Exploring LLM-Assisted Gap Analysis for Cybersecurity Compliance Auditing
Category
Student Abstract Submission

Ensuring adherence to cybersecurity frameworks and standards is a prevalent challenge for many organizations. Conventional auditing relies on extensive manual analysis, which consumes a great deal of time and resources to verify compliance and to discover gaps in adherence to best practices.
Recent advances in large language models (LLMs) have created many new opportunities to streamline tedious tasks. Artificial intelligence and machine learning have increasingly been applied to many aspects of cybersecurity, including threat detection, as demonstrated by Lee et al. (2019). However, their application to compliance auditing remains largely unexplored. This study proposes a novel approach that employs a specialized LLM to aid cybersecurity compliance auditing: it analyzes organizational reports to find compliance gaps and to provide actionable recommendations. To ensure pertinent gap analysis in a dynamic and evolving sector, we review numerous contemporary cybersecurity standards as a set of training data, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) and the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC-CIP) standards. Furthermore, we address the ethical and practical challenges of using LLMs, including hallucinations, transparency, and potential data security risks. A user-friendly interface is also emphasized so that individuals with limited technical expertise can use the system. Our preliminary findings indicate that the proposed LLM auditing process could significantly reduce the time required for compliance audits while maintaining relative accuracy. However, because several issues remain unresolved and unvalidated, the reliability of LLMs for this task is not yet settled. Notwithstanding these limitations, LLMs can still be used as a tool for regulatory compliance and audit, as demonstrated by the proof-of-concept system resulting from this study.