【作者】 李志伟；

【导师】 宋守信；

【作者基本信息】 北京交通大学 ， 安全管理与工程， 2010， 博士

【摘要】 随着经济全球化和信息技术的迅猛发展,信息系统在国家的政治、军事和经济等领域应用的日益广泛,整个社会对信息系统的依赖性越来越大,信息系统的安全问题已经成为一个关乎国家政治稳定、社会安定和经济健康有序运行的全局性重要问题。信息安全管理本质上是基于风险的管理。当前信息技术迅猛发展,信息安全管理理论和方法正经历一场重大的变革：从单一的技术手段到“技术与管理”并重的综合治理手段；从局部的工程管理到全局性的系统管理；从标准不完善的经验式管理到安全等级分明的科学管理；风险评估对象从综合评估到人因评估、从现状评估到趋势评估；评估方式从静态评估到动态评估；评估手段从手动评估到自动评估；评估方法从定性评估、定量评估到定性和定量相结合。结合信息系统实际情况,对相关科学的理论和方法进行完善与创新,是确保信息系统风险评估与管理工作不断完善的必要前提。本文遵循定性-定量-定性的分析研究思路,着眼于从技术层面和管理层面的有机结合,从信息系统风险评估与管理过程中的关键问题入手,结合安全管理、系统工程、信息安全、层次分析法(AHP)、灰色理论、模糊理论、决策理论多种学科的理论及相关方法开展了针对性的研究。主要研究工作有：(1)首先应用基于改进型AHP的模糊综合评价法和基于离差平方和的模糊综合评价法对信息系统进行综合评估。通过对信息系统的风险综合评估,掌握了信息系统风险整体状况、主要风险影响因素,为信息系统人因失误风险评估、风险态势评估以及风险管理模型与对策的研究提供了理论方法基础和依据。(2)基于交互式群决策的信息系统人因失误风险评估研究。运用Reason模型和SHEL模型对信息系统人因失误的风险进行分析,并建立信息系统人因失误风险评估指标体系,应用群决策技术对专家权重进行判断,可以有效地提高信息系统风险评估的合理性和准确性。并应用改进型AHP模糊综合方法进对信息系统人因失误进行风险评估,分析了人因失误风险因素的影响作用,并确定信息系统人因失误的风险等级,为探讨信息系统人因失误风险管理对策奠定了基础。(3)基于灰色理论的信息系统风险态势评估研究。在实际情况中,由于信息系统威胁的不确定性、动态性,同时由于风险因素的构成、因素之间的关系、因素发挥作用的时间和范围等在不断变化,从而导致信息系统所面临的风险呈现动态而复杂的演化趋势,静态风险评估很难预测或评估未来风险状况,因而对系统未来风险态势进行评估凸显其重要。论文将系统灰色理论方法引入信息系统安全风险态势感知的研究领域,提出一种风险态势感知评估模型,通过仿真实验,验证了该方法和模型的可行性和有效性。并提出基于态势评估的信息系统风险预警、防范与控制模型。(4)信息系统风险管理模式及对策研究。信息系统的安全建设不仅是一个技术问题,更是一个管理问题,管理是贯穿信息安全体系建设过程的生命线,风险管理是信息安全保障工作中的一项基础性工作。论文提出了适合未来智能化发展需要的信息系统动态风险管理模型和信息系统人因失误风险管理与控制模型,并提出具体的对策建议。更多还原

【Abstract】 With the constant deepening of information technology, Information system is widely applied in the country’s political, military and economic spheres, the entire society have more and more depended on the information systems, so information systems security has risen as a overall matter of national political stability, social stability and economic health operate orderly. Information security management is essentially a risk-based management. The current rapid development of information technology, information security management theory and methods undergoing a major transformation:from a single technical means to "Technology and Management" equal emphasis on the comprehensive management tools; from the local project management to the global system management; from the inadequate standard empirical management to safety-level clearly management; objects of risk assessment which from comprehensive assessment to human-reason assessment; from static assessment methods to dynamic assessment; assessment tools which from automatic evaluation assessment to the qualitative assessment, the qualitative and quantitative combined of the quantitative evaluation. Information systems with the actual situation of the relevant scientific theories and methods of improvement and innovation is to ensure information systems risk assessment and management,that is a necessary prerequisite for continuous improvement.This dissertation is proceeded with ideas of the qualitative-quantitative qualitative analysis, focusing on the technical level and management level, from the crucial problems of the information systems risk assessment and management process, combined with security management, systems engineering, information security, analytic hierarchy process France (AHP), gray theory, fuzzy theory, decision theory, multi-disciplinary theory and related approachesm,which is carried out targeted research. Main research work are:(1) First, This dissertation is studyed on application of AHP which base on improved fuzzy comprehensive evaluation method and base on sum of squared deviations of the fuzzy comprehensive evaluation method to conduct a comprehensive assessment of information systems. Through a comprehensive assessment of the information systems risks, master overall situation of the information system risk, the main risk factors, while risk management information systems provide the basis for strategy and control measures. The dissertation is studyed for the follow-up dissertation information systems human-error risk assessment, risk assessment and risk management models situation and provide countermeasures of the study and a theoretical basis and foundation methods.(2) This dissertation is studyed on Interactive group decision-making which base on the information system human-error risk assessment studies. the use of Reason model and the SHEL model for information system risk of human error analysis, and the establishment of information systems human-error risk assessment index system, the application group decision-making techniques to judge the weight of experts, can effectively improve reasonableness and accuracy of the information system risk assessment. And application of improved fuzzy AHP information systems into an integrated approach to human-error risk assessment, analysis of the human error and the role of risk factors and to identify information systems human error risk level, in order to explore the information systems risk management, human error and laid the foundation for response..(3) This dissertation is studyed on Gray Theory of information systems risk posture assessment. In fact, due to the uncertainty and dynamic of the threat information systems, risk factors and the relationship between factors, the ever-changing timing and scope factors,leading to the risks that facing with information systems presents dynamic and complex evolutionary trend, static risk assessment is difficult to predicted or assess the future risk status, and thus the system assess future risk trends which highlight its significance. This dissertation will be introduced into the theory of gray system, information system security risk situational awareness of the research area, it is presented a risk situational awareness assessment model, through simulation experiments, validate the methods and models of the feasibility and effectiveness. And this dissertation is studyed on how to make situation assessment base on information system risk early warning, prevention and control model.(4) This dissertation is studyed on Information systems risk management model and Countermeasures. Information system security building is not only a technical issue, but also a management issue, management is the lifeblood of the construction process through the information security system, risk management is a basic work of the information security. This dissertation is presented the development needs for the future of intelligent information systems for dynamic risk management models and information systems, human-error risk management and control model, and make concrete policy proposals.更多还原