Information Security Risk Assessment Based on D-AHP and Grey Theory
  • English title: Information Security Risk Assessment Based on D-AHP and Grey Theory
  • Authors: 许硕; 唐作其; 王鑫
  • Authors (English): XU Shuo; TANG Zuoqi; WANG Xin; College of Computer Science and Technology, Guizhou University
  • Keywords: information security risk assessment; D-number theory; D-number Analytic Hierarchy Process (D-AHP); grey theory; fuzzy preference relation
  • Journal (Chinese abbreviation): JSJC
  • Journal (English): Computer Engineering
  • Institution: College of Computer Science and Technology, Guizhou University
  • Publication date: 2018-11-14 16:50
  • Publisher: Computer Engineering (计算机工程)
  • Year: 2019
  • Issue: v.45; No.502
  • Funding: Guizhou Province Science and Technology Plan Project (黔科合平台人才[2018]5616); Guizhou University Young Teachers Research Fund Project (贵大青合字(2013)01号)
  • Language: Chinese
  • Pages: JSJC201907031
  • Page count: 9
  • CN: 07
  • ISSN: 31-1289/TP
  • Classification number: 200-208
Abstract
Taking full account of how uncertainty in the evaluation information affects the evaluation results, an information security risk assessment method based on the D-number Analytic Hierarchy Process (D-AHP) and grey theory is proposed. Following the relevant industry standards, the assets, threats, vulnerabilities and existing security measures of the information system are identified, an evaluation index system is constructed, and a hierarchical structure model is established. The D-AHP method is used to calculate the influence weight of each index, which addresses the uncertainty of the evaluation information. To handle the grey characteristics that arise from insufficient information resources during the evaluation, grey theory is used to solve the grey evaluation matrix. On this basis, the information security risk is assessed comprehensively and the assessment results are displayed intuitively. Analysis shows that the method can use uncertain information for risk assessment and provides a reference for formulating targeted risk management and control strategies.
