Harnessing GPT-4 for generation of cybersecurity GRC policies: A focus on ransomware attack mitigation

Thumbnail Image
Files
Published version.pdf(912.31 KB)
Date
2023-11-01
DOI
10.1016/j.cose.2023.103424
Open Access Location
Authors
Journal Title
Journal ISSN
Volume Title
Publisher
Elsevier B.V.
Rights
(c) 2023 The Author/s
CC BY-NC-ND 4.0
https://creativecommons.org/licenses/by-nc-nd/4.0/
Abstract
This study investigated the potential of Generative Pre-trained Transformers (GPTs), a state-of-the-art large language model, in generating cybersecurity policies to deter and mitigate ransomware attacks that perform data exfiltration. We compared the effectiveness, efficiency, completeness, and ethical compliance of GPT-generated Governance, Risk and Compliance (GRC) policies, with those from established security vendors and government cybersecurity agencies, using game theory, cost-benefit analysis, coverage ratio, and multi-objective optimization. Our findings demonstrated that GPT-generated policies could outperform human-generated policies in certain contexts, particularly when provided with tailored input prompts. To address the limitations of our study, we conducted our analysis with thorough human moderation, tailored input prompts, and the inclusion of legal and ethical experts. Based on these results, we made recommendations for corporates considering the incorporation of GPT in their GRC policy making.
Description
Keywords
GPT, Cybersecurity policies, Ransomware, Policy generation, GRC
Citation
McIntosh T, Liu T, Susnjak T, Alavizadeh H, Ng A, Nowrozy R, Watters P. (2023). Harnessing GPT-4 for generation of cybersecurity GRC policies: A focus on ransomware attack mitigation. Computers and Security. 134.
URI
https://mro.massey.ac.nz/handle/10179/71852
Collections
Journal Articles