Information security vulnerability prediction based on business process model using machine learning approach

Abstract

Identifying information security vulnerabilities of a new business process resulting from a business process redesign (BPR) must occur as early as possible. Organisations frequently initiate a BPR, and vulnerability identification that involves information security experts should follow. In developing countries, many organisations have insufficient experts, causing problems related to the experts’ workload. In this study, we propose a new method called Task-based Vulnerability Prediction (TbVP), which uses a machine-learning approach to predict information security vulnerabilities of the business process model. The method utilises the type and label of tasks in the model to predict vulnerabilities in implementing applications. Vulnerabilities data are taken from the Common Weakness Enumeration (CWE) dictionary. Our method consists of two main stages. First, we developed clusters using classification and clustering methods. Second, we built an automatic system to predict vulnerabilities using the clusters obtained from the first stage. Business processes of public universities were used as case studies to evaluate the method. We evaluated the automatic prediction system using the reliability test and comparing vulnerabilities our system predicted with actual vulnerabilities that materialised in the applications. The evaluation result shows that the system is a reliable predictor of application vulnerabilities, which our method can automatically predict based on a business process model, before implementing supporting applications.