The AILA Methodology for Automated and Intelligent Likelihood Assignment in Risk Assessment

Abstract

This article recognises the widespread application of risk assessment in ICT and aims at reducing the influence of human subjectivity and distraction by means of a methodology for the Automated and Intelligent Likelihood Assignment (AILA). The AILA Methodology, with its various components, applies when risk assessment proceeds exclusively upon information stated in a policy coming as a text document. This scenario is extremely common through small to medium sized institutions. Among the main contributions of this article lies the AILA Entity Extractor, which facilitates the risk assessor in the identification of entities, then of assets, from a given policy. Then, the AILA Classifier automates the assignment of likelihood values to given threats for assets. Moreover, the synergy of AILA with an existing tool for risk assessment demonstrates how to achieve more objective likelihood assignments. AILA is general in support of any risk assessment and, for the sake of demonstration, is applied to assess the privacy risk induced over physical persons by three real-world manufacturers from the automotive domain, namely Toyota, Mercedes and Tesla. AILA is also validated against a risk assessment methodology by ENISA, thereby confirming effectiveness and efficiency of the new methodology (which is dramatically more automated than ENISA's). AILA combines and consolidates together several techniques in an unprecedented fashion, including Natural Language Processing by summarisation and entity recognition, dataset labelling by appeal to the ToS;DR service, and fully-supervised Machine Learning and regression analysis. Finally, to contribute to open knowledge, the general, executable components of AILA, the AILA Entity Extractor and the AILA Classifier are released open source along with the privacy-specific components, the AILA Privacy Dataset and the AILA Privacy Model.