一种信息系统安全风险的灰色模糊综合评估方法

针对信息系统安全风险因素的灰色性和模糊性,以及信息安全风险评估过程中存在的主观性,将灰色统计评估法、模糊综合评判法和层次分析法结合,建立一种信息系统安全风险的灰色模糊综合评估模型.通过灰色统计法建立模糊隶属度矩阵,层次分析法确定风险因素权重,以此来评估量化系统风险,该方法能较好地量化评估信息系统安全风险.     

大型活动无线电通信安全保障初探

随着我国经济建设深入发展,各级党委、政府举办的大型外事、招商和体育等活动越来越多,无线电监测和无线电波净空测试也越来越频繁.为党委、政府举办大型活动提供无线电通信安全保障,是无线电管理系统的重要工作,更是无线电监测部门的重要任务.笔者结合近年来通信安全保障实践,参考借鉴业内成功经验,对大型活动无线电通信安全保障进行了粗浅的思考和探讨.     

云数据安全风险检测研究

近年来,随着我国的云平台的大力发展,云平台计算能力越来越强,云数据的存储量也越来越大。但是值得注意的是,科学技术进步的同时也为数据安全带来了新的威胁与挑战。由于云平台的用户间有着大量的数据交互,因此这个过程中必然存在一系列的安全风险问题,本文主要分析云数据安全风险现状以及风险检测方法,探讨如何有效地规避云数据风险,保障云数据的安全。     

云计算技术安全风险评估研究

云计算基于开放的互联网,使得其面临众多安全风险问题,为使风险控制在可接受范围,评估是十分必要的。云计算风险因素复杂多样,用德尔菲法建立云计算技术安全风险评估指标体系,凝练了云计算环境下技术风险的主要因素,并用模糊集与熵权理论对其进行评估。通过实例分析,验证了该方法是可行的、有效的。     

物联网云服务中API滥用的风险分析与检测

近年来,物联网技术的蓬勃发展带动了智能家居应用的快速发展,越来越多的智能家居平台开放各种应用程序接口,以方便用户实现自定义的智能家居应用,如设备联动控制.然而,这些开放接口中存在的安全缺陷也成为影响智能家居系统安全的重要因素之一.本文针对SmartThings智能家居平台的开放接口进行研究,发现了一系列新的具有安全缺陷的接口,并通过概念验证实验证实了其安全风险.为提升智能家居平台的安全性,设计并实现了检测智能家居云服务中接口滥用行为的工具SmartNotify.实验结果表明, SmartNotify能快速且准确地识别利用安全缺陷接口进行攻击的智能家居应用.     

一种风险评估和等级防护相结合的信息风险预测系统

信息安全问题越来越严重,仅仅依靠单一的产品预防根本无法安全有效地保护公司网络信息系统。对此设计一套应用于公司安全风险等级评估系统。风险评估是按照国家有关标准、规范,从信息系统的完整性、保密性及可用性等因素进行综合分析的过程。它和等级保护相结合成为一种有效的风险分析手段。该系统基于等级测评和风险评估相结合的理论,通过建立信息资产风险库,将信息风险和对应的风险等级建立连接。通过对公司信息进行相应的监测,自动测算出每一个系统的风险概率,并提出相应的风险预防措施。整个软件平台经多次测试结果表明,系统运行达到应有的效果。     

基于熵权系数法的信息安全模糊风险评估

信息安全风险分析中存在大量模糊、不确定性影响因素,以往的信息安全风险综合分析方法如PRA分析法需要收集到精确全面的评估数据,通过故障树分析信息系统被攻击的原因,建立风险计算模型定量计算系统风险,此方法过于繁琐,不易对信息系统风险进行准确的量化.针对此问题,文中通过对信息系统风险影响因素的识别与分析,构建反映信息安全风险影响因素及它们相互关系的风险评估指标体系,并应用多级模糊综合评判法对风险评估指标进行多层量化评估,同时利用信息熵定量计算各风险影响因素的权重,克服了直接赋值的主观性.该方法能较好地量化评估信息系统风险,方便计算出信息系统总的风险值.     

