
Information security risk analysis model considering costs and factors relevance
Citation: ZHAO Gang, GONG Yi-shan, WANG Da-li. Information security risk analysis model considering costs and factors relevance[J]. Journal of Shenyang University of Technology, 2015, 37(1): 69-74.
Authors: ZHAO Gang; GONG Yi-shan; WANG Da-li
Affiliation: School of Information Management, Beijing Information Science and Technology University, Beijing 100192, China
Funding: National "Twelfth Five-Year" Science and Technology Support Program (2012BAH08B02); National Natural Science Foundation of China (61272513); Beijing Natural Science Foundation (4132011)
Abstract: A risk analysis model for information security risk assessment is proposed that considers both the relationships among risk factors and the effect and cost of controls. Compared with existing research, the proposed model not only fully considers the interrelations between risk factors such as threats and vulnerabilities, but also focuses on the influence of controls on those risk factors, and takes into account the cost of controls during risk treatment. It thereby provides a more objective and accurate risk analysis method for risk assessment and an effective strategy for control selection and optimization. Case analysis results show that the multi-objective decision-making risk analysis model can effectively quantify the influence relationships among risk assessment factors, provide an objective and accurate priority ranking of controls according to their effectiveness and reasonable cost, and improve the accuracy of risk assessment, thus providing a scientific basis for decision making in information security risk management.

Keywords: risk assessment; interrelation of risk factors; control selection; cost; multi-objective decision making; information security; decision making trial and evaluation laboratory (DEMATEL); technique for order preference by similarity to ideal solution (TOPSIS)
This article is indexed in CNKI, Wanfang Data and other databases.