A Framework for Systematic Classification of Assets for Security Testing

Sadeeq Jan1,*, Omer Bin Tauqeer1, Fazal Qudus Khan2, George Tsaramirsis2, Awais Ahmad3, Iftikhar Ahmad4, Imran Maqsood5 and Niamat Ullah6

1 National Center for Cyber Security, Department of CS & IT, University of Engineering & Technology, Peshawar, Pakistan
2 Department of Information Technology, FCIT, King Abdulaziz University, Jeddah, Saudi Arabia
3 Dipartimento di Informatica (DI), Università Degli Studi di Milano Statale, Via Celoria 18, Milano, Italy
4 Department of Computer Science & IT, University of Engineering & Technology, Peshawar, Pakistan
5 Department of Software Engineering, University of Engineering & Technology, Mardan, Pakistan
6 University of Buner, Buner, Pakistan

Corresponding Author: Sadeeq Jan. Email: sadeeqjan@uetpeshawar.edu.pk
Received: 14 July 2020; Accepted: 07 August 2020

Abstract: Over the last decade, a significant increase has been observed in the use of web-based Information systems that process sensitive information, e.g., personal, financial, medical. With this increased use, the security of such systems became a crucial aspect to ensure safety, integrity and authenticity of the data. To achieve the objectives of data safety, security testing is performed. However, with growth and diversity of information systems, it is challenging to apply security testing for each and every system. Therefore, it is important to classify the assets based on their required level of security using an appropriate technique. In this paper, we propose an asset security classification technique to classify the System Under Test (SUT) based on various factors such as system exposure, data criticality and security requirements. We perform an extensive evaluation of our technique on a sample of 451 information systems. Further, we use security testing on a sample extracted from the resulting prioritized systems to investigate the presence of vulnerabilities. Our technique achieved promising results of successfully assigning security levels to various assets in the tested environments and also found several vulnerabilities in them.

Keywords: Security; security testing; privacy; asset classification

1 Introduction

Complex web-based systems either contain or utilize private and critical information which must remain secure from unauthorized access and tampering. Similarly, basic web applications may also process sensitive information and are constantly at risk of being attacked. New and complex systems used in cloud computing for data crunching and information gathering may also be vulnerable to various attacks and threats. To ensure the security of these systems and applications, security testing is required. There are various types of security testing techniques that are used to find vulnerabilities. The most common form of testing is Penetration Testing also known as Pen Testing. Penetration testing is carried out by simulating real attacks on

This work is licensed under a Creative Commons Attribution 4.0 International License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

Computers, Materials & Continua, DOI:10.32604/cmc.2020.012831, Article, Tech Science Press