
A Threat-centric Model for Information Security Risk Assessment (cited by: 1)
Abstract: In information security risk assessment, the risk value or risk level of an information system is obtained by integrating the results of identifying and assessing four risk factors: assets, vulnerabilities, control measures and threats. The complex relationships between these four factors make risk assessment difficult to carry out in practice. Based on the latest domestic and international risk assessment standards, a basic three-tier assessment architecture and a threat-centric risk assessment model are proposed. In the model, the assessment results of the other risk factors are integrated into the threat risk assessment process, the relationships between the four risk factors are clearly displayed, and qualitative, quantitative or comprehensive assessment methods are all easy to implement. In addition, the three-tier architecture can be used to carry out the iterative cycle of risk assessment at different levels of detail. Finally, a concrete implementation of the fuzzy evaluation method within this model is given as an example.
Source: Journal of Wuhan University of Technology (CAS, CSCD, Peking University Core Journal), 2009, No. 18, pp. 43-45 (3 pages)
Funding: Doctoral Start-up Fund of Chongqing University of Posts and Telecommunications
Keywords: information security; information security risk assessment; threat; fuzzy evaluation