From COBIT to ISO 42001: Evaluating Cybersecurity Frameworks for Opportunities, Risks, and Regulatory Compliance in Commercializing Large Language Models

Timothy R. McIntosh,Teo Susnjak,Tong Liu,Paul Watters,Raza Nowrozy,Malka N. Halgamuge
2024-02-24
Abstract:This study investigated the integration readiness of four predominant cybersecurity Governance, Risk and Compliance (GRC) frameworks - NIST CSF 2.0, COBIT 2019, ISO 27001:2022, and the latest ISO 42001:2023 - for the opportunities, risks, and regulatory compliance when adopting Large Language Models (LLMs), using qualitative content analysis and expert validation. Our analysis, with both LLMs and human experts in the loop, uncovered potential for LLM integration together with inadequacies in LLM risk oversight of those frameworks. Comparative gap analysis has highlighted that the new ISO 42001:2023, specifically designed for Artificial Intelligence (AI) management systems, provided most comprehensive facilitation for LLM opportunities, whereas COBIT 2019 aligned most closely with the impending European Union AI Act. Nonetheless, our findings suggested that all evaluated frameworks would benefit from enhancements to more effectively and more comprehensively address the multifaceted risks associated with LLMs, indicating a critical and time-sensitive need for their continuous evolution. We propose integrating human-expert-in-the-loop validation processes as crucial for enhancing cybersecurity frameworks to support secure and compliant LLM integration, and discuss implications for the continuous evolution of cybersecurity GRC frameworks to support the secure integration of LLMs.
Computers and Society,Artificial Intelligence
What problem does this paper attempt to address?
The main problem that this paper attempts to solve is to evaluate the integration readiness of the four existing major cybersecurity governance, risk, and compliance (GRC) frameworks - NIST CSF 2.0, COBIT 2019, ISO 27001:2022, and ISO 42001:2023 - in terms of opportunities, risks, and regulatory compliance when adopting large language models (LLMs). Specifically, the paper focuses on the following aspects: 1. **Evaluating the framework's support for LLM opportunities**: The research analyzes how these frameworks support and promote the integration of LLMs to take advantage of their potential benefits. 2. **Evaluating the framework's management of LLM risks**: Especially for the new risks that LLMs may bring (such as generating misleading or "hallucinatory" content), the research evaluates whether these frameworks provide sufficient risk management and mitigation measures. 3. **The consistency of the framework with the EU AI Act**: The research also explores to what extent these frameworks can comply with the provisions of the upcoming EU AI Act, especially in ensuring the safe and ethical use of generative AI. ### Research Background With the wide application of large language models (LLMs) in various industries, especially in the field of cybersecurity, they bring new opportunities and challenges. However, the existing cybersecurity frameworks have certain limitations and deficiencies in dealing with these emerging technologies. Therefore, this paper aims to reveal the advantages and disadvantages of these frameworks in LLM integration through systematic evaluation, thereby providing a basis for future framework improvement. ### Main Contributions 1. **The first academic evaluation**: This is one of the first academic evaluations of the integration readiness of major cybersecurity frameworks in LLM, revealing the deficiencies of existing frameworks in risk supervision. 2. **Multidimensional analysis**: The research emphasizes that the framework needs to adopt a multidimensional approach in the evolution process to support the integration of LLMs, including multiple aspects such as risk management, governance, and compliance. 3. **Identifying specific control deficiencies**: The research has found that the existing frameworks have insufficient control in managing the "hallucination" risk of LLMs, and this problem is not limited to the analyzed standards but is widespread. 4. **Calling for continuous framework updates**: The research results show that in order to deal with the risks and compliance issues of emerging AI technologies and seize the opportunities they bring, these frameworks need continuous updates and development. Through these contributions, this research aims to trigger an important discussion on the necessity of regular updates of cybersecurity standards to deal with rapidly developing technologies such as LLMs.