Research and application of risk assessment of digital security surveillance system based on AHP-FCE


Authors: 陆正卿 (LU Zhengqin); 方维岚 (FANG Weilan); 袁晓萌 (YUAN Xiaomeng); 周志洪 (ZHOU Zhihong)[2,3]; 银鹰 (YIN Ying); 侍国亮 (SHI Guoliang)

Affiliations: [1] Shanghai Tobacco Group Co., Ltd., Shanghai 200082, China; [2] Institute of Cyber Security Technology, School of Electronic Information and Electrical Engineering, Shanghai Jiaotong University, Shanghai 200240, China; [3] Shanghai Key Laboratory of Information Security Integrated Management Technology Research, Shanghai 200240, China

Source: 《中国高新科技》 (China High and New Technology), 2024, Issue 18, pp. 148-152 (5 pages)

Abstract: Network security risk assessment of digital security surveillance systems is usually affected by a variety of uncertain factors. To effectively reduce the impact of experts' subjective judgment and other uncertain factors on the assessment results, a network security risk assessment method based on the Analytic Hierarchy Process (AHP) is proposed and applied to the risk assessment practice of the Tobacco Group's digital security surveillance system. First, the structure of the digital security surveillance system and its security threats are analyzed. Second, the mechanism by which security events arise in the system is studied and, following "Information Security Technology: Information Security Risk Assessment Method" (GB/T 20984-2022), a network security risk assessment index system comprising 6 second-level indicators and 12 third-level indicators is constructed on the basis of questionnaire surveys, interviews, and scanning and penetration testing. The weight of each indicator is determined with AHP, the Fuzzy Comprehensive Evaluation (FCE) method is used to obtain the comprehensive evaluation result for each indicator, and uncertainty factors are incorporated into the calculation of the probability of security events; the risk value of the digital security surveillance system is then calculated from the probability of security events and their losses. Finally, the proposed method is modeled and validated through risk assessment experiments using the yaahp software, which improves the authenticity and validity of the evaluation results.

Keywords: Analytic Hierarchy Process; Fuzzy Comprehensive Evaluation; network security risk assessment

Classification code: D631 [Politics and Law: Political Science]

 
