Elicitation of security threats and vulnerabilities in Insurance chatbots using STRIDE.
Artificial Intelligence
Chatbot security
Chatbots
Customer relationship management
Data security
Insurance
STRIDE
Threat modelling
Journal
Scientific reports
ISSN: 2045-2322
Abbreviated title: Sci Rep
Country: England
NLM ID: 101563288
Publication information
Publication date: 02 Aug 2024
History:
received: 23 Jan 2024
accepted: 29 Jul 2024
medline: 3 Aug 2024
pubmed: 3 Aug 2024
entrez: 2 Aug 2024
Status: epublish
Abstract
Although chatbots are widely used for customer relationship management (CRM), data security and privacy control strategies for chatbots remain insufficient, which has become a security concern for financial services institutions. Chatbots gain access to large amounts of vital company information and clients' personal information, which makes them a target of security attacks. The loss of data stored in chatbots can cause major harm to companies and customers. In this study, STRIDE (viz. Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege) modelling was applied to identify the data security vulnerabilities and threats that pertain to chatbots used in the insurance industry. To do this, we conducted a case study of a South African insurance organisation. The adopted methodology involved data collection from stakeholders in the insurance organisation to identify chatbot use cases and understand chatbot operations. After that, we conducted a STRIDE-based analysis of the chatbot use cases to elicit security threats and vulnerabilities in the organisation's insurance chatbots. The results reveal that security vulnerabilities associated with Spoofing, Denial of Service, and Elevation of privilege are the most relevant to insurance chatbots, while most security threats stem from Tampering, Elevation of privilege, and Spoofing. The study extends the discussion on chatbot security. It fosters an understanding of the security threats and vulnerabilities that pertain to insurance chatbots, which is beneficial for security researchers and practitioners working on the security of chatbots and the insurance industry.
Identifiers
pubmed: 39095473
doi: 10.1038/s41598-024-68791-z
pii: 10.1038/s41598-024-68791-z
Publication types
Journal Article
Languages
eng
Citation subsets
IM
Pagination
17920
Copyright information
© 2024. The Author(s).