Abstract
To solve the problem of optimal information security investment in an organization's budgeting process, a relation model between security investment and risk control was built and the effectiveness of security investment was studied; the new concepts of effectiveness in reducing incident probability and effectiveness in mitigating loss were proposed. Utility theory was adopted as the descriptive model for organizational wealth, risk loss and security investment, and an exponential utility function was used as the model for the organization's return on investment. The bounds of security investment (including the maximum investment bound) were analyzed, the investment utility function was studied by taking partial derivatives to find its extremum, and the solution for the optimal (minimum) investment was derived. An application example shows that the utility-based risk measurement method is scientific and that security incidents with larger loss effects require larger security investment.
Source
《计算机科学》
CSCD
PKU Core Journal
2009, No. 12, pp. 70-72, 123 (4 pages)
Computer Science
Funding
National Natural Science Foundation of China project (60873233)
Shaanxi Province Key Science and Technology Program (2008-k04-21)
Keywords
Network security, Utility theory, Risk control, Information security investment