Similar literature (20 results)
1.
Current enterprise security risk management lacks quantitative means for drafting risk treatment plans and choosing management measures, and manual risk analysis takes too long. To address this, an information security risk management method based on Markov logic networks is proposed. A Markov logic network is first used to describe the dependencies between the components and services of the assessed system; the network's marginal inference model is then used to estimate system availability under different security management measures, giving a quantitative basis for choosing among them. A case study shows that the method provides a reliable quantitative basis for selecting security risk management measures for enterprise information systems and is simple to implement.

2.
Expected benefits of information security investments   Total citations: 1 (self: 0, others: 1)
Ideally, decisions concerning investments of scarce resources in new or additional procedures and technologies that are expected to enhance information security will be informed by quantitative analyses. But security is notoriously hard to quantify, since the absence of activity challenges us to establish whether a lack of successful attacks is the result of good security or merely of good luck. However, viewing security as the inverse of risk enables us to use computations of expected loss to develop a quantitative approach to measuring gains in security by measuring decreases in risk. Under such an approach, making decisions concerning investments in information security requires calculation of the net benefits expected to result from the investment. Unfortunately, little data are available upon which to base an estimate of the probabilities required for developing the expected losses. This paper develops a mathematical approach to risk management based on Kaplan–Meier and Nelson–Aalen non-parametric estimators of the probability distributions needed for the resulting quantitative risk management tools. Differences between the integrals of these estimators, evaluated for enhanced and control groups of systems in an information infrastructure, provide a metric for measuring increased security. When combined with an appropriate value function, the expected losses can be calculated and investments evaluated quantitatively in terms of actual enhancements to security.
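The estimator comparison described in this abstract, worked through on constructed data (this is an added example, not code from the paper): six systems per group are watched for 40 days, a system that is compromised is an event, a system still clean when observation stops is right-censored. The Kaplan–Meier survival curve gives P(not yet compromised by day t), the Nelson–Aalen curve the cumulative hazard, and the difference of the integrated survival curves over the horizon (extra uncompromised days per system) is the security-gain metric. The constant loss-per-compromise value function is an assumption of this example; the paper's value function is not specified here.

```python
"""Added example: Kaplan-Meier / Nelson-Aalen estimates for two groups of systems.

Times and outcomes below are constructed for illustration. An 'event' is an
observed successful compromise of a system; a system that was still
uncompromised when observation stopped is right-censored.
"""
from dataclasses import dataclass
from typing import List, Tuple

Step = Tuple[float, float]  # (time, value) of a right-continuous step function


@dataclass(frozen=True)
class Observation:
    time: float        # days until compromise, or until observation ended
    compromised: bool  # True = compromise observed, False = right-censored


def _at_risk_and_events(obs: List[Observation], t: float) -> Tuple[int, int]:
    # n_i: systems still under observation just before t (censored ones count
    # until they leave); d_i: compromises observed exactly at t.
    at_risk = sum(1 for o in obs if o.time >= t)
    events = sum(1 for o in obs if o.compromised and o.time == t)
    return at_risk, events


def kaplan_meier(obs: List[Observation]) -> List[Step]:
    """Survival S(t) = prod over compromise times t_i <= t of (1 - d_i / n_i)."""
    steps: List[Step] = [(0.0, 1.0)]
    s = 1.0
    for t in sorted({o.time for o in obs if o.compromised}):
        n, d = _at_risk_and_events(obs, t)
        s *= 1.0 - d / n
        steps.append((t, s))
    return steps


def nelson_aalen(obs: List[Observation]) -> List[Step]:
    """Cumulative hazard H(t) = sum over compromise times t_i <= t of d_i / n_i."""
    steps: List[Step] = [(0.0, 0.0)]
    h = 0.0
    for t in sorted({o.time for o in obs if o.compromised}):
        n, d = _at_risk_and_events(obs, t)
        h += d / n
        steps.append((t, h))
    return steps


def value_at(steps: List[Step], t: float) -> float:
    """Value of the step function at time t (last step whose time is <= t)."""
    value = steps[0][1]
    for ti, vi in steps:
        if ti <= t:
            value = vi
        else:
            break
    return value


def integrate(steps: List[Step], horizon: float) -> float:
    """Area under the step function on [0, horizon]. For a survival curve this
    is the restricted mean time-to-compromise (uncompromised days per system)."""
    area = 0.0
    for (t0, v0), (t1, _) in zip(steps, steps[1:]):
        if t0 >= horizon:
            break
        area += v0 * (min(t1, horizon) - t0)
    last_t, last_v = steps[-1]
    if last_t < horizon:
        area += last_v * (horizon - last_t)
    return area


def security_gain(enhanced: List[Observation], control: List[Observation],
                  horizon: float) -> float:
    """Difference of the integrated survival curves: extra uncompromised days
    per system that the enhancement bought within the horizon."""
    return (integrate(kaplan_meier(enhanced), horizon)
            - integrate(kaplan_meier(control), horizon))


def expected_loss(obs: List[Observation], horizon: float,
                  loss_per_compromise: float) -> float:
    """Assumed value function: a constant loss per compromise, so the expected
    loss per system over the horizon is loss * (1 - S(horizon))."""
    return loss_per_compromise * (1.0 - value_at(kaplan_meier(obs), horizon))


# Constructed sample: six systems per group observed for 40 days.
CONTROL = [Observation(10, True), Observation(20, True), Observation(30, True),
           Observation(40, False), Observation(40, False), Observation(40, False)]
ENHANCED = [Observation(30, True)] + [Observation(40, False)] * 5

if __name__ == "__main__":
    print("gain (uncompromised days/system):", round(security_gain(ENHANCED, CONTROL, 40.0), 2))
    for name, group in (("control", CONTROL), ("enhanced", ENHANCED)):
        print(name, "S(40) =", round(value_at(kaplan_meier(group), 40.0), 3),
              "H(40) =", round(value_at(nelson_aalen(group), 40.0), 3),
              "expected loss =", round(expected_loss(group, 40.0, 100_000.0), 2))
```

With the sample data the control group keeps 30 uncompromised days per system over the 40-day horizon and the enhanced group 38.3, so the enhancement is worth 8.3 days per system; with a 100,000 loss per compromise the expected loss per system falls from 50,000 to 16,667. Censoring matters: treating the still-clean systems as "no data" and dropping them would overstate the compromise probability in both groups.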

3.
Information security risk assessment based on fuzzy AHP   Total citations: 6 (self: 1, others: 6)
Based on fuzzy decision theory, a method combining triangular fuzzy numbers with the analytic hierarchy process (AHP) is proposed for quantitatively assessing information security risk. On top of a hierarchical model of information security risk factors, expert judgements are expressed as triangular fuzzy numbers, and a possibility-degree-based ranking method for fuzzy complementary judgement matrices orders the risk factors by importance. This yields the relative weights of the risk factors at each level and their global absolute weights, giving a basis for information security risk management decisions and security engineering. A worked example illustrates the algorithm.

4.
Information system security risk assessment methods divide into qualitative and quantitative methods. Three commonly used quantitative risk assessment methods are introduced, and the characteristics, operability, feasibility and application domains of each are analysed, to guide enterprises and organisations in choosing the security risk assessment method suited to their own information systems. Using the assessment results, an organisation can position its risk management strategy, practices and tools accurately, focus security activity on the important problems, and choose low-cost, high-benefit, applicable countermeasures.

5.
Virtual enterprise risk evaluation based on stochastic AHP   Total citations: 1 (self: 0, others: 1)
The hierarchical structure of virtual enterprise risk factors and the uncertainty in their quantitative evaluation are analysed, and a stochastic analytic hierarchy process (SAHP) is designed to evaluate the risk. In SAHP the uncertainty in the expert consultation process is described by random variables, giving a stochastic judgement matrix, and stochastic simulation is then used to estimate the elements of that matrix. SAHP is applied in an empirical risk evaluation of three candidate formation plans for a virtual enterprise, showing that it is a scientific and feasible method for choosing the best plan in multi-criteria problems under uncertainty.

6.
Information security risk assessment based on AHP and fuzzy comprehensive evaluation   Total citations: 5 (self: 2, others: 5)
Starting from the principles of information security risk assessment and the state of research, a risk assessment method based on the analytic hierarchy process (AHP) and fuzzy comprehensive evaluation is proposed, which addresses the difficulty of evaluating qualitative indicators quantitatively. A worked example shows that the method can be applied effectively to information security risk assessment.

7.
Weiss DJ  Shanteau J 《Human factors》2003,45(1):104-116
The assessment of expertise is vital both in practical situations that call for expert judgment and in theoretical research on the psychology of experts. It can be difficult, however, to determine whether a judge is in fact performing expertly. Our goal was to develop an empirical measure of expert judgment. We argue that two necessary characteristics of expertise are discrimination of the various stimuli in the domain and consistent treatment of similar stimuli. We combine measures of these characteristics to form a ratio we call the Cochran-Weiss-Shanteau (CWS) index of expertise. The proposed index was demonstrated using two studies that distinguished experts from nonexperts based on their judgmental performance. The index provides new insights into expertise and offers a partial definition of expertise that may be useful in a variety of theoretical and applied settings. Potential applications of this research include selection, training, and evaluation of experts and of expert-machine systems.

8.
Research on expert system technology for information security risk assessment   Total citations: 7 (self: 2, others: 5)
To strengthen national defence information security assurance and overcome the limitation of current risk assessment, which merely accumulates single-point evaluations, results from risk assessment and artificial intelligence research are combined and a method applying expert system technology to comprehensive risk evaluation is proposed. Rule-based expert system technology is introduced: evaluation criteria are converted into rules held in a knowledge base; once field-collected data have been turned into facts, a knowledge selection algorithm invokes the rules and carries out the inference. Building on asset-level risk evaluation, the approach achieves a comprehensive assessment of the security risk of information systems within a security domain, and through real-time monitoring and comparative analysis it starts the inference engine when needed, automating the comprehensive assessment process.

9.
冷强, 杨英杰, 胡浩. Computer Science (计算机科学), 2018, 45(12):98-103
Information asset evaluation is one of the important research topics in information security risk assessment. Asset evaluation currently relies mainly on a quantification method that combines expert assessments with expert weights, but in practice this raises the problem of how to set the expert weights scientifically so that widely deviating opinions do not distort the overall result. To address it, an evaluation method is proposed in which expert weights are adjusted adaptively according to each expert's degree of deviation, which reasonably reduces the influence of anomalous, subjectively given assessment values. The algorithm is implemented and its effectiveness is verified experimentally; the results show that the method reasonably reduces the effect of anomalous values on the assessment.
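One concrete way to down-weight an expert by deviation, as an added example (this is not the paper's algorithm, whose weight-adjustment formula is not given here): the consensus is the median of the scores, each expert's deviation from it is scaled by the median absolute deviation, and the expert's prior weight is multiplied by a Gaussian kernel of that scaled deviation. The five scores, the 1..10 scale, the 1.4826 MAD rescaling and the cutoff of 3 for flagging an expert are all assumptions of this example.

```python
"""Added example: adaptive expert weighting by deviation from the group consensus.

The weighting rule is an illustrative robust-statistics scheme (median / MAD
scaling with a Gaussian down-weighting kernel), not the paper's own formula.
Scores are constructed: five experts rating one asset on a 1..10 scale.
"""
import math
import statistics
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class AssetAssessment:
    estimate: float        # weighted asset value
    weights: List[float]   # final per-expert weights, sum to 1
    z_scores: List[float]  # robust deviation of each expert from the consensus
    flagged: List[int]     # indices of experts whose deviation exceeds the cutoff


def assess_asset(scores: List[float], prior_weights: Optional[List[float]] = None,
                 cutoff: float = 3.0) -> AssetAssessment:
    """Weight each expert by closeness to the robust consensus.

    1. consensus = median of the scores (a single outlier cannot drag it);
    2. scale = 1.4826 * MAD: the median absolute deviation rescaled so that it
       estimates a standard deviation when opinions are normally spread;
    3. z_i = |x_i - consensus| / scale, adaptive factor exp(-z_i^2 / 2);
    4. weight_i = prior_i * factor_i, normalised to sum to 1.
    """
    n = len(scores)
    prior = prior_weights if prior_weights is not None else [1.0] * n
    if len(prior) != n or any(p < 0 for p in prior) or sum(prior) == 0:
        raise ValueError("prior_weights must be non-negative, one per expert, not all zero")
    consensus = statistics.median(scores)
    devs = [abs(x - consensus) for x in scores]
    mad = statistics.median(devs)
    # MAD is 0 when more than half the experts agree exactly; fall back to the
    # mean absolute deviation, and to the prior weights if every expert agrees.
    scale = 1.4826 * mad if mad > 0 else statistics.mean(devs)
    if scale == 0:
        weights = [p / sum(prior) for p in prior]
        estimate = sum(w * x for w, x in zip(weights, scores))
        return AssetAssessment(estimate, weights, [0.0] * n, [])
    z = [d / scale for d in devs]
    raw = [p * math.exp(-0.5 * zi * zi) for p, zi in zip(prior, z)]
    total = sum(raw)
    weights = [r / total for r in raw]
    estimate = sum(w * x for w, x in zip(weights, scores))
    flagged = [i for i, zi in enumerate(z) if zi > cutoff]
    return AssetAssessment(estimate, weights, z, flagged)


SCORES = [7.0, 8.0, 8.0, 7.5, 2.0]  # constructed: expert index 4 is far from the others

if __name__ == "__main__":
    r = assess_asset(SCORES)
    print("equal-weight mean:", statistics.mean(SCORES))
    print("deviation-weighted estimate:", round(r.estimate, 3))
    print("weights:", [round(w, 3) for w in r.weights], "flagged experts:", r.flagged)
```

On the sample scores the equal-weight mean is 6.5, dragged down by the single score of 2; the deviation-weighted estimate is about 7.6 and the outlying expert's weight is effectively zero. The scheme keeps a prior weight (seniority, track record) and only multiplies it by the deviation factor, so a senior expert who disagrees is attenuated rather than discarded; flagged experts should be reviewed, not silently dropped, since the minority can be the one that is right.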

10.
To improve organisational safety and enhance security efficiency, organisations seek to establish a culture of security that provides a foundation for how employees should approach security. There are several frameworks and models that provide a set of requirements for forming security cultures; however, for many organisations, the requirements of the frameworks are difficult to meet, if not impossible. In this research, we take a different perspective and focus on the core underlying competencies that high-reliability organisations (HROs) have shown to be effective in achieving levels of risk tolerance consistent with the goals of a security culture. In doing so we draw on high-reliability theory to develop a Security Culture Model that explains how a firm's supportive and practical competencies form its organisational security culture. To refine and test the model, we conducted a developmental mixed-method study using interviews and survey data with professional managers involved in the information security (InfoSec) programs within their respective HROs. Our findings emphasise the importance of an organisation's supportive and practical competencies for developing a culture of security. Our results suggest that organisations' security cultures are a product of their InfoSec practices and that organisational mindfulness, top management involvement and organisational structure are key to the development of those practices.

11.
杨杰. Computer Security (计算机安全), 2010, (10):18-21
This paper concentrates on information security auditing within IT auditing. Information security audit techniques are classified by audit perspective and by implementation technology, and the different implementations are compared. Finally a way of building a comprehensive audit system is proposed, giving a practical method for combining different products into an enterprise-internal information security audit.

12.
As enterprise informatisation advances, enterprise data storage and information security problems become more prominent, and the security of enterprise-grade databases has become a new research focus. Addressing database security problems such as tampering and forgery of enterprise data, this paper modifies the AES encryption algorithm and proposes a database encryption strategy intended to improve the security of enterprise-grade databases. The modified algorithm is tested against a real database system, and the authors report a marked encryption effect.

13.
Most of the research in the area of expert finding focuses on creating and maintaining centralized directories of experts' profiles, which users can search on demand. However, in a distributed multiagent-based software environment, the autonomous agents are free to develop expert models or model fragments for their own purposes and from their own viewpoints. Therefore, the focus of expert finding is shifting from collecting in one place as much data about an expert as possible to accessing on demand, from various agents, whatever user information is available at the moment and interpreting it for a particular purpose. This paper outlines purpose-based expert modeling as an approach for finding an expert in a multiagent portfolio management system in which autonomous agents develop expert agent models independently and do not adhere to a common representation scheme. The approach aims to develop a taxonomy of purposes that define a variety of context-dependent user modeling processes, which are used by users' personal agents to find appropriate expert agents to advise users on investing strategies.

14.
With the proliferation of mobile devices and the growing need for gender information in personalized intelligent systems, gender prediction of mobile users has become an important research issue. Text data on mobile devices are known to have high discriminative power for gender, but transmitting those data off the device carries a security risk and raises privacy concerns for users. This study introduces an on-device gender prediction framework in which the entire data analysis is performed inside the device, minimizing the privacy risk. To cope with the resource limits of mobile devices, a user's gender is predicted by matching the user's mobile text data against gender-representative word sets constructed from web documents using a word evaluation measure. Experiments on real-world datasets confirmed the effectiveness of the proposed framework and showed that not only the discriminability of a word but also its popularity should be considered for on-device gender prediction. The framework is simple yet powerful for gender prediction, and its low computational complexity and high prediction performance make practical application to various expert and intelligent systems possible.

15.
A practical approach to enterprise IT security   Total citations: 1 (self: 0, others: 1)
IT Professional, 2001, 3(5):35-42
As the Internet has matured, so have the threats to its safe use, and so must the security measures that enable its business use. Traditional piecemeal, single-layer, single-dimensional security approaches are no longer adequate. These approaches can create a false sense of security and create as many problems as they attempt to address. We propose a multifaceted framework to prevent, detect, and respond to ever more sophisticated threats to enterprise IT information and assets. We outline a practical implementation approach to building enterprise IT security mechanisms in an incremental and continuous fashion. We believe that enterprises should adopt a similar multifaceted framework, following a practical but disciplined implementation approach. Enterprises must treat IT security as a required business enabler rather than just a costly item with low priority.

16.
Identifying the sensitive data of commercial banks effectively and analysing the leakage risks that such data face in transmission, storage and other stages is essential for formulating targeted data security protection strategies. On the basis of a thorough survey of the information systems of Chinese commercial banks, a sensitive data identification method oriented to protection targets is proposed, which classifies and identifies the sensitive data a commercial bank should protect most. A whole-lifecycle information risk prevention and control approach is then used to analyse how insufficient design consideration during development of banking systems can expose sensitive data to leakage once the systems are in operation. Combining regulatory requirements, banking industry management norms and the actual situation of banking institutions, recommendations for protecting and controlling sensitive data in commercial banks are given, laying the groundwork for banks to establish management systems and measures for sensitive data protection.

17.
Research on the FAHP method in information security risk assessment   Total citations: 6 (self: 0, others: 6)
After analysing the factors that affect information security risk, a hierarchical model for information security risk analysis is constructed and a fuzzy analytic hierarchy process (Fuzzy-AHP) method for quantifying risk is proposed. The method uses triangular fuzzy numbers to represent the judgement matrices for the information security risk factors obtained through group decision-making, and processes the expert judgements with AHP, supplying more reasonable data for decision-making.
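The fuzzy-AHP procedure that items 3, 6 and 17 describe, worked through in code as an added example (this is not code from any of these papers): two experts give triangular fuzzy number (TFN) judgements on three top-level risk factors, the judgements are aggregated into a group matrix, fuzzy weights are derived, defuzzified and normalised, a consistency check is run on the modal crisp matrix, and the local weights of one factor's sub-factors are multiplied through to global (absolute) weights. The factor names, the experts' judgements, geometric-mean group aggregation, Buckley-style row-geometric-mean fuzzy weights and centroid defuzzification are assumptions of this example; item 3's possibility-degree ranking of fuzzy complementary judgement matrices is a different ranking step and is not reproduced here.

```python
"""Added example: group fuzzy AHP weights for information security risk factors.

Expert judgements and factor names are constructed. A triangular fuzzy number
(TFN) is (l, m, u) with l <= m <= u; m is the crisp Saaty scale value.
"""
import math
from typing import Dict, List, Sequence, Tuple

TFN = Tuple[float, float, float]
# Saaty random consistency index by matrix order (standard published values).
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12, 6: 1.24, 7: 1.32, 8: 1.41, 9: 1.45}


def reciprocal(a: TFN) -> TFN:
    l, m, u = a
    return (1.0 / u, 1.0 / m, 1.0 / l)


def fuzzy_matrix(n: int, upper: Dict[Tuple[int, int], TFN]) -> List[List[TFN]]:
    """Full n x n fuzzy judgement matrix from above-diagonal entries
    upper[(i, j)] = 'factor i compared with factor j' (i < j)."""
    mat = [[(1.0, 1.0, 1.0)] * n for _ in range(n)]
    for (i, j), a in upper.items():
        mat[i][j] = a
        mat[j][i] = reciprocal(a)
    return mat


def aggregate(matrices: Sequence[List[List[TFN]]]) -> List[List[TFN]]:
    """Group aggregation by component-wise geometric mean of the experts' TFNs
    (assumption of this example; the geometric mean keeps the matrix reciprocal)."""
    k, n = len(matrices), len(matrices[0])
    return [[tuple(math.prod(m[i][j][c] for m in matrices) ** (1.0 / k) for c in range(3))
             for j in range(n)] for i in range(n)]


def fuzzy_weights(mat: List[List[TFN]]) -> List[TFN]:
    """Buckley-style fuzzy weights: w_i = r_i (x) (sum_j r_j)^-1, with r_i the fuzzy
    geometric mean of row i and the fuzzy sum inverted component-wise (u and l swap)."""
    n = len(mat)
    r = [tuple(math.prod(a[c] for a in row) ** (1.0 / n) for c in range(3)) for row in mat]
    sum_l, sum_m, sum_u = (sum(x[c] for x in r) for c in range(3))
    return [(x[0] / sum_u, x[1] / sum_m, x[2] / sum_l) for x in r]


def crisp_weights(mat: List[List[TFN]]) -> List[float]:
    """Defuzzify each fuzzy weight by its centroid (l + m + u) / 3, then normalise."""
    centroids = [sum(w) / 3.0 for w in fuzzy_weights(mat)]
    total = sum(centroids)
    return [c / total for c in centroids]


def consistency_ratio(mat: List[List[TFN]]) -> float:
    """Saaty consistency ratio of the modal (m-component) crisp matrix; lambda_max is
    estimated with the row-geometric-mean priority vector. CR above ~0.1 means the
    experts' pairwise judgements contradict each other and should be revisited."""
    n = len(mat)
    if n <= 2:
        return 0.0
    modal = [[a[1] for a in row] for row in mat]
    gm = [math.prod(row) ** (1.0 / n) for row in modal]
    w = [g / sum(gm) for g in gm]
    lam = sum(sum(modal[i][j] * w[j] for j in range(n)) / w[i] for i in range(n)) / n
    return ((lam - n) / (n - 1)) / RANDOM_INDEX[n]


def global_weights(factors: List[str], criteria_mat: List[List[TFN]],
                   sub_factors: Dict[str, List[str]],
                   sub_mats: Dict[str, List[List[TFN]]]) -> Dict[str, float]:
    """Absolute weight of each leaf = local weight x weight of its parent criterion."""
    out: Dict[str, float] = {}
    for name, w in zip(factors, crisp_weights(criteria_mat)):
        if name in sub_mats:
            for sub_name, sw in zip(sub_factors[name], crisp_weights(sub_mats[name])):
                out[sub_name] = w * sw
        else:
            out[name] = w
    return out


# Constructed data: three top-level risk factors, two experts, one factor refined.
FACTORS = ["threat", "vulnerability", "asset_value"]
EXPERT_MATRICES = [
    fuzzy_matrix(3, {(0, 1): (1, 2, 3), (0, 2): (5, 6, 7), (1, 2): (2, 3, 4)}),
    fuzzy_matrix(3, {(0, 1): (2, 3, 4), (0, 2): (5, 6, 7), (1, 2): (1, 2, 3)}),
]
CRITERIA = aggregate(EXPERT_MATRICES)
SUB_FACTORS = {"vulnerability": ["unpatched_services", "weak_authentication"]}
SUB_MATRICES = {"vulnerability": fuzzy_matrix(2, {(0, 1): (3, 4, 5)})}

if __name__ == "__main__":
    print("criteria weights:", dict(zip(FACTORS, [round(w, 3) for w in crisp_weights(CRITERIA)])))
    print("consistency ratio:", round(consistency_ratio(CRITERIA), 4))
    print("global weights:", {k: round(v, 3) for k, v in
                              global_weights(FACTORS, CRITERIA, SUB_FACTORS, SUB_MATRICES).items()})
```

The fuzzy spread is what the crisp AHP of item 6 throws away: with the sample judgements the "threat" weight is the TFN roughly (0.40, 0.64, 0.96), so the interval width, not just the centroid, tells the decision-maker how much the experts' uncertainty overlaps between factors. Always report the consistency ratio alongside the weights; a low CR on the modal matrix is a precondition for trusting the ranking, not a result of it.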

18.
The problems present in the information security management system for classified computers are analysed in full; with reference to the relevant system security protection standards, protective measures for the information security management system are formulated, and a method for applying a new information security management system in a Bureau of Land and Resources is proposed. Testing in actual work demonstrates the security and effectiveness of the management system and provides a reference for future work.

19.
Information security risk assessment based on extension sets   Total citations: 1 (self: 0, others: 1)
肖敏, 范士喜, 柴蓉, 杨富平. Journal of Computer Applications (计算机应用), 2009, 29(12):3178-3181
Information security risk assessment faces complex relationships among risk elements and evaluation factors that are hard to measure accurately. To address this, the risk elements are organised around threats, a risk assessment model is built, and an extension-set-based risk evaluation method is implemented on it. The model uses assets, vulnerabilities and controls to assess the likelihood and consequences of each threat, and presents the hierarchical structure of system risk. On top of the model, the extension-set method turns the qualitative expressions of the evaluation factors into intervals and uses interval correlation functions to convert qualitative values into quantitative ones; a qualitative judgement of the system risk is then made from the quantitative risk correlation vector, so that qualitative and quantitative assessment are combined. A concrete example demonstrates the feasibility and effectiveness of the method.

20.
To protect the information assets of any organization, management must rely on accurate information security risk management. Management must assess the risk to the organization's assets and then develop information security strategies to reduce the risks. This assessment is difficult because of rapidly changing technology and new threats that are frequently being discovered. Research on methods for information security risk management includes quantitative and qualitative methods; more comprehensive approaches combine the two. This paper argues that current methods of information security assessment are flawed because management decisions regarding information security are often based on heuristics and optimistic perceptions.
