计算机工程与应用 ›› 2008, Vol. 44 ›› Issue (10): 111-115.

• 网络、通信、安全 • 上一篇    下一篇

基于评估流程的信息安全风险的综合评估

张泽虹   

  1. 北京信息科技大学,北京 100085
  • 收稿日期:2007-07-17 修回日期:2007-09-26 出版日期:2008-04-01 发布日期:2008-04-01
  • 通讯作者: 张泽虹

Comprehensive risk assessment of information security based on assessment process

ZHANG Ze-hong   

  1. Beijing Information Science & Technology University,Beijing 100085,China
  • Received:2007-07-17 Revised:2007-09-26 Online:2008-04-01 Published:2008-04-01
  • Contact: ZHANG Ze-hong

摘要: 对信息安全风险评估提出了一种新的评估方式。根据风险评估流程,采用模糊综合评判法和AHP方法相结合的方法,对信息系统安全风险进行综合评估。采用模糊综合评判的方法,对资产、威胁、脆弱性进行评估,判断资产的风险等级,求出资产风险值,对系统风险进行定量评定。在评估资产时,对资产的安全特性:机密性、完整性、可用性,采用AHP的方法,构造比较判断矩阵,求出各因素的权重。通过实例验证,该方法操作方便,评估结果准确,具有一定的实际意义。

关键词: 信息安全, 风险评估, 资产, 威胁, 脆弱性, 模糊综合评判, AHP方法, ,

Abstract: A new assessment method is introduced to the assessment of the information security risk.The method,which based on risk assessment process and combines fuzzy integrated evaluation and AHP method,is applied to the comprehensive risk assessment of information system security.The fuzzy integrated evaluation method is applied to assess the assets,threat and vulnerability,to judge the risk level of assets,to calculate the risk value of asset,and to make the qualitative evaluation of the information system.The AHP method is applied to assess the security features of the assets by constructing judgment matrix and calculating the weight of each factor.The study of the case shows that the method can be easily used to the risk assessment of the information security and the results are in accord with the reality.

Key words: information security, risk assessment, asset, threat, vulnerability, fuzzy integrated evaluation, AHP method