20 similar documents found (search time 31 ms)
1.
To address two problems in existing enterprise security risk management, the lack of quantitative means for formulating risk treatment plans and selecting management measures, and the excessive time consumed by manual risk analysis, an information security risk management method based on Markov logic networks is proposed. First, a Markov logic network is used to describe the dependencies among the components and services of the system under evaluation; then the marginal inference model of the Markov logic network is used to estimate the system availability value under different security management measures, which provides a quantitative basis for choosing among those measures. A case study shows that the method provides a reliable quantitative basis for selecting security risk management measures for enterprise information systems and is simple to implement.
2.
Expected benefits of information security investments   Cited by: 1 (self-citations: 0, citations by others: 1)
Ideally, decisions concerning investments of scarce resources in new or additional procedures and technologies that are expected to enhance information security will be informed by quantitative analyses. But security is notoriously hard to quantify, since absence of activity challenges us to establish whether lack of successful attacks is the result of good security or merely due to good luck. However, viewing security as the inverse of risk enables us to use computations of expected loss to develop a quantitative approach to measuring gains in security by measuring decreases in risk. In using such an approach, making decisions concerning investments in information security requires calculation of net benefits expected to result from the investment. Unfortunately, little data are available upon which to base an estimate of the probabilities required for developing the expected losses. This paper develops a mathematical approach to risk management based on Kaplan–Meier and Nelson–Aalen non-parametric estimators of the probability distributions needed for using the resulting quantitative risk management tools. Differences between the integrals of these estimators evaluated for enhanced and control groups of systems in an information infrastructure provide a metric for measuring increased security. When combined with an appropriate value function, the expected losses can be calculated and investments evaluated quantitatively in terms of actual enhancements to security.
3.
Information security risk assessment based on the fuzzy analytic hierarchy process   Cited by: 6 (self-citations: 1, citations by others: 6)
Based on fuzzy decision theory, a method is proposed that combines triangular fuzzy numbers with the analytic hierarchy process (AHP) to quantitatively assess information security risk. On the basis of a hierarchical structure model of information security risk factors, triangular fuzzy numbers are used to represent the judgments of information security experts, and a possibility-degree-based ranking method for fuzzy complementary judgment matrices is used to rank the risk factors by importance. This determines the relative weight coefficients of the risk factors at each level and their overall absolute weight coefficients, providing a basis for information security risk management decisions and security engineering. Finally, an example illustrates the application of the algorithm.
4.
Information system security risk assessment methods fall mainly into qualitative and quantitative methods. This paper introduces three commonly used quantitative risk assessment methods and, by analysing the characteristics, operability, feasibility and application domains of each, guides enterprises and organisations in choosing a security risk assessment method suited to the characteristics of their own information systems. Relying on the assessment results, enterprises and organisations can accurately position their risk management strategies, practices and tools, focus security activities on the important issues, and select low-cost, high-benefit, applicable security countermeasures.
5.
Risk evaluation of virtual enterprises based on the stochastic analytic hierarchy process   Cited by: 1 (self-citations: 0, citations by others: 1)
Analysing the hierarchical structure of virtual-enterprise risk factors and the uncertainty in their quantitative evaluation, a stochastic analytic hierarchy process (SAHP) is designed to evaluate such risk. In the SAHP, the uncertainty in the expert consultation process is described by random variables, yielding a stochastic judgment matrix; stochastic simulation is then applied to obtain estimates of the elements of that matrix. The SAHP is applied in an empirical analysis of the risk evaluation of three candidate formation schemes for a virtual enterprise, showing that the method is a scientific and feasible approach to selecting the optimal scheme in multi-criteria problems under uncertainty.
6.
Starting from the principles of information security risk assessment and the current state of research, an information security risk assessment method based on the analytic hierarchy process (AHP) and fuzzy comprehensive evaluation is proposed, resolving the difficulty of quantitatively evaluating qualitative indicators in risk assessment. Finally, an example is given which shows that the method can be applied effectively to information security risk assessment.
7.
The assessment of expertise is vital both in practical situations that call for expert judgment and in theoretical research on the psychology of experts. It can be difficult, however, to determine whether a judge is in fact performing expertly. Our goal was to develop an empirical measure of expert judgment. We argue that two necessary characteristics of expertise are discrimination of the various stimuli in the domain and consistent treatment of similar stimuli. We combine measures of these characteristics to form a ratio we call the Cochran-Weiss-Shanteau (CWS) index of expertise. The proposed index was demonstrated using two studies that distinguished experts from nonexperts based on their judgmental performance. The index provides new insights into expertise and offers a partial definition of expertise that may be useful in a variety of theoretical and applied settings. Potential applications of this research include selection, training, and evaluation of experts and of expert-machine systems.
8.
9.
10.
To improve organisational safety and enhance security efficiency, organisations seek to establish a culture of security that provides a foundation for how employees should approach security. There are several frameworks and models that provide a set of requirements for forming security cultures; however, for many organisations, the requirements of the frameworks are difficult to meet, if not impossible. In this research, we take a different perspective and focus on the core underlying competencies that high-reliability organisations (HROs) have shown to be effective in achieving levels of risk tolerance consistent with the goals of a security culture. In doing so we draw on high-reliability theory to develop a Security Culture Model that explains how a firm's supportive and practical competencies form its organisational security culture. To refine and test the model, we conducted a developmental mixed-method study using interviews and survey data with professional managers involved in the information security (InfoSec) programs within their respective HROs. Our findings emphasise the importance of an organisation's supportive and practical competencies for developing a culture of security. Our results suggest that organisations' security cultures are a product of their InfoSec practices and that organisational mindfulness, top management involvement and organisational structure are key to the development of those practices.
