【作者】 刘海峰；

【导师】 郭义喜；

【作者基本信息】 解放军信息工程大学 ， 计算机应用技术， 2007， 硕士

【摘要】 信息安全风险评估是考察信息系统安全性的一个重要环节。在国家深入推进信息安全风险评估工作,并将颁布国家标准《信息安全风险评估规范》以指导风险评估工作实施的背景下,研究国外成熟的风险评估框架结合国家标准的应用问题,特别是研究探讨中小型组织风险自评估技术及其应用,对信息安全风险评估的广泛开展具有重要意义。论文首先分析比较了国内外主要风险评估方法和工具,从不同的角度重点分析了基于模型的信息安全风险评估CORAS框架的理论技术特征,比较研究了CORAS框架和《信息安全风险评估规范》的兼容性,说明了国内中小型组织应用CORAS框架实施风险评估的可行性;针对CORAS框架应用时存在的风险计算的主观性问题,分析总结了风险要素中威胁、脆弱性和资产的结合关系,提出和定义了元风险及资产风险树等相关概念,解决了确定风险计算粒度和区分不同性质风险对资产的重要程度问题,在此基础上,优化设计了适用于中小型组织的基于元风险和资产风险树的风险评估算法;同时,设计和开发了基于CORAS的风险评估辅助系统e-CORAS,从系统包图、类图、用例图和系统时序图等方面阐述了系统建模分析与设计,给出了风险评估算法的详细设计,从数据库访问模式、结构模型图和表结构等方面对系统数据库进行了详细设计和实现;最后通过具体的评估实例说明了算法和系统应用过程及有效性。更多还原

【Abstract】 Information security risk assessment is an important tache for evaluation of information system security. With strengthening on information security risk assessment sector by our nation, the national standard <Risk assessment specification for information security> will be enacted in the near future and all risk evaluation will be exercised with its guide. The research of application of famous risk framework worldwide with guidance of the national standard, especially application research of risk self-evaluation for small and medium organizations, are of significance for the widespread practice of information security risk assessment.Firstly this paper analyses and compares different methods and tools internally and aboard, focusing on the analysis of theory and technology of model-based information security risk assessment CORAS framework by E.U., and the conformance of CORAS framework to <Risk assessment specification for information security> is studied and compared , which is basis for the application of CORAS framework by internal small and medium organizations; then, for subjectivity of risk computation in CORAS’ application, the relations between risk factors threat, vulnerability and asset are generalized , and meta-risk , asset risk tree and other related concepts are set forth and defined , which are solutions for identifying granularity of risk computation and distinguishing influence level of risk on asset’s importance, then based that a computation algorithm is designed; thirdly a risk assessment supportive tool e-CORAS is analyzed and implemented, the system modeling analysis and design is exemplified by the system package diagrams, class diagrams, use-case diagrams and sequence diagrams, and the detailed design of risk assessment algorithm is presented, also the system database design and implementation are presented for database general structure, structure model diagram and list structure; at last an example that illustrates the use of algorithm and tool is also presented.更多还原