Author affiliations: [1] School of Computer Science and Technology, Chongqing University of Posts and Telecommunications, Chongqing 400065; [2] Department of Computer Science, Beijing Institute of Graphic Communication, Beijing 102600; [3] Department of Computer Science, Central China Normal University, Wuhan 430079
Source: Journal of Wuhan University of Technology (《武汉理工大学学报》), 2009, No. 18, pp. 43-45 (3 pages)
Funding: Doctoral start-up fund of Chongqing University of Posts and Telecommunications
Abstract: In information security risk assessment, the risk value or risk level of the assessed system is obtained by integrating the identification and assessment of four risk factors: assets, vulnerabilities, control measures and threats. The complex relationships among these four factors make risk assessment difficult to carry out in practice. Based on the latest international and domestic risk assessment standards, a basic three-tier assessment architecture and a threat-centric risk assessment model are proposed. In the model, the assessment results of the other three factors are integrated into the threat risk assessment, which presents the relationships among the four factors clearly and suits qualitative, quantitative or combined assessment methods. The three-tier architecture can also be used to iterate the risk assessment at different levels of detail. Finally, an implementation of the fuzzy evaluation method within this model is given.
Keywords: information security; information security risk assessment; threat; fuzzy evaluation method
Classification: TP393 [Automation and Computer Technology: Computer Application Technology]
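As an added illustration (not code from the paper, of which this page carries only the abstract), the Python script below shows how a threat-centric aggregation can use a fuzzy comprehensive evaluation step: for each threat, the four factors (asset value, vulnerability severity, the complement of control effectiveness, and threat likelihood) are mapped to memberships in low/medium/high risk levels, combined with a weight vector W into B = W * R, and defuzzified by maximum membership and by a crisp score for ranking. The level set, the triangular membership shapes, the weights and the sample threats are all assumptions constructed for this example and are not taken from the paper.

```python
"""Threat-centric risk aggregation with a fuzzy comprehensive evaluation step.

Added illustration, not the paper's code. The factor set, weights, membership
functions and sample data below are assumptions made for this example.
"""
from dataclasses import dataclass

# Assumed ordered risk levels and representative crisp scores (constructed).
LEVELS = ("low", "medium", "high")
LEVEL_SCORES = (0.2, 0.5, 0.8)

# Assumed weights of the four factors as seen from one threat:
# asset value, vulnerability severity, control weakness, threat likelihood.
WEIGHTS = (0.3, 0.25, 0.2, 0.25)


def membership(x: float) -> tuple[float, float, float]:
    """Map a normalised factor score in [0, 1] to memberships in (low, medium, high).

    Triangular membership functions centred at 0.0, 0.5 and 1.0 (assumed shapes);
    for every x the three memberships sum to 1.
    """
    if not 0.0 <= x <= 1.0:
        raise ValueError(f"score out of range: {x}")
    low = max(0.0, 1.0 - 2.0 * x)      # 1 at x=0, falls to 0 at x=0.5
    high = max(0.0, 2.0 * x - 1.0)     # 0 up to x=0.5, rises to 1 at x=1
    medium = 1.0 - low - high          # peak 1 at x=0.5
    return (low, medium, high)


@dataclass(frozen=True)
class Threat:
    name: str
    asset_value: float            # value of the asset the threat targets, 0..1
    vuln_severity: float          # severity of the exploitable weakness, 0..1
    control_effectiveness: float  # how well existing controls counter it, 0..1
    likelihood: float             # estimated likelihood of the threat, 0..1


def fuzzy_evaluate(t: Threat, weights=WEIGHTS):
    """Compute B = W * R for one threat using weighted-average composition.

    Rows of R are the membership vectors of the four factors; control
    effectiveness enters as its complement, so stronger controls lower risk.
    Returns (fuzzy vector over LEVELS, crisp score, level by max membership).
    """
    factors = (t.asset_value, t.vuln_severity,
               1.0 - t.control_effectiveness, t.likelihood)
    R = [membership(f) for f in factors]
    B = [sum(w * row[j] for w, row in zip(weights, R)) for j in range(len(LEVELS))]
    crisp = sum(b * s for b, s in zip(B, LEVEL_SCORES))
    level = LEVELS[max(range(len(LEVELS)), key=lambda j: B[j])]
    return B, crisp, level


def rank_threats(threats):
    """Return (name, level, crisp score) tuples sorted from highest to lowest risk."""
    rows = []
    for t in threats:
        _, crisp, level = fuzzy_evaluate(t)
        rows.append((t.name, level, round(crisp, 3)))
    return sorted(rows, key=lambda r: r[2], reverse=True)


# Constructed sample threats for illustration only.
SAMPLE_THREATS = [
    Threat("SQL injection against customer DB", 0.9, 0.8, 0.3, 0.7),
    Threat("Phishing of helpdesk staff", 0.6, 0.5, 0.6, 0.8),
    Threat("Physical theft of test laptop", 0.3, 0.4, 0.8, 0.2),
]

if __name__ == "__main__":
    for name, level, score in rank_threats(SAMPLE_THREATS):
        print(f"{score:.3f}  {level:<6}  {name}")
```

The weighted-average operator is used so that the output vector B stays normalised and small differences between threats are preserved; a max-min composition would be the other common choice and is a one-line change in `fuzzy_evaluate`. Because controls enter through their complement, raising `control_effectiveness` for a threat moves its membership mass toward the lower levels, which is how the model expresses that the other three factors are folded into the threat's own risk.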