
Information security risk analysis model considering costs and factors relevance (cited by: 8)
Abstract: To address information security risk assessment, a risk analysis model is proposed that considers both the relevance among risk factors and the effect and costs of controls. Compared with existing research, the proposed model not only fully considers the interrelation between risk factors such as threats and vulnerabilities, but also focuses on the influence of controls on those risk factors, and at the same time takes into account the cost of controls in risk treatment, providing a more objective and accurate risk analysis method for risk assessment and an effective strategy for control selection and optimization. The case analysis results show that the multi-objective decision-making risk analysis model can effectively quantify the influence relationships among the risk assessment factors, provide an objective and accurate priority ordering of controls according to their effectiveness and reasonable cost, and improve the accuracy of risk assessment, thus providing a scientific basis for decision making in information security risk management.
Source: Journal of Shenyang University of Technology (《沈阳工业大学学报》), 2015, No. 1, pp. 69-74, 6 pages in total. Indexed in: EI, CAS, Peking University Core Journals (北大核心).
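Funding: National "Twelfth Five-Year Plan" Science and Technology Support Program project (2012BAH08B02); National Natural Science Foundation of China project (61272513); Beijing Natural Science Foundation project (4132011).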
Keywords: risk assessment; interrelation of risk factor; controls-selecting; cost; multi-objective decision making; information security; decision making test and evaluation test; ordering method approximate to ideal solution