11.
This paper focuses on information security auditing within IT auditing, classifying information security audit techniques by audit perspective and by implementation technique and comparing the different implementation approaches. Finally, an approach to implementing a comprehensive audit system is proposed, offering a practical way to combine different products to realise internal enterprise information security auditing in practice.
12.
13.
Most of the research in the area of expert finding focuses on creating and maintaining centralized directories of experts' profiles, which users can search on demand. However, in a distributed multiagent-based software environment, the autonomous agents are free to develop expert models or model fragments for their own purposes and from their viewpoints. Therefore, the focus of expert finding is shifting from collecting at one place as much data about an expert as possible to accessing on demand from various agents whatever user information is available at the moment and interpreting it for a particular purpose. This paper outlines purpose-based expert modeling as an approach for finding an expert in a multiagent portfolio management system in which autonomous agents develop expert agent models independently and do not adhere to a common representation scheme. This approach aims to develop a taxonomy of purposes that define a variety of context-dependent user modeling processes, which are used by the users' personal agents to find appropriate expert agents to advise users on investing strategies.
14.
With the proliferation of mobile devices and the growing necessity for gender information in personalized intelligent systems, gender prediction of mobile users has become an important research issue. Text data in mobile devices are known to have high discriminative power for gender, but transmitting those data to the outside of a device has a security risk and raises a privacy concern of users. This study introduces an on-device gender prediction framework in which the entire data analysis is performed inside the device, minimizing the privacy risk. To cope with the resource limitation of mobile devices, the gender of a user is predicted by matching the user's mobile text data against gender-representative word sets, which are constructed from web documents using a word evaluation measure. Experiments conducted on real-world datasets confirmed the effectiveness of the proposed framework and showed that not only the discriminability of a word but also its popularity should be considered for on-device gender prediction. The proposed framework is simple yet powerful for gender prediction, and its low computational complexity and high prediction performance make its practical application to various expert and intelligent systems possible.
15.
A practical approach to enterprise IT security   Cited by: 1 (self-citations: 0, citations by others: 1)
IT Professional, 2001, 3(5):35-42
As the Internet has matured, so have the threats to its safe use, and so must the security measures that enable its business use. Traditional piecemeal, single-layer, single-dimensional security approaches are no longer adequate. These approaches can create a false sense of security and create as many problems as they attempt to address. We propose a multifaceted framework to prevent, detect, and respond to ever more sophisticated threats to enterprise IT information and assets. We outline a practical implementation approach to building enterprise IT security mechanisms in an incremental and continuous fashion. We believe that enterprises should adopt a similar multifaceted framework, following a practical but disciplined implementation approach. Enterprises must treat IT security as a required business enabler rather than just a costly item with low priority.
16.
Effectively identifying the sensitive data of commercial banks and analysing the leakage risks such data may face during transmission and storage is extremely important for formulating targeted data security protection strategies. On the basis of a thorough survey of the information systems of China's commercial banks, this paper proposes a security-target-oriented method for identifying sensitive data, which classifies and identifies the sensitive data that commercial banks should protect as a priority. Using a full-lifecycle approach to information risk prevention and control, it analyses the risk of sensitive data leakage that banking systems may face during operation as a result of insufficient design consideration during development. Combining regulatory requirements, banking-industry management standards and the actual situation of banking institutions, it offers recommendations for protecting and controlling sensitive data in commercial banks, laying the necessary foundation for commercial banks to establish management systems and measures for sensitive data security protection and control.
17.
On the basis of an analysis of the factors that influence information security risk, this paper constructs a hierarchical structure model for information security risk analysis and proposes a method of quantitative risk analysis using the fuzzy analytic hierarchy process (Fuzzy-AHP). The method uses triangular fuzzy numbers to represent the group-decision judgment matrices for the various information security risk factors and processes the expert judgments with the analytic hierarchy process, providing more reasonable data for decision-making.
18.
王璐 (Wang Lu), 《网络安全技术与应用》 (Network Security Technology & Application), 2014, (3):143-144
This paper thoroughly analyses the problems in the information security management system for classified computers, studies and formulates protective measures for the information security management system with reference to the relevant system security protection standards, and proposes a method for applying a new information security management system in a land and resources bureau. Verification through actual work demonstrates the security and effectiveness of the information security management system and provides a reference for future work.
19.
Information security risk assessment based on extension sets   Cited by: 1 (self-citations: 0, citations by others: 1)
To address the complex relationships among risk elements and the difficulty of accurately measuring evaluation factors in information security risk assessment, this paper organises the risk elements around threats, builds a risk assessment model and implements a risk evaluation method based on extension sets. The model uses assets, vulnerabilities and controls to evaluate the likelihood and consequences of threats and presents the hierarchical structure of system risk. Based on this model, the extension-set method converts qualitative expressions of the evaluation factors into intervals and uses interval correlation functions to transform qualitative values into quantitative ones; it then makes a qualitative judgment of system risk from the quantitative vector of risk correlation degrees, thereby combining qualitative and quantitative assessment of system risk. A concrete case analysis shows the feasibility and effectiveness of the method.
20.
Information Security Journal: A Global Perspective, 2013, 22(4-6):177-184
ABSTRACT To protect the information assets of any organization, management must rely on accurate information security risk management. Management must assess the risk to the organization's assets and then develop information security strategies to reduce the risks. This assessment is difficult because of rapidly changing technology and new threats that are frequently being discovered. Research to address methods associated with information security risk management includes quantitative and qualitative methods. More comprehensive approaches combine both the quantitative and qualitative methods. This paper argues that current methods of information security assessment are flawed because management decisions regarding information security are often based on heuristics and optimistic perceptions.