基于SOA和ESB的安全生产管控系统软件架构设计与应用

随着计算机应用的不断推广,计算机应用系统的规模越来越大,系统的复杂度也越来越高,为了降低软件系统开发技术风险,人们开始专注软件系统架构的应用研究。为了解决电厂安全生产管理的信息化和作业过程管控,以及系统集成、信息异构和数据整合所存在的一些问题,提出一种基于SOA和ESB的分布多层软件架构解决方案,构建了电厂安全管控系统,实现电厂安全生产管理的信息化和作业过程管理,为企业提供系统集成异构和应用业务扩展开发的技术平台。     

一种安全操作系统风险评估模型

针对安全操作系统风险管理难以进行定量评判的问题,提出一种适用于安全操作系统风险等级定量评估的模型。通过引入风险矩阵法,将信息安全风险评估归纳为以专家矩阵、Borda法则和层次分析法为评估流程的风险等级评估模型,实现安全操作系统风险等级的定量评估,增强评估操作系统风险等级的客观性。通过实例应用对评估模型进行验证,结果表明该模型能有效评估出安全操作系统的风险等级。     

计算机网络系统安全维护策略探析

近年来,我国计算机网络技术的发展日新月异,软件研发工作日益增加,计算机智能化程度越来越高,整体性能取得较大的进步。因此,人们越来越依赖计算机网络技术,倾向于通过计算机网络系统来获取信息及发表自身的意见及看法。计算机网络系统为人们的日常生活、平时工作及资料学习提供较多的便利,但网络系统在运行过程中,也面临着一定的风险,存在一些安全问题。本文分析了对计算机网络系统进行安全维护的重要意义,进一步探讨威胁计算机网络系统安全的主要因素,提出一些维护策略及操作方式以供参考,以期为计算机系统网络安全做出一定的贡献。     

工控设备的安全保密风险评估实践

近期披露的信息安全事件表明,工控系统已经成为国外信息安全攻击的主要目标,必须加强工控系统的信息安全防护。工控系统与办公系统不同,系统中使用智能设备、嵌入式操作系统和各种专用协议,尤其是智能设备具有集成度高、行业性强、内核不对外开放、数据交互接口无法进行技术管控等特点,工控系统的安全风险评估方法、标准还在不断探索中。本文介绍工控设备安全保密风险评估模型和评估流程,以数控设备840D为例,进行工控设备的安全保密风险评估,围绕工控设备全生命周期给出了安全保密防护和检测的建议。     

分布式虚拟陷阱网络的设计与实现

目前大部分安全技术被设计用来阻止未授权的可疑行为获取资源,同时案例工具是作为一种防御措施被布置,所以它们对网络的保护有限。本文在分析国内外研究现状的基础上,针对现有网络安全工具在入侵检测以及防护等方面的不足,设计和实现了分布式虚拟陷阱系统。该系统所分布的代理由混合Honeynet和低交互的Honeypot构成,降低了Hooneypot固有的风险,增加了模拟的真实性,弥补了现有各类Homeypot的不足。系统作为一种动态安全防御机制,可以有效地提高大规模网络的錾体安全性,是传统童例机制的有力补充．     

基于STAMP模型的风险评估行为安全指标体系

现有的风险评估方法与模型在设计上未充分考虑风险评估行为本身对评估结果的影响,对风险评估的行为可能引入安全性风险的认识也存在较大不足。针对这个问题,首先建立风险评估行为STAMP模型,使用STPA分析方法对风险评估行为进行安全性分析,利用STAMP模型构建风险评估行为安全指标体系,并采用改进AHP方法筛选出重要指标因素。所提出的安全指标体系关注系统整体的涌现性而非单个组件的可靠性,根据造成系统安全事故发生或进入危险状态的原因,提供一种能够更加有效的构建安全指标体系的思路。     

煤矿安全风险防控及预警系统设计

针对目前煤矿安全风险防控缺乏体系化、时效性差、被动响应等问题,设计了一种煤矿安全风险防控及预警系统。该系统以煤矿安全风险库为基础,利用风险地图实现风险状态变化各环节的动态监视;根据异常事件等级进行分级消息推送及现场异常联动处置,提高了异常事件响应及处置效率;利用安全网格细化风险防控的空间粒度,实现安全网格-作业区域-全矿的安全指数及安全等级评估,有效落实了各级安全管理层的主体责任。该系统有助于煤矿建立全方位、多重安全风险分级防控体系,有效提升了煤矿安全生产保障能力。     

Risk assessment and resilience of critical communication infrastructure in railways

This paper discusses the significant findings of an extended risk assessment of the key communication infrastructure used in emergency communication in railways in Norway. The initial risk assessment was performed in 2008. Resilience was explored as a strategy in the risk assessment to improve safety, security, and quality of service. We have reviewed the results in 2010, documenting mitigating actions and the effect of the actions. In addition, the development of safety and security culture has been evaluated. The risk assessment was based on a socio-technical approach, which considers technical, organizational, and human factors. Action research was used as a method to improve the scope and commitment of the risk assessment. It is suggested that organizational collaboration supported by the action research approach has aided in prioritizing the key mitigating actions, based on improved understanding and commitment. The high stability of the GSM-R system has supported safety of operations in the period. One of the identified unwanted incidents occurred in 2010 and gave credibility to the risk assessment. The risk assessment process seems to have sustained the safety and security culture and improved the knowledge of emergency response supporting resilience. The resilience of the total system seems to have been improved. The main contributions of this article are the empirical results of a risk assessment extended with resilience and suggested indicators related to resilience. In addition, it is suggested that exploration of resilience and action research improves the quality and effect of the risk assessment. Risk assessments in a complex setting with uncertainty should explore resilience as a strategy and explore action research to improve understanding and learning among the stakeholders.     

