文档介绍：摘要
摘 要
信息安全技术自问世以来,已有四十余年的历史。多年来,人们凭借着日益丰富、完善的安全技术解决了一个又一个的安全难题。但随着社会化信息步伐的加快和网络的日趋庞大,安全事件的发生率已远远超出了以往任何时期,纯粹、被动的技术手段已经不能应付日益增长的安全威胁。因此,人们提出了安全风险评估的思想。风险评估采取防患于未然的主观态度,技术与管理并重,通过识别信息系统中导致安全事件发生的各风险因子,评估各安全事件发生的概率及其造成的损失,来确定系统目前面临的安全风险,并针对各风险情况,有针对性、有区别地给出对应的风险控制措施,达到保障系统相对安全的目的。
风险计算是风险评估及风险管理的重要前提。本文基于风险评估核心思想, 从风险评估及其计算模型的现状入手,介绍了风险评估体系中的评估工作模式、流程、评估标准体系、评估工具等基础理论,重点讨论了基于风险要素的评估模型和风险分析计算方法。在此基础上,建立了一种新的安全风险计算模型。该模型综合考虑了资产价值、安全措施强度、单独安全威胁及其威胁相互作用对整个系统安全带来的影响,并对计算的复杂度作了科学、恰当的控制,有效地提高了评估结果的客观性和准确性,解决了以往计算模型考虑不全面、计算结果不准确的问题。
最后,本文以面向对象理论为指导、借助数据库的支持,将该计算模型应用于安全风险评估工具的开发过程中,并通过在实际应用中提取的一组实验数据, 来验证其可行性。
关键词:信息系统,风险评估,计算模型,风险管理,关联威胁
I
ABSTRACT
ABSTRACT
There has been more than forty years since the advent of information security technology. Over the years, people solve one safety problem after another by virtue of an increasing rich and sophisticated security technology. However, with the rapid development of information technology, the incidence of security incidents has gone far beyond any previous period. The pure, passive techniques have been unable to cope with the growing security threat. Therefore, we putted forward the idea of security risk assessment. Risk assessment consider not only technology but also management, can assess the probability of the potential danger and its losses at the base of identifying risk factors in the information system which may course security incidents to determine the risk of the system at present. For different risks, we could take different measures to make sure the system relative safe.
Risk calculation is an important prerequisite for the risk assessment and management, so in the article, on the basis of the central idea of the risk assessment, we focused on the assessment model and risk analysis calculation method based on the risk factors after introduced the current situation of risk assessment, its calculating model and some relevant speculative knowledge such as work mode, flow, standard system, assessment tools,