Analysis on Business Process-Oriented Information Security Risk
Abstract: In the information age, business process has become an important information security risk factor. However, there is a lack of models that adequately describe the dependencies among business processes and information assets, and when the impact of a threat on business is evaluated, the asset dependencies and the security objectives or requirements of the business have not been taken into account simultaneously, which has a negative impact on the risk assessment result. This study presents an asset dependency diagram with a hierarchical structure and inner dependencies, and the Analytic Network Process (ANP) is used to calculate the degrees to which the organization's business depends on information assets with respect to confidentiality, integrity and availability respectively, which reflect the security requirements the business places on those assets. Based on this, the impact of a threat on business is determined by threat strength and security requirements. An example shows that the asset dependency results obtained with ANP are more in line with reality, and therefore the reasonableness of the risk assessment result is ensured.
Author: 范士喜 (Fan Shixi)
Source: Journal of Beijing Institute of Graphic Communication (《北京印刷学院学报》), 2015, No. 4, pp. 34-38 (5 pages)
Funding: Beijing Natural Science Foundation (4142016)
Keywords: information security; risk analysis; business process; Analytic Network Process (ANP); asset dependency