| 一种基于系统安全性差距分析的风险评估尺度和方法 |
| |
| 引用本文: | 江常青,张利,林家骏,吴世忠.一种基于系统安全性差距分析的风险评估尺度和方法[J].电子学报,2006,34(B12):2556-2559. |
| |
| 作者姓名: | 江常青 张利 林家骏 吴世忠 |
| |
| 作者单位: | [1]中国信息安全产品测评认证中心,北京100089 [2]华东理工大学,上海200237 |
| |
| 摘 要: | 本文提出一种基于信息系统安全性分析来定量计算信息安全风险的度量尺度,差距分析方法及相应的评估流程.通过差距分析法,可以定量地度量信息安全目的和安全现状的在安全保障控制措施和安全保障能力两方面差距,从而改进对信息安全的分析和设计以及如何提升信息安全保障能力.通过本文定义并计算整体信息安全风险度量尺度,还可以计算不同安全控制措施的产生的安全边际效益,进行安全投入产出效益分析.这种可计算的信息安全风险评估尺度和方法的有效性在实际工程中得到应用与检验.
|
| 关 键 词: | 差距分析 安全评估 风险评估 安全度量 |
| 文章编号: | 0372-2112(2006)12A-2556-04 |
| 收稿时间: | 2006-09-08 |
| 修稿时间: | 2006-09-082006-12-05 |
A System Security Gap Analysis Based Risk Assessment Metric and Method |
| |
| JIANG Chang-qing, ZHANG Li, LIN Jia-jun, WU Shi-zhong.A System Security Gap Analysis Based Risk Assessment Metric and Method[J].Acta Electronica Sinica,2006,34(B12):2556-2559. |
| |
| Authors: | JIANG Chang-qing ZHANG Li LIN Jia-jun WU Shi-zhong |
| |
| Affiliation: | 1. China Information Technology Security Certification Center, Beijing 100089, China ; 2. East-China University of Science and Technology, Shanghai 200237, China |
| |
| Abstract: | This paper propose a quantitative information security risk metric based on information system security analysis, gap analysis method and its assessment procedure, Through security gap analysis method, we can compute quantitatively the difference between security target and TOE security in security assurance control and security assurance capability, and then improve the information system security architecture design and its assurance level. Using the metric, we can also compare the benefit difference among security contols, and calculate the input-output analysis. This computable information security risk assessment metric and method was applied in real case and proved effective. |
| |
| Keywords: | gap analysis security assessment risk assessment security metric |
| 本文献已被 维普 等数据库收录! |
|
