摘要
对信息安全风险评估提出了一种新的评估方式。根据风险评估流程,采用模糊综合评判法和AHP方法相结合的方法,对信息系统安全风险进行综合评估。采用模糊综合评判的方法,对资产、威胁、脆弱性进行评估,判断资产的风险等级,求出资产风险值,对系统风险进行定量评定。在评估资产时,对资产的安全特性:机密性、完整性、可用性,采用AHP的方法,构造比较判断矩阵,求出各因素的权重。通过实例验证,该方法操作方便,评估结果准确,具有一定的实际意义。
A new assessment method is introduced to the assessment of the information security risk.The method,which based on risk assessment process and combines fuzzy integrated evaluation and AHP method,is applied to the comprehensive risk assessment of information system security.The fuzzy integrated evaluation method is applied to assess the assets,threat and vulnerability,to judge the risk level of assets,to calculate the risk value of asset,and to make the qualitative evaluation of the information system.The AHP method is applied to assess the security features of the assets by constructing judgment matrix and calculating the weight of each factor.The study of the case shows that the method can be easily used to the risk assessment of the information security and the resuhs are in accord with the reality.
出处
《计算机工程与应用》
CSCD
北大核心
2008年第10期111-115,共5页
Computer Engineering and Applications
基金
北京市属市管高校中青年骨干教师经费资助项目
关键词
信息安全
风险评估
资产
威胁
脆弱性
模糊综合评判
AHP方法
information security
risk assessment
asset
threat
vulnerability
fuzzy integrated evaluation
AHP method
