Towards Improved Network Security Requirements and Policy: Domain-Specific Completeness Analysis via Topic Modeling

Network security policies contain requirements, including system and software features as well as expected and desired actions of human actors. In this paper, we present a framework for evaluating textual network security policies as requirements documents to identify areas for improvement. Specifically, our framework concentrates on completeness. We use topic modeling coupled with expert evaluation to learn the complete list of important topics that should be addressed in a network security policy. Using these topics as a checklist, we evaluate (students) a collection of network security policies for completeness, i.e., the level of presence of these topics in the text. We developed three methods for topic recognition to identify missing or poorly addressed topics. We examine network security policies and report the results of our analysis, which show preliminary success of our approach.
