摘要
本文提出一种基于信息系统安全性分析来定量计算信息安全风险的度量尺度,差距分析方法及相应的评估流程.通过差距分析法,可以定量地度量信息安全目的和安全现状的在安全保障控制措施和安全保障能力两方面差距,从而改进对信息安全的分析和设计以及如何提升信息安全保障能力.通过本文定义并计算整体信息安全风险度量尺度,还可以计算不同安全控制措施的产生的安全边际效益,进行安全投入产出效益分析.这种可计算的信息安全风险评估尺度和方法的有效性在实际工程中得到应用与检验.
This paper propose a quantitative information security risk metric based on information system security analysis, gap analysis method and its assessment procedure, Through security gap analysis method, we can compute quantitatively the difference between security target and TOE security in security assurance control and security assurance capability, and then improve the information system security architecture design and its assurance level. Using the metric, we can also compare the benefit difference among security contols, and calculate the input-output analysis. This computable information security risk assessment metric and method was applied in real case and proved effective.
出处
《电子学报》
EI
CAS
CSCD
北大核心
2006年第B12期2556-2559,共4页
Acta Electronica Sinica
关键词
差距分析
安全评估
风险评估
安全度量
gap analysis
security assessment
risk assessment
security metric