Data security in chatbots for the insurance industry: a case study of a South African insurance company

Abstract

As chatbots become more popular, the insurance industry has adopted their use. Although chatbot has been used a lot in customer relationship management (CRM), there is a lack of data security and privacy control strategies for data in chatbots. During data exchange, the client's data may be compromised through computer security breaches, thus exposing the client to possible fraud and theft. The lack of data security and privacy control strategies for data in chatbots has become a major security concern in financial services institutions. Chatbots access a lot of company and client information and that makes the data contained in chatbots to be the target of hackers which can cause harm to companies and customers. This study explored how data security in chatbots in South African insurance organisations can be attained. To realise the aim of this study, five objectives were formulated as follows, to: 1) identify the potential use cases of chatbots for CRM in a South African insurance organisation; 2) identify the challenges of securing data in a chatbot in a South African insurance organization; 3) determine the security goals, threats, and vulnerabilities associated with the use of chatbots in a South African insurance organisation; 4) develop a threat model for the security and privacy of data in chatbots for a South African insurance organization; and 5) evaluate the threat model for security and privacy of data in the chatbots for a South African insurance organisation. The mixed-methods research methodology was adopted for the study. A case study research strategy that involved data collection from a South African insurance company was used. Semi-structured interviews were conducted with participants that were purposively selected. Also, the STRIDE modelling approach was used to collect data on the security threats and vulnerabilities that pertain to each insurance use case with for each component of STRIDE — Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. Based on the outcome of the STRIDE modelling, a threat model for data security in chatbots for the South African insurance industry was developed using the Attack Defence tool. The threat model reveals the data security threats in chatbots, and how they can be mitigated. An evaluation of the threat model was conducted using security experts who assessed the quality of the threat model. They also provided qualitative feedback on the threat model. The evaluation of the threat model adopted the System Usability Scale (SUS) questionnaire which is a standard questionnaire to evaluate a system or product. The SUS score for each evaluator was calculated, and a mean SUS score was obtained. From the expert evaluation, the developed threat model for data security in insurance chatbots obtained a mean SUS of 79.4 which corresponds to a grade B rating, which is a good rating based on the rules for the SUS scores. From the qualitative feedback, the security experts observed that the threat model can help to improve overall security and protect against potential attacks, and also proactively identify and mitigate potential threats in chatbots. The insurance industry and academia will benefit from this study. Insurance organisations can implement security using the proposed threat model for the security of data in their business chatbots. Also, this study contributes new information to the body of knowledge since this is the first study to develop a threat model for data security in the chatbots in the context of the South African insurance industry using STRIDE modelling.