There are many uncertain and fuzzy factors in the information security risk assessment process.For the uncertainty and subjectivity of expert evaluation,this paper proposed a risk assessment method on the basis of fuzzy set theory and DS evidence theory.Firstly,according to the processes and elements of the information security risk assessment,it established an index system and confirmed risk factors.Secondly,it calculated the degree of expert evaluation belonging to various levels through Gauss membership function.Thirdly,it made the above results as basic probability assigment of DS theory and adopted a fusion arithmetic based on matrix analysis and weight distribution to synthesize views of some experts.Finally,combining with the Bayesian theory and inference procedure,it calculated the probability of risk of the information system.The results show that the method which is based on the fuzzy set theory and DS evidence theory can improve the objectivity of the evaluation results.%在信息安全风险评估过程中,存在着很多不确定和模糊的因素,针对专家评价意见的不确定性和主观性问题,提出了一种将模糊集理论与DS证据理论进行结合的风险评估方法.根据信息安全风险评估的流程和要素,建立风险评估指标体系,确定风险影响因素;通过高斯隶属度函数,求出专家对各影响因素的评价意见隶属于各个不同评价等级的程度;并将其作为DS理论所需的基本概率分配,引入基于矩阵分析和权值分配的融合算法综合多位专家的评价意见;最后结合贝叶斯网络模型的推理算法,得出被测信息系统所面临的风险大小并对其进行分析.结果显示,将模糊集理论和DS证据理论应用到传统贝叶斯网络风险评估的方法,在一定程度上能够提高评估结果的客观性.
展开▼
