信息安全研究 (Journal of Information Security Research) ›› 2022, Vol. 8 ›› Issue (1): 93-.

• Technical Applications •

Design of Risk Assessment Model Based on GB/T 31509—2015

Pan Xuelin (潘雪霖) 1, Lu Jiaxing (陆佳星) 4, Zhang Wujun (张武军) 2, Sun Wei (孙伟) 3,4


  1. Guangzhou Municipal Health Technology Appraisal and Talent Evaluation Center, Guangzhou 510630
  2. Information and Data Center, The First Affiliated Hospital of Sun Yat-sen University, Guangzhou 510000
  3. School of Electronics and Information Engineering, Sun Yat-sen University, Guangzhou 510006
  4. Key Laboratory of Information Technology of the Ministry of Education (Sun Yat-sen University), Guangzhou 510006

  • Publication date: 2022-01-09; Release date: 2022-01-07
  • Corresponding author: Pan Xuelin, M.Sc. Research interest: information security.
  • Author biographies: Pan Xuelin, M.Sc., research interest: information security, 389801667@qq.com. Lu Jiaxing, M.Sc., research interest: information security, jiaxingllu@163.com. Zhang Wujun, associate research fellow, zhangwuj@mail.sysu.edu.cn. Sun Wei, professor and doctoral supervisor, research interests: network security and multimedia technology, sunwei@mail.sysu.edu.cn.


Abstract (translated from the Chinese): While information technology brings convenience, it also brings many security hazards; the accumulation of those hazards forces people to raise their security awareness and to recognize that network security is an indispensable part of social security and an important component of national security. Security risk assessment provides an important basis for predicting the level of network security, and security risk assessment standards are its strong theoretical support. However, putting those standards into practice still requires refinement. To implement the Information Security Risk Assessment Implementation Guide GB/T 31509—2015 (hereafter "the Guide") more objectively, we studied the theory of information security risk assessment, followed the Guide's risk assessment process, and designed an information security risk assessment model on the basis of classified protection 2.0 (等级保护 2.0). By parsing and assigning values to information assets, existing vulnerabilities and potential threats in layers, the calculated risk value is brought closer to reality. Practice shows that the risk assessment model obtained after hierarchical analysis assesses risk more effectively, makes the assessed risk value more scientific, and provides a basis for subsequent security protection measures.

Keywords (translated from the Chinese): information security, risk assessment, assessment standards, hierarchical analysis, assessment model

Abstract: Information technology not only brings convenience to people, but also brings many security risks. The accumulation of security risks forces people to improve their security awareness, so that they realize that network security is an indispensable part of social security and an important part of national security. Security risk assessment provides an important basis for predicting the degree of network security, and security risk assessment standards are its strong theoretical support. However, the implementation of security risk assessment standards needs to be refined. In order to implement the information security risk assessment implementation guide GB/T 31509—2015 (the "guide" for short) more objectively, the authors studied the theoretical knowledge of information security risk assessment, followed the risk assessment process guidance, and designed an information security risk assessment model on the basis of classified protection 2.0 (等级保护 2.0). By analyzing and assigning values to information assets, existing vulnerabilities and potential threats in layers, the calculated risk value is closer to reality. Practice has proved that the risk assessment model built with the analytic hierarchy process can assess risk more effectively, make the assessed risk value more scientific, and provide a basis for subsequent security protection measures.

Key words: information security, risk assessment, evaluation criteria, hierarchy analysis, evaluation model
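The abstract describes decomposing asset value, vulnerability and threat into layers, assigning values at each layer, and combining them into a risk value. The following is an added example (not the paper's own code) of such a two-layer scheme in Python: AHP pairwise weighting of the three top-level factors with a consistency-ratio check, weighted sub-indicator scores for each layer, and a mapping of the result to a risk grade. The judgement matrix, sub-indicators, 1..5 scores, linear combination formula and grade thresholds are all constructed assumptions; the paper does not publish its concrete values.

```python
import math

# Saaty's random consistency index RI by matrix order (standard AHP table).
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12, 6: 1.24}
def ahp_weights(matrix):
    """Weights by the row geometric-mean method, plus the consistency ratio
    CR (CR > 0.1 means the pairwise judgements are too inconsistent to use)."""
    n = len(matrix)
    gm = [math.prod(row) ** (1.0 / n) for row in matrix]
    w = [g / sum(gm) for g in gm]
    # lambda_max estimated from A*w; it equals n for a fully consistent matrix
    lam = sum(sum(matrix[i][j] * w[j] for j in range(n)) / w[i] for i in range(n)) / n
    ci = (lam - n) / (n - 1) if n > 1 else 0.0
    return w, (ci / RANDOM_INDEX[n] if RANDOM_INDEX[n] else 0.0)

def layer_score(sub_weights, scores):
    """Weighted 1..5 score of one layer from its sub-indicator scores."""
    return sum(sub_weights[k] * scores[k] for k in sub_weights)

# Constructed top-level judgement matrix (asset vs threat vs vulnerability).
# It is fully consistent, so the weights come out as 0.5, 0.3, 0.2 with CR = 0.
TOP_MATRIX = [[1, 5 / 3, 5 / 2], [3 / 5, 1, 3 / 2], [2 / 5, 2 / 3, 1]]
# Constructed second-layer sub-indicator weights.
ASSET_SUB = {"confidentiality": 0.5, "integrity": 0.3, "availability": 0.2}
THREAT_SUB = {"capability": 0.6, "frequency": 0.4}
VULN_SUB = {"severity": 0.7, "exposure": 0.3}

def risk_value(asset, threat, vuln):
    """Risk value on the 1..5 scale. Assumption: a linear weighted sum of the
    three layer scores (the paper does not publish its exact formula)."""
    w, cr = ahp_weights(TOP_MATRIX)
    if cr > 0.1:
        raise ValueError(f"judgement matrix is inconsistent, CR={cr:.2f}")
    layers = (layer_score(ASSET_SUB, asset), layer_score(THREAT_SUB, threat),
              layer_score(VULN_SUB, vuln))
    return sum(wi * s for wi, s in zip(w, layers))

def risk_level(value):
    """Map a risk value to a five-grade label (constructed thresholds)."""
    for bound, label in ((1.8, "very low"), (2.6, "low"), (3.4, "medium"), (4.2, "high")):
        if value < bound:
            return label
    return "very high"

# Constructed sample: an internet-facing hospital records server.
SAMPLE_ASSET = {"confidentiality": 5, "integrity": 4, "availability": 4}
SAMPLE_THREAT = {"capability": 3, "frequency": 4}
SAMPLE_VULN = {"severity": 4, "exposure": 5}
print(risk_level(risk_value(SAMPLE_ASSET, SAMPLE_THREAT, SAMPLE_VULN)))  # high
```

Replacing the consistent matrix with cyclic judgements (for example, asset > threat > vulnerability > asset) drives CR above 0.1 and makes risk_value refuse to score, which is the check an assessor wants before trusting the weights.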