Mao Handong 1, Chen Feng, Zhang Weiming, Huang Jincai
(Department of Management Science and Engineering, National University of Defense Technology, Changsha 410073)
handmao@
Abstract
In the field of information security, risk assessment of information systems is of great importance. Its ultimate purpose is to guide decision makers in finding a balance between "investment cost" and "security level", so that protection strategies and mitigation plans can be drawn up for assets whose risk has been graded. Information security risk assessment methods have progressed from manual assessment to semi-automated assessment, and are now developing from technical assessment toward holistic assessment, from qualitative assessment toward methods that combine qualitative and quantitative assessment, and from knowledge-based assessment toward model-based assessment methods. This paper sets out the problems that information security risk assessment must solve, and introduces the main methods currently used in the field of information security risk assessment as well as the directions in which it will develop.
Keywords: information system; risk assessment; asset; threat; vulnerability
A Survey of Information Security Risk Assessment Methods
Mao Handong, Chen Feng, Zhang Weiming, Huang Jincai
(Department of Management Science and Engineering, National University of Defense Technology, Changsha 410073)
handmao@
Abstract: Information systems risk assessment has experienced the stage of manual-to-automatic. It is now expanding from technology assessment to holistic, from qualitative to a synthetic method of qualitative and quantitative analysis, and from knowledge-based to model-based. To make the assessment comprehensive and accurate, the target of assessment must be considered as a whole system with technological, organizational and personnel factors. Specifying an information system is often a complicated task that demands a method that can provide both the details and the overview of the system. Modeling techniques give us the possibility to specify all aspects of the system while keeping a good overview at the same time.
Key words: Information System; risk assessment; asset; threat; vulnerability.
1. Introduction
Information systems have become an important part of people's lives, and people always hope that information systems will bring them more convenience. However, the characteristics and limitations of the information system itself, and of the network environment to which it is connected, determine