Risk perception of construction equipment operators on construction sites of Turkey

Turkey has been an attractive country for construction industry in the last decade. Many large-scale construction projects, which have been realized by both international and local construction firms, helped the economy and provided employment opportunities for many. At the same time, many construction workers have been losing their lives on construction sites, which involve the usage of heavy equipment on a daily basis.Past research studies suggest that employee participation and their perception of safety risks could be valuable for determining and eliminating hazards on construction site. Therefore, this study aimed to determine and evaluate the risk perception of construction equipment operators in Turkey. The study is mainly based on a questionnaire survey performed in 51 construction projects that involved 198 heavy equipment operators. A statistical analysis was first performed on the results of the survey to observe the frequency distribution of parameters, such as safety and health training, using flagger, experience, type of equipment, working conditions and other project related data. Then, statistical methods such as, t-test, ANOVA analysis, Kruskall–Wallis one way analysis of variance, and Mann–Whitney U test were performed to seek statistically meaningful differences in risk perception of operator groups with different attributes.Results revealed the importance of safety and health training as well as working with an assistant, such as a flagger. It was observed that operators who took safety and health training and operators who worked with flaggers perceived risk differently than others. It was also found that the project type influences the risk perception of equipment operators due to diversity of construction equipment activities performed, as well as number of incidents occurred in those projects.Relevance to industryThe authors expect this research to lead to discussion and further research on risk assessment for construction industry. The risk assessment findings of this study, in particular, could help the safety professionals detect possible unforeseen risks and design safety and health plans for construction sites that require usage of heavy equipment on a daily basis. Heavy equipment manufacturers could also devise a similar research that involves operators’ risk perception to design more ergonomic and safe equipment.     

基于风险因子的信息安全风险评估方法研究

为了减少主观性和客观性因素对于信息安全风险评估的影响,研究了信息安全风险评估的一些主流方法.参考风险评估的基本要素的定义,提出了风险因子的概念和基本要素.对风险因子的基本要素进行了定义和解释说明,设计了一种基于风险因子的风险评估模型.该模型将系统风险分解为若干风险因子,由专家对风险因子的基本要素进行评价,计算出风险因子的风险度.对风险度进行二次模糊化后构造隶属举证,并运用熵系数法求出各个风险因子的权重,进而计算出风险等级.最后给出一个实例证明了模型的科学性和合理性.     

信息系统风险评估方法的研究

在信息安全领域,风险评估是建立信息系统安全体系的基础和前提,而风险评估方法对评估的有效性起着举足轻重的作用.风险评估方法有很多种,每种方法都有其不足之处.设计的风险评估方法采用威胁树模型和层次分析法相结合的方式,利用两种评估方法的优势,弥补了单一风险评估方法的不足,旨在探讨一种更有效、更合理、更准确的风险评估方法.     

The development of audit detection risk assessment system: Using the fuzzy theory and audit risk model

The result of audit designation is significantly influenced by the audit evidence collected when planning the audit and the amount of audit evidence depends on the degree of detection risk. Therefore, when the assessment factors of detection risk are more objective and correct, audit costs and the risk of audit failure can be reduced. Thus, the aim of this paper is to design an audit detection risk assessment system that could more precisely assess detection risk, comparing with the traditional determination method of detection risk in order to increase the audit quality and reduce the possibility of audit failure. First of all, the grounded theory is used to reorganize 53 factors affecting detection risk mentioned in literatures and then employed the Delphi method to screen the 43 critical risk factors agreed upon by empirical audit experts. In addition, using the fuzzy theory and audit risk model to calculate the degree of detection risk allow the audit staff to further determine the amount of audit evidence collected and set up initial audit strategies and construct the audit detection risk assessment system. Finally, we considered a case study to evaluate the system in terms of its feasibility and validity.     

基于PRA方法风险评价系统的设计与研究*

针对动态系统安全性分析的需要,设计并实现了一个新的风险评价系统.该系统在PRA方法的基础上,在风险评估过程中综合运用多种动态系统的安全性建模和危险分析技术,能够较好地适应动态系统风险评估的需求.