Abstract
Although chatbots are used a lot for customer relationship management (CRM), there needs to be more data security and privacy control strategies in chatbots, which has become a security concern for financial services institutions. Chatbots gain access to large amounts of vital company information and clients’ personal information, which makes them a target of security attacks. The loss of data stored in chatbots can cause major harm to companies and customers. In this study, STRIDE (viz. Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege) modelling was applied to identify the data security vulnerabilities and threats that pertain to chatbots used in the insurance industry. To do this, we conducted a case study of a South African insurance organisation. The adopted methodology involved data collection from stakeholders in the insurance organisation to identify chatbot use cases and understand chatbot operations. After that, we conducted a STRIDE-based analysis of the chatbot use cases to elicit security threats and vulnerabilities in the insurance chatbots in the organisation. The results reveal that security vulnerabilities associated with Spoofing, Denial of Service, and Elevation of privilege are more relevant to insurance chatbots. The most security threats stem from Tampering, Elevation of privilege, and Spoofing. The study extends the discussion on chatbot security. It fosters an understanding of security threats and vulnerabilities that pertain to insurance chatbots, which is beneficial for security researchers and practitioners working on the security of chatbots and the insurance industry.
Published Version (Free)
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Disclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.