
A Risk Evaluation Model Merging Behaviors Trust of Entities
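Abstract: To address the difficulty of accurately quantifying information system risk, a new risk evaluation model is proposed through the identification, analysis and quantification of the factors that influence information system risk: assets, vulnerabilities and threats. The model takes the intrinsic relationships among the three into account and computes the inherent risk of the system comprehensively. Because information system risk is also affected by the behavior trust of external entities, a risk computation method that merges entity behavior trust is given. In the threat evaluation process, the weight of each influencing factor is determined by information entropy theory, which overcomes the subjectivity of determining weights by direct assignment and makes the evaluation results more objective and accurate. An application example shows that computing the system's risk with entity behavior trust merged in is reasonable, and that the method can evaluate information system risk well.

Risk analysis is one of the key factors impacting security decision-making in information systems. Risk evaluation is the base and premise of building an information system security setup. It is difficult to make accurate risk quantification because of the many fuzzy and uncertain factors existing in risk analysis of information security. To address the problem, this paper proposes a risk evaluation model based on asset evaluation, vulnerability evaluation and threat evaluation by identifying and quantifying the risk factors. In this model, the value, vulnerability and threat of an asset are combined to compute the risk of the system. Furthermore, considering that the risk of the system is influenced by the behavior of external entities, a risk computation method merging behaviors trust of external entities is presented, using the quantitative calculation of the information entropy weight of each factor to overcome the subjectivity of direct assignment. The application of the proposed model and the experimental results show that the risk computation model merging trust implied in the behaviors of the entities is reasonable, and can efficiently evaluate the risk of the information system.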
Source: Journal of Nanjing Normal University (Engineering and Technology Edition), CAS, 2010, Issue 4, pp. 72-79 (8 pages)
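Funding: Natural Science Foundation of Jiangsu Higher Education Institutions (007KJD520112); Jiangsu Province Educational Science "Eleventh Five-Year" Plan project (D/2009/01/093)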