approach to knowledge generation for fuzzy logic systems. The paper presents an initial evaluation of the proposed approach through 52 scenarios with 13 experts to compare their assessments to those of the fuzzy logic decision support system. The results show that the system provides reliable assessments to the security analysts, in particular, generating more conservative assessments in 19% of the test scenarios compared to the experts’ ratings.
Hibshi, H., Breaux, T. D., & Wagner, C. (in press). Improving security requirements adequacy: an interval type 2 fuzzy logic security assessment system
|Conference Name||IEEE Symposium Series on Computational Intelligence (IEEE SSCI 2016)|
|End Date||Dec 9, 2016|
|Acceptance Date||Oct 15, 2016|
|Deposit Date||Nov 10, 2016|
|Peer Reviewed||Peer Reviewed|
|Keywords||user study; vignettes; scenarios; recommender system; security requirements; fuzzy logic; type-2; uncertainty|
|Related Public URLs||http://ssci2016.cs.surrey.ac.uk/
|Copyright Statement||Copyright information regarding this work can be found at the following address: http://eprints.nottingham.ac.uk/end_user_agreement.pdf|
|Additional Information||© 2016 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.
Proceedings 2016 IEEE Symposium Series on Computational Intelligence SSCI 2016, 6-9 December 2016, Athens, Greece
Copyright information regarding this work can be found at the following address: http://eprints.nottingham.ac.uk/end_user_agreement.pdf
You might also like
Juzzy Constrained: Software for Constrained Interval Type-2 Fuzzy Sets and Systems in Java
Insights from interval-valued ratings of consumer products - a DECSYS appraisal
Performance and Interpretability in Fuzzy Logic Systems – can we have both?
On the Choice of Similarity Measures for Type-2 Fuzzy Sets