Cybersecurity requirements identification using LLMs - A design science study

Abstract

Context: Threat analysis and risk assessment (TARA) is a widely used approach for conducting cybersecurity analysis in the automotive industry. The process is initiated early in the development process and continuously iterated. Problems: Automotive systems continue to rely more on software. Additionally, the National Vulnerability Database (NVD) show that more vulnerabilities are found each year. As a result, much time has to be spent continuously ensuring that systems have updated TARA analysis. Method: We designed a Large Language Model (LLM) based artifact to help security engineers by automatically identifying attack paths and security requirements. The artifact achieved this via a combination of prompt engineering and grounding in both the Common Vulnerabilities and Exposures (CVE) database, and the Automotive Information Sharing and Analysis Center (Automotive-ISAC) Automotive Threat Matrix (ATM). Result: The artifact could define security requirements which met the expected standards of practitioners and were correct based on the attacks they were generated to mitigate. However, challenges were identified in the generation of attacks paths, where the generated output was less consistent in how well it met expectations. Experts perceived it to be able to generate appropriate requirements for an initial TARA analysis, however future work is needed to determine how more complex paths and requirements could be identified automatically.