
A Business-Oriented Risk Assessment Model


Abstract

Current mainstream information security risk assessment focuses on asset loss and neglects the impact of risk on the business. This paper proposes a business-oriented risk assessment model (BoRAM). Starting from business security requirements, the model introduces the security attributes of confidentiality, integrity and availability into the risk assessment process and quantifies risk by evaluating the impact on business processes. The asset elements of traditional risk assessment are treated as the support of the business, and a hierarchical method is used to analyze asset risk, business process risk and business risk in turn. Each risk element is generalized and analyzed with attribute-oriented induction (AOI) and clustering methods, and a Markov model is used to describe the propagation of risk between business processes. Finally, the model is validated on the risk of an Internet banking transaction system. Theoretical analysis and experimental results show that the model converts traditional asset risk into business risk, measured along the three security attributes of confidentiality, integrity and availability, and thereby reflects business security requirements.
