Abstract
Assets, threats and vulnerabilities are the three basic elements of information security risk assessment. In the assessment process these three elements must first be identified and assigned values, and the accuracy of that assignment determines how scientific and objective the assessment result is. Based on the statistical properties of threats, this paper proposes a gray system prediction method for threat valuation: a gray system prediction model is established, the gray differential equation is solved and a residual check is performed, so that historical data are used to predict the frequency with which a threat appears in the current assessment period. The predicted frequency is then converted into a grade, giving a quantitative threat value and improving the objectivity and measurability of information system risk assessment.
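The procedure described in the abstract, as an added example that is not from the paper: it assumes the gray model is the standard GM(1,1) (first-order, one-variable), fits the gray differential equation x0(k) + a·z1(k) = b by least squares, solves its time response, runs the residual check, and maps the predicted frequency to a grade. The history counts, the 0.1 residual acceptance level and the grade bounds are constructed assumptions.

```python
# Added example (not the paper's code): GM(1,1) gray prediction of a threat's
# per-period occurrence count, residual check, then mapping to a grade.
import math

# Constructed history: observed occurrences of one threat over six periods.
HISTORY = [12, 15, 19, 24, 31, 38]
# Constructed (hypothetical) frequency-to-grade bounds: below bound -> grade.
GRADE_BOUNDS = [(5, 1), (15, 2), (30, 3), (60, 4)]

def fit_gm11(x0):
    """Least-squares fit of the gray differential equation x0(k) + a*z1(k) = b."""
    x1 = [sum(x0[:i + 1]) for i in range(len(x0))]               # 1-AGO
    z1 = [0.5 * (x1[i] + x1[i - 1]) for i in range(1, len(x0))]  # background values
    y, u = x0[1:], [-z for z in z1]                               # regress y on -z1
    m, su, sy = len(y), sum(u), sum(y)
    suu = sum(v * v for v in u)
    suy = sum(v * w for v, w in zip(u, y))
    a = (m * suy - su * sy) / (m * suu - su * su)                # development coefficient
    b = (sy - a * su) / m                                        # gray input
    return a, b

def gm11_series(x0, a, b, steps=1):
    """Time response x1_hat(k+1) = (x0(1) - b/a)e^{-ak} + b/a, restored by IAGO.
    Returns fitted values for the history followed by `steps` forecasts."""
    n = len(x0) + steps
    x1_hat = [(x0[0] - b / a) * math.exp(-a * k) + b / a for k in range(n)]
    return [x1_hat[0]] + [x1_hat[k] - x1_hat[k - 1] for k in range(1, n)]

def residual_check(x0, fitted, limit=0.1):
    """Mean relative residual over k = 2..n; 0.1 is an assumed acceptance level."""
    errs = [abs(o - f) / o for o, f in zip(x0[1:], fitted[1:len(x0)])]
    mean_err = sum(errs) / len(errs)
    return mean_err, mean_err < limit

def frequency_grade(freq, bounds=GRADE_BOUNDS):
    """Map a predicted occurrence frequency to an ordinal threat grade 1..5."""
    for bound, grade in bounds:
        if freq < bound:
            return grade
    return 5

def assess_threat(history=HISTORY):
    """Full pipeline: fit, forecast the next period, check residuals, assign grade."""
    a, b = fit_gm11(history)
    series = gm11_series(history, a, b, steps=1)
    mean_err, ok = residual_check(history, series)
    forecast = series[len(history)]
    return {"a": a, "b": b, "forecast": forecast, "mean_err": mean_err,
            "residual_ok": ok, "grade": frequency_grade(forecast)}
```

Calling `assess_threat()` on the constructed history returns a development coefficient a ≈ -0.23 (a growing threat), a forecast of about 48 occurrences for the next period with a mean relative residual well under 0.1, and grade 4 under the constructed bounds.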
Keywords
information security risk assessment
gray system prediction
threat valuation