信息安全研究 ›› 2015, Vol. 1 ›› Issue (1): 54-59.

• 学术论文 • 上一篇    下一篇

基于GB/T 20984-2007 风险评估计算模型的研究

  

  1. 1(中山大学数据科学与计算机学院 广州 510006) 2(广州市计划生育宣传教育中心 广州 510630) 3(广州市人口信息中心 广州 510630) 4(信息技术教育部重点实验室(中山大学) 广州 510006)
  • 出版日期:2015-10-05 发布日期:2016-01-18

Research of Information Security Risk Assessment Model Based on GB/T 20984

  1. 1( School of Data Science and Computer,Sun Yet-sen University,Guangzhou 510006) 2 (Guangzhou Family Planning Publicity and Education Center,Guangzhou 510630) 3 (Guangzhou Population Information Center,Guangzhou 510630) 4(Key Laboratory of Information Technology(Sun Yat-sen University),Ministry of Education, Guangzhou 510006)
  • Online:2015-10-05 Published:2016-01-18

摘要: 互联网时代的信息安全问题已全球化,使信息安全风险评估的系统工程显得尤为重要.为贯彻信息安全风险评估标准,解决GB/T 20984--2007信息安全风险评估技术规范中信息安全风险评估计算比较模糊的问题,研究信息安全风险评估相关理论,在原有风险计算的基础上,设计和实现一种改进的信息安全风险评估计算模型.引入安全措施有效性系数,通过对风险资产的价值、威胁和脆弱性细化量化分析,根据相乘法原理计算风险值,使风险计算值更加科学和可靠,进一步明确风险控制措施对风险控制的有效性影响,为风险分析计算提出一种新的解决思路.实践证明,将评估标准与实践相结合,更好地论证了该模型的有效性.

关键词: 信息安全, 风险评估, 风险计算, 计算模型, 风险分析

Abstract: Information security has been globalized in the Internet era, which is also one ofthe socially focused concerns.It makes the information security risk assessment system particularly important. Security incidents often usedthe diversification of vulnerabilities to make the security of systems improved in the past.. Information security is dependent on the integrated system engineering involving technology and management. Risk assessment is a process which identifies the weaknesses of the information system andanalyses the threat level of eventsusing the weakness above.. At last, risk assessment need to evaluate the possibility of negative impacts for the threats. The implementary specification for risk assessmentis not specific enough, so it is necessary to refine related theory according tomore practise..Based on the original risk calculationa improved information security risk assessment model is designed in this paper.The improved assessment will solve the problem of information security risk calculation in the GB/T 20984--2007 technical specification better. . Through the analysis of the value of risk assets, threat and vulnerability of risk assets, the risk value is calculated.The value will be used to clarify the effectiveness of risk control measures.Through the risk analysis, the risk calculation value becomes more scientific and reliable, presentinga new approach to risk analysis and calculation. It has proved thatthe combination of standard for assessment and practise will prove the validity of the model better.

Key words: information security, risk assessment, risk calculation, computational model, risk analysis