Automatic Association of Cloud Security Controls and Quantifiable Metrics for Certification

Abstract

The draft candidate European Cybersecurity Certification Scheme for Cloud Services (EUCS) defines security controls that must be associated with measurable metrics to assess compliance. This association process is currently manual, time-consuming, and prone to inconsistencies. In this paper, we propose an automated approach based on Sentence Transformers to associate cloud security controls with quantifiable metrics by leveraging semantic similarity between their textual descriptions. We evaluate our method on a dataset of 70 controls derived from the EUCS framework. The proposed approach outperforms a FastText-based baseline, achieving a conditional Normalized Discounted Cumulative Gain at rank 10 score of 0.640 (+0.146) and improving the standard nDCG@10 score from 0.275 to 0.504. These results demonstrate that contextual embedding models significantly enhance both the likelihood of retrieving relevant metrics and their ranking quality. Our findings highlight the potential of transformer-based methods to support automated, scalable, and more reliable compliance processes in cloud cybersecurity certification.

0

Turn this paper into a full lesson

ArcXiv compiles a staged curriculum from this paper: 8-12 lessons across beginner → advanced, synthesised section guides, visuals, flashcards, a quiz, exercises, and on-demand deep dives per section. Grounded in the abstract, never invented.

Discussion (0)

Sign in to join the discussion.

Loading comments…