
Design and Implementation of an Information Security Value Assessment System

An Information Security Assessment System’s Design and Implementation

【Author】 何景根

【Advisor】 杨义先

【Author Information】 Beijing University of Posts and Telecommunications, Information Security, 2008, Master's thesis

【Abstract (translated from the Chinese)】 The arrival of the information society has profoundly changed production and daily life, and people have become ever more dependent on information; at the same time, information security problems have become a severe test for information infrastructure. Governments, enterprises and other organizations are paying increasing attention to information security work. However, how the value of information security investment is demonstrated is a question that concerns those who decide on such investment. The current situation is that no mature, readily operable methodology exists for assessing the value of information security investment. This thesis attempts to find a quantitative, operable and realistic model for measuring the value of information security, in order to gauge the effectiveness of information security work and to assist decision-makers with investment decisions. Building on current theoretical research on the value of information security, the thesis divides that value into two kinds, economic and non-economic, and further divides economic value into two parts: risk reduction and cost savings. Starting from enterprise practice, it gives detailed derivation steps for quantifying both the risk-reduction analysis and the cost-savings analysis, which ensures the credibility and operability of the assessment. For non-economic value, it designs a practical security capability questionnaire and a BS7799 compliance questionnaire, which quantitatively reflect an organization's information security level from the positive side. Finally, the thesis designs a working system to support information security value assessment: it collects the necessary data through Excel, performs the calculations internally, and presents the assessment result as a Word report.

【Abstract】 Information technology has brought great improvement to the whole of society. While information is becoming more and more important to people, information infrastructure is facing more and more security threats. Organizations such as governments and companies are paying more attention to information security problems. How to evaluate the value of information security investment is one of the key issues for decision-makers, but currently there is no mature, practical methodology for decision-makers to evaluate the value of information security investment. This paper tries to build a quantitative, operable and practical model to evaluate the value of information security investment and the effectiveness of information security work, helping decision-makers make sound investment decisions. Based on theories related to the value of information security, this paper divides the value of information security investment into two parts, an economic part and a non-economic part, and further divides the economic part into two components: risk mitigated and cost savings. Based on the best practice of a large IT company, this paper gives detailed steps for analyzing the risk mitigated and the cost savings; these steps ensure the operability and reliability of the whole evaluation process. For the non-economic part, this paper designs a practical security capability questionnaire and a BS7799 compliance questionnaire; answers to these questionnaires reflect the information security level of an organization. Besides the theoretical methodology and operating procedure, a real system is also built for administrators to evaluate the value of security investment. It collects data in the form of Excel workbooks and produces a final Word report of the calculated results.

  • 【CLC Classification】TP309
  • 【Downloads】176