Abstract: The existing models of risk assessment are based on statistical approaches overwhelmingly, and guided by static models and don’t take into account the dynamic nature of interactions in cyberspace. Known tools don’t allow to use delay in taking protective measures in process of risk analysis and assessment. To solve the problem, this paper analyzes the main causes of delay in taking measures to protect the information system, and proposes an information security risk assessment dynamic model which takes into account the delay in taking protective measures. The proposed model allows to create more flexible tools of evaluating the relative value of information security risk both on the basis of statistical data and the qualitative assessments made by using nonlinear models with delay. Further more, this paper also uses the proposed model to stimulate the impact on information security risk by the delay of the security measures. The simulation results show that, timely introduction of measures to counter threats will reduce information security risks effectively.

Key words: information security risks, risk analysis, network attacks, delay equation, model of systems with delay, nonlinear dynamics

摘要： 现有绝大多数风险评估模型均是基于静态模型指导下的统计学方法，并未考虑到网络空间要素间的动态作用，已知的风险评估工具也不支持在风险分析和评估过程中考虑安全措施的延迟问题。针对上述问题，分析了安全防护措施延迟的原因，提出了一个考虑了延迟因素的信息安全风险评估动态模型，为基于时滞非线性模型所得的统计数据和定性评估所得的结果创建更为灵活的风险评估工具提供了可能。利用模型对安全措施延迟对信息安全风险的影响进行了仿真研究，结果表明，针对威胁及时采取安全措施能有效地降低信息安全风险。

关键词: 信息安全风险, 风险分析, 网络攻击, 时滞方程, 时滞系统模型, 非线性动力学