
Research on Method of Information System Information Security Risk Management

【Author】 陈光

【Supervisor】 沈永平

【Author information】 国防科学技术大学 (National University of Defense Technology), Management Science and Engineering, 2006, Doctoral degree

【Abstract (translated from the Chinese)】 With the spread of the Internet and the continuing advance of global informatization, the information systems tied to an organization's business have become strategic resources on which the organization depends for its survival, and the importance of safeguarding their information security has drawn wide attention. Once the information security of an organization's information system is compromised, not only are the security attributes of the organization's information damaged, but its business operations suffer severe impact; the losses are not only economic but may fatally damage the organization's image, reputation and even its strategic competitive advantage. It is therefore essential to carry out information security risk management for information systems. Existing methods of information system information security risk management separate risk analysis and assessment from the concrete organizational environment and business context, lack analysis and description of the process by which risk arises, consider only "technical" factors when making security decisions, and fail to express comprehensively the multiple decision objectives that the organization's decision makers expect to achieve. To remedy these shortcomings, this thesis proposes a new information system information security risk management method, ISISRM, studies the key problems it involves in depth, and thus offers organizations a new approach to information security risk management of their information systems. The research content and main contributions of the thesis are as follows.

First, the overall framework of the ISISRM method is established by describing four aspects: basic ideas, management cycle, processes and methods, and organizational management. ISISRM uses a process framework composed of 13 concrete processes to give organizations a standardized procedure for implementing information system risk management. The method fully embodies modern information security risk management thinking and has the following characteristics: risk factors are identified and analysed against the organization's concrete business context; risk event frequency is computed from the dynamic process by which a risk event forms; information security risk is measured on the principle of moderate quantification; and an ideal security plan is derived by weighing multiple decision objectives against each other.

Second, a method of modelling the risk event process with exploit graphs (EG) is given. An information system security analysis model is established, an algorithm for generating the exploit graph from this model is proposed, and its computational efficiency is analysed. A framework for risk event process modelling based on exploit graphs is given. Describing the risk event process formally with an exploit graph can simulate the threat initiator's reasoning, depict comprehensively and in detail every possible course of action by which the threat initiator could bring about the risk event, together with the temporal relations among the vulnerability exploitation actions within each course, and so provide a clear view for understanding the dynamic process by which a risk event forms.

Third, a method of computing the frequency of information system information security risk events from the exploit graph is proposed. It comprises a method for forecasting the frequency of the threat initiator's attack attempts, an algorithm for computing the maximum success probability of a risk event from the exploit graph, and a method based on Bayesian network theory for computing the success probability of the atomic exploit nodes in the graph.

Fourth, a method of computing the loss value of an information security risk event based on the fuzzy NCIC (Nontraditional Capital Investment Criteria) method is proposed and examined. It includes a hierarchical holographic model of the loss caused by information security risk events, the fuzzy NCIC method for fuzzy multi-criteria evaluation, a method of using linguistic variables to express the decision maker's fuzzy preference information in pairwise comparison matrices, and the computational procedure for evaluating risk event loss with fuzzy NCIC. Evaluating risk event loss with fuzzy NCIC quantifies the loss in monetary units, which not only reflects intuitively the harmful consequences a risk event brings to the organization but also lets security decision makers perform cost-effectiveness analysis on security plans, placing security decisions within an economic analysis framework so that economic theory can offer strong theoretical and methodological guidance for information security management decisions.

Fifth, a complete information system security decision framework is established. The framework has three stages: judging whether to start a security decision, adjusting the security investment budget, and making risk control decisions. For the first stage, the start-up conditions for a security decision are given and the judging procedure is determined. For the second stage, a procedure for dynamically adjusting the organization's current information security investment budget is designed, a minimum security investment model for the information system is established, and an adaptive genetic algorithm based on fuzzy arithmetic operators, AGABOFA, is proposed to solve it; the algorithm uses adaptive genetic operators, handles constraints with fuzzy operators, and, during decoding, applies a total global risk value update algorithm to compute the residual risk of the information system under each security plan. For the third stage, a fuzzy multi-objective optimization model for information security risk control and a framework for solving it are established, and a strength Pareto evolutionary algorithm based on fuzzy arithmetic operators, SPEABOFA, is proposed to solve it; the algorithm handles constraints with fuzzy operators and uses a Pareto set filter, niching and an elite breeding process to preserve solution diversity and accelerate convergence. Finally, a fuzzy multi-attribute decision-making method is given for selecting the most satisfactory security plan from the model's Pareto set. With the overall security decision framework, an ideal security plan can be obtained that integrates the opinions of all security decision makers, fully considers multiple decision objectives, and keeps information security risk within an acceptable range.

Finally, building on the theoretical study of ISISRM, an application example of information system information security risk management is given.

【Abstract (author's English version)】 With the development of global informatization and the popularization of the Internet, the information systems that support an organization's business have become a strategic resource on which the organization depends for its survival, so the importance of assuring the information security of information systems has drawn broad attention. Once the information security of an organization's information system is compromised, not only are the security attributes of the organization's information damaged but its business operations are severely affected; the loss is not only economic, but can also cause fatal damage to the organization's image, reputation or even its strategic competitive advantage. Therefore, it is essential to perform information security risk management on information systems. However, existing information system information security risk management methods share some common problems. For example, they often separate the risk analysis and assessment of an information system from the concrete organizational environment and business background; they lack a formalization of the process by which risk takes shape; or they consider only technical factors when making security decisions, so the decision process cannot embody the multiple decision objectives that the organization's supervisors expect to achieve. To solve these problems, this thesis presents an information system information security risk management method named ISISRM, which provides a new way of carrying out information security risk management for information systems, and then studies the pivotal questions of this new method in depth. The main contents and results of this thesis are outlined as follows.

Firstly, the ISISRM framework is constructed from four aspects: the essential idea, the management cycle, processes and methods, and management organization. ISISRM provides a set of normative practical procedures for implementing risk management on an information system through a process framework composed of 13 processes. The ISISRM method fully embodies modern information security risk management theory. ISISRM has four characteristics: it identifies and analyses risk factors oriented to the concrete business processes of the organization; it calculates risk event frequency based on the process by which the risk event takes shape; it measures information security risk at a proper level of quantification; and it balances several decision-making objectives against each other to seek a satisfactory security plan.

Secondly, a method of modelling risk events through Exploit Graphs (EG) is presented. An information system security analysis model is constructed. An algorithm for constructing the exploit graph is presented based on this model, and the efficiency of the algorithm is analysed. A system framework for risk event process modelling based on EG is proposed. Using an EG to describe the process by which a risk event takes shape can simulate the way of thinking of the attack initiator and portray comprehensively and in detail all of the possible action scenarios through which the attack initiator can induce the risk event, together with the temporal order relations between vulnerability exploiting actions in each scenario. The EG thus provides a clear view for understanding the dynamic process of a risk event.

Thirdly, a method of calculating the frequency of information system information security risk events based on EG is presented. The main content of this method includes a method of forecasting the attack attempt frequency, an algorithm for calculating the maximal success probability of a risk event based on EG, and a method of calculating the success probability of atomic exploit nodes in the EG based on Bayesian network theory.

Fourthly, a method of calculating the loss of an information security risk event based on the fuzzy NCIC (Nontraditional Capital Investment Criteria) method is put forward. The main study of this method includes: a hierarchical holographic model of loss (HHML) of information security risk events is presented; the fuzzy NCIC method for fuzzy multi-criteria decision making is studied; a method using linguistic variables to express the fuzzy preference information of the decision-maker in the pairwise comparison matrix is proposed; and the flow of using the fuzzy NCIC method to assess the loss of an information security risk event is designed. Using the fuzzy NCIC method to assess the loss of a risk event quantifies the loss in currency, which not only intuitively reflects the harmful results that risk events induce for the information system and the organization, but also makes it convenient for the security decision maker to perform cost-effectiveness analysis on security plans; this enables the decision-maker to put information security risk management within the frame of economic analysis and to use economic theory to provide guidance and methods for information security management decisions.

Fifthly, an integrated framework for information security decisions is built. The framework includes three phases: a security decision start-up judging phase, a security investment budget adjusting and controlling phase, and a risk control decision making phase. In the first phase, based on the conditions for starting a security decision, the flow for judging the start-up of a security decision is proposed. In the second phase, the flow for dynamically adjusting the current security investment budget is designed, a model for the minimal information security investment is presented, and an adaptive genetic algorithm based on fuzzy arithmetic named AGABOFA is proposed for solving the model. AGABOFA adopts adaptive genetic operators, handles constraints based on fuzzy arithmetic, and uses an overall global risk value update algorithm to calculate the residual risk of the information system corresponding to a given security plan during the decoding phase of its solving course. In the third phase, a fuzzy multi-objective optimization model for information security risk control is built and a solving framework for the model is proposed. A strength Pareto evolutionary algorithm based on fuzzy arithmetic named SPEABOFA is presented for the model; SPEABOFA handles constraints based on fuzzy arithmetic and adopts several operations, such as Pareto set filtering, niching and a breeding process, which guarantee the diversity of the population and accelerate convergence. Then a fuzzy multiple-attribute group decision making method is presented for selecting the most satisfactory security plan from the Pareto set of the model. Based on the holistic framework of information system security decisions, a satisfactory security plan can be worked out which synthesizes the opinions of all decision-makers, takes into account multiple security decision objectives, and controls the information security risk of the information system within the acceptable scope.

Last, a real information system is used to illustrate the key methodologies presented in this thesis.
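The third contribution described above (risk event frequency = forecast attack attempt frequency × maximum success probability over the exploit graph) is easy to lose in the abstract's prose, so the following is an added example that is not part of the thesis or its ISISRM implementation. It takes a small constructed exploit graph as a DAG of atomic exploit nodes with assumed success probabilities (the thesis derives those probabilities with a Bayesian network, which is not implemented here), finds the path with the highest success probability by dynamic programming in topological order, multiplies by an assumed attempt frequency, and then shows how a control that lowers one node's probability changes both the frequency and the dominant path. All node names, probabilities and the attempt frequency are constructed values.

```python
"""Risk-event frequency from an exploit graph (constructed example).

The exploit graph is a DAG: nodes are atomic exploit steps with an estimated
success probability, an edge u -> v means v can only be attempted after u has
succeeded. The risk-event frequency is the forecast attempt frequency times
the maximum success probability over all START -> GOAL paths.
"""
from collections import defaultdict, deque
from typing import Dict, List, Tuple

START = "START"  # attacker's initial position, probability 1
GOAL = "GOAL"    # the risk event itself

# Constructed sample graph (hypothetical, not from the thesis). Atomic node
# success probabilities are assumed inputs here.
SAMPLE_SUCCESS: Dict[str, float] = {"E1": 0.6, "E2": 0.3, "E3": 0.8, "E4": 0.5, "E5": 0.9}
SAMPLE_EDGES: List[Tuple[str, str]] = [
    (START, "E1"), (START, "E2"),
    ("E1", "E3"), ("E2", "E4"), ("E4", "E5"),
    ("E3", GOAL), ("E5", GOAL),
]


def topological_order(edges: List[Tuple[str, str]]) -> List[str]:
    """Kahn's algorithm; raises if the graph has a cycle (an exploit graph must be a DAG)."""
    succ, indeg, nodes = defaultdict(list), defaultdict(int), set()
    for u, v in edges:
        succ[u].append(v)
        indeg[v] += 1
        nodes.update((u, v))
    queue = deque(sorted(n for n in nodes if indeg[n] == 0))
    order: List[str] = []
    while queue:
        u = queue.popleft()
        order.append(u)
        for v in succ[u]:
            indeg[v] -= 1
            if indeg[v] == 0:
                queue.append(v)
    if len(order) != len(nodes):
        raise ValueError("exploit graph must be acyclic")
    return order


def max_success_probability(edges, success, start=START, goal=GOAL) -> Tuple[float, List[str]]:
    """Return (p_max, path): the best success probability over all start->goal
    paths and the atomic exploit nodes on that path. Unreachable goal -> (0.0, [])."""
    preds = defaultdict(list)
    for u, v in edges:
        preds[v].append(u)
    best = {start: 1.0}  # best[v]: max probability of having succeeded up to v
    via: Dict[str, str] = {}
    for node in topological_order(edges):
        if node == start:
            continue
        cands = [(best[u], u) for u in preds[node] if u in best]
        if not cands:
            continue  # not reachable from start
        p_in, u = max(cands)
        p_node = 1.0 if node == goal else success[node]  # the goal is the event, not an exploit
        best[node] = p_in * p_node
        via[node] = u
    if goal not in best:
        return 0.0, []
    path, n = [], via[goal]
    while n != start:
        path.append(n)
        n = via[n]
    return best[goal], path[::-1]


def risk_event_frequency(attempt_frequency: float, edges, success) -> float:
    """Forecast attempt frequency times the maximum success probability."""
    p_max, _ = max_success_probability(edges, success)
    return attempt_frequency * p_max


def with_control(success: Dict[str, float], node: str, new_probability: float) -> Dict[str, float]:
    """Model a security control that lowers one atomic exploit's success probability.
    Returns a new mapping so the baseline stays intact for comparison."""
    if not 0.0 <= new_probability <= 1.0:
        raise ValueError("probability must lie in [0, 1]")
    updated = dict(success)
    updated[node] = new_probability
    return updated


if __name__ == "__main__":
    attempts_per_year = 12.0  # constructed forecast, not a measured value
    p, path = max_success_probability(SAMPLE_EDGES, SAMPLE_SUCCESS)
    print(f"baseline: p_max={p:.3f} via {path}, "
          f"frequency={risk_event_frequency(attempts_per_year, SAMPLE_EDGES, SAMPLE_SUCCESS):.2f}/year")
    hardened = with_control(SAMPLE_SUCCESS, "E3", 0.1)
    p2, path2 = max_success_probability(SAMPLE_EDGES, hardened)
    print(f"with control on E3: p_max={p2:.3f} via {path2}, "
          f"frequency={risk_event_frequency(attempts_per_year, SAMPLE_EDGES, hardened):.2f}/year")
```

The second run shows the point the thesis makes about computing residual risk per security plan: after the control on E3 the dominant path moves to E2, E4, E5 and the frequency falls from 5.76 to 1.62 events per year under the constructed inputs, so a plan has to be re-evaluated over the whole graph rather than on the single path it was designed to block.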
