Abstract: Recent years, in practices of the information security risk management of enterprises, there is no quantitative method to develop risk management scheme and select risk management tools, and manual risk analysis always takes too much time. In this paper, it proposes an information security risk management approach based on Markov logic network. First, it uses Markov logic network to describe dependencies between the components and services of the evaluated systems. Next, it uses marginal reasoning model of Markov logic network to estimate the system availability in case of different risk management measures, so as to provide a quantitative basis for the selection of management measures. Case studies show that, this method can provide reliable quantitative basis for selecting information system security risk management measures for enterprise, and the method is simple to implement.

Key words: Markov logic networks, information security, risk management, risk assessment, marginal reasoning model, system availability

摘要： 针对现有的企业安全风险管理中，风险处理方案的制定和管理措施的选择缺乏量化手段、手动风险分析方式耗时过长等问题，提出了一种基于马尔科夫逻辑网的信息安全风险管理方法。首先利用马尔科夫逻辑网对被评估系统组件及服务间依赖关系进行描述，进而利用马尔科夫逻辑网的边际推理模型来预估不同安全管理措施情况下的系统可用性值，从而为管理措施的选择提供了量化依据。案例研究表明，该方法能够为企业信息系统安全风险管理措施的选择提供可靠的量化依据，且方法实施简单易行。

关键词: 马尔科夫逻辑网, 信息安全, 风险管理, 风险评估, 边际推理模型, 系统可用性