<p>Cybersecurity certification generally relies on risk assessment results to identify suitable controls and assess the completeness of these controls for security requirement satisfaction and overall security assurance. Prioritization of relevant vulnerabilities is essential to support the risk assessment and overall conformity assessment. However, the security context has continuously evolved with variations in attack surfaces, vulnerability exploitation, and the regulatory landscape–factors that significantly impact the conformity assessment process. This research proposes a hybrid AI framework integrating ensemble learning with GPT-3.5 for effective risk management within composite product cybersecurity conformity assessment under the European Cybersecurity Certification Scheme. It operationalizes Explainable AI (XAI) practices using SHAP and LIME methods to identify the most influential features affecting vulnerability predictions, and applies marginal analysis to measure the quantifiable gap closure between required and actual security postures to validate security control adequacy and requirement satisfaction based on calculated risk levels. This facilitates the adoption of XAI in the context of cybersecurity certification, extending its utility beyond general AI-enabled application scenarios. An industrial pilot scenario based on the P-NET 5G/6G Testing and Integration Service infrastructure, along with a dataset-based experiment, was conducted to evaluate the proposed framework. The results indicate that the hybrid model achieved 89% accuracy for vulnerability exploitation score prediction, enabling accurate risk calculation for conformity assessment. Furthermore, the XAI analysis revealed that the identified security controls demonstrate adequate performance in satisfying mapped security functional requirements. Ultimately, the framework provides quantifiable validation of security control effectiveness, enabling auditors to trace the logical connections between vulnerability predictions, risk calculations, and security requirement satisfaction for an informed certification decision.</p>

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Hybrid AI-Based dynamic risk assessment framework with explainable AI practices for composite product cybersecurity certification

  • Shareeful Islam,
  • Bilal Sardar,
  • Eleni Maria Kalogeraki,
  • Kostas Lampropoulos,
  • Spyridon Papastergiou

摘要

Cybersecurity certification generally relies on risk assessment results to identify suitable controls and assess the completeness of these controls for security requirement satisfaction and overall security assurance. Prioritization of relevant vulnerabilities is essential to support the risk assessment and overall conformity assessment. However, the security context has continuously evolved with variations in attack surfaces, vulnerability exploitation, and the regulatory landscape–factors that significantly impact the conformity assessment process. This research proposes a hybrid AI framework integrating ensemble learning with GPT-3.5 for effective risk management within composite product cybersecurity conformity assessment under the European Cybersecurity Certification Scheme. It operationalizes Explainable AI (XAI) practices using SHAP and LIME methods to identify the most influential features affecting vulnerability predictions, and applies marginal analysis to measure the quantifiable gap closure between required and actual security postures to validate security control adequacy and requirement satisfaction based on calculated risk levels. This facilitates the adoption of XAI in the context of cybersecurity certification, extending its utility beyond general AI-enabled application scenarios. An industrial pilot scenario based on the P-NET 5G/6G Testing and Integration Service infrastructure, along with a dataset-based experiment, was conducted to evaluate the proposed framework. The results indicate that the hybrid model achieved 89% accuracy for vulnerability exploitation score prediction, enabling accurate risk calculation for conformity assessment. Furthermore, the XAI analysis revealed that the identified security controls demonstrate adequate performance in satisfying mapped security functional requirements. Ultimately, the framework provides quantifiable validation of security control effectiveness, enabling auditors to trace the logical connections between vulnerability predictions, risk calculations, and security requirement satisfaction for an informed certification decision.