
A model for quantitative risk grade evaluation
Abstract: To find an ideal and practical model for network security risk evaluation, this paper analyzes network security risk evaluation in depth. Based on the three elements of network security (risk threats, security techniques, and security properties), it proposes a computational model for network security risk grades. The model consists of a security technique matrix and subdivided second-level evaluation parameters. The value of each element in the security technique matrix represents that element's weight in the overall security grade; when different network systems are evaluated, the weight assignments in the matrix are adjusted according to expert advice and the actual circumstances of the network system. The second-level evaluation parameters are derived from the elements of the security technique matrix: for each element they list the risk threats faced, the security techniques that can be adopted against those threats, and an evaluation of the security properties of the network system. The security grade of the network is computed from the scores of these evaluation parameters, and network security grades are classified accordingly. The model addresses the problem of quantitative evaluation fairly well and is operable and practical. Finally, the paper gives a calculation example of the model and its application method.
Source: Ningxia Engineering Technology (《宁夏工程技术》), CAS, 2006, No. 2, pp. 164-167 (4 pages)
Keywords: network safety; risk analysis; model for evaluating risk grade; network security risk evaluation