A Risk Evaluation Model Merging Behaviors Trust of Entities

Journal of Nanjing Normal University (Engineering and Technology Edition) [ISSN:1006-6977/CN:61-1281/TN]

Issue:
2010, No. 4
Pages:
72-79

Info

Title:
A Risk Evaluation Model Merging Behaviors Trust of Entities
Author(s):
Xu Yuxiong (1), Dou Wanfeng (1,2)
1. School of Computer Science and Technology, Nanjing Normal University, Nanjing 210097, China; 2. Jiangsu Research Center of Information Security and Privacy Technology, Nanjing 210097, China
Keywords:
asset evaluation; vulnerability evaluation; threat evaluation; risk evaluation; information entropy; behavior trust of entity
PACS:
TP309
DOI:
-
Abstract:
Risk analysis is one of the key factors affecting security decision-making in information systems, and risk evaluation is the basis and premise for building an information system's security posture. Accurate risk quantification is difficult because of the many fuzzy and uncertain factors present in information security risk analysis. To address this problem, the paper proposes a risk evaluation model based on asset evaluation, vulnerability evaluation and threat evaluation, in which the risk factors are identified and quantified and the value, vulnerability and threat of each asset are combined to compute the risk of the system. Furthermore, since the risk of the system is also influenced by the behavior of external entities, a risk computation method merging the behavior trust of external entities is presented; it uses a quantitative information-entropy weight for each factor in order to overcome the subjectivity of assigning weights directly. Application of the proposed model and the experimental results show that the risk computation model merging the trust implied by the behavior of entities is reasonable and can efficiently evaluate the risk of an information system.
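The entropy-weight step the abstract describes, as an added worked example that is not the paper's own code or formulas: it applies the standard information-entropy weight method (each factor's weight derived from how much its scores disperse across assets) to a constructed scoring table and then folds asset value, vulnerability, threat and the distrust implied by external entities' behavior into one risk score per asset. The factor names, the 1-5 scales, the mapping trust -> distrust = 1 - trust, and the sample scores are all assumptions made for the illustration.

```python
"""Entropy-weight risk scoring over asset value, vulnerability, threat and
behavior trust. Illustrative code only: the factor set, scales, the
distrust = 1 - trust mapping and the sample data are assumptions, not the
paper's data or formulas."""
import math

FACTORS = ("asset_value", "vulnerability", "threat", "behavior_distrust")

# Constructed sample: 1-5 expert scores for value/vulnerability/threat plus a
# trust level in [0, 1] derived from the observed behavior of the external
# entity that interacts with each asset (assumed inputs).
SAMPLE = {
    "db-server":  {"asset_value": 5, "vulnerability": 5, "threat": 5, "trust": 0.1},
    "file-share": {"asset_value": 5, "vulnerability": 1, "threat": 1, "trust": 0.9},
    "web-front":  {"asset_value": 5, "vulnerability": 3, "threat": 3, "trust": 0.5},
}


def decision_matrix(assets):
    """Rows = assets, columns = FACTORS. Trust lowers risk, so it enters as
    distrust = 1 - trust (assumption) so that every column is 'higher = riskier'."""
    names = list(assets)
    rows = [[a["asset_value"], a["vulnerability"], a["threat"], 1.0 - a["trust"]]
            for a in (assets[n] for n in names)]
    return names, rows


def entropy_weights(rows):
    """Standard entropy-weight method:
    p_ij = x_ij / sum_i x_ij ; e_j = -(1/ln m) * sum_i p_ij ln p_ij ;
    d_j = 1 - e_j ; w_j = d_j / sum_k d_k.
    A column that is constant across assets has e_j = 1 and therefore w_j = 0."""
    m = len(rows)
    if m < 2:
        raise ValueError("need at least two assets to measure dispersion")
    k = 1.0 / math.log(m)
    divergence = []
    for j in range(len(rows[0])):
        col = [r[j] for r in rows]
        total = sum(col)
        if total <= 0:
            raise ValueError(f"factor {j} has no positive scores")
        p = [x / total for x in col]
        e = -k * sum(pi * math.log(pi) for pi in p if pi > 0)  # skip 0*ln 0
        divergence.append(1.0 - e)
    s = sum(divergence)
    if s == 0:
        # Every factor is constant across assets: nothing discriminates, so
        # fall back to equal weights rather than dividing by zero.
        return [1.0 / len(divergence)] * len(divergence)
    return [d / s for d in divergence]


def risk_scores(assets):
    """Return (weights by factor, risk score by asset). Each score is the
    weighted sum of the asset's factor values normalised by the column maximum,
    so 1.0 means 'worst observed on every factor'."""
    names, rows = decision_matrix(assets)
    w = entropy_weights(rows)
    maxes = [max(r[j] for r in rows) for j in range(len(w))]
    scores = {n: sum(wj * (x / mx) for wj, x, mx in zip(w, r, maxes))
              for n, r in zip(names, rows)}
    return dict(zip(FACTORS, w)), scores


if __name__ == "__main__":
    weights, scores = risk_scores(SAMPLE)
    for f, wf in weights.items():
        print(f"{f:18s} weight {wf:.3f}")
    for n, sc in sorted(scores.items(), key=lambda kv: -kv[1]):
        print(f"{n:12s} risk {sc:.3f}")
```

One caveat worth keeping in mind when using this method in practice: entropy weighting measures dispersion, not importance. In the sample every asset has the same asset_value, so that factor receives a weight of zero even though a practitioner would certainly want it to count; the method is therefore usually paired with an expert-derived weighting (for example the analytic hierarchy process cited as reference [23]) rather than used on its own.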

References:

[1] Fan Hong, Min Jinghua. Information Security Risk Management Guide [D]. Beijing: State Council Informatization Office, 2006. (in Chinese)
[2] Asnar Y, Giorgini P. Modelling and Analysing Risk at Organizational Level, DIT-06-063 [R]. Italy: University of Trento, 2006.
[3] Asnar Y, Giorgini P, Mylopoulos J. Risk Modelling and Reasoning in Goal Models, DIT-06-008 [R]. Italy: University of Trento, 2006.
[4] Asnar Y, Giorgini P, Massacci F, et al. From Trust to Dependability Through Risk Analysis, DIT-06-079 [R/OL]. Italy: University of Trento, 2006.
[5] Cox S, Jones B, Collinson D. Trust relations in high-reliability organizations [J]. Risk Analysis, 2006, 26(5): 1123-1138.
[6] Yulmetyev R M, Emelyanova N A, Gafarov F M. Dynamical Shannon entropy and information Tsallis entropy in complex systems [J]. Physica A, 2004, 341(11): 649-676.
[7] Wu Yafei, Li Xinyou, Lu Kai. Information Security Risk Assessment [M]. Beijing: Tsinghua University Press, 2007. (in Chinese)
[8] Yang Yang, Yao Shuzhen. Risk assessment method of information security based on threat analysis [J]. Computer Engineering and Applications, 2009, 45(3): 94-96. (in Chinese)
[9] Lin A Z, Vullings E, Dalziel J. A trust-based access control model for virtual organizations [C] // Proceedings of the GCC Workshops. USA: IEEE Computer Society, 2006: 557-564.
[10] Tian L Q, Lin C. A kind of game-theoretic control mechanism of user behavior trust based on prediction in trustworthy network [J]. Chinese Journal of Computers, 2007, 30(11): 1930-1938.
[11] Chen Liang. Risk assessment model of information system security [J]. Journal of Chinese People's Public Security University: Science and Technology Edition, 2007, 13(4): 50-53. (in Chinese)
[12] Luo Jia, Yang Shiping. Fuzzy risk assessment for information security based on the entropy-weight coefficient method [J]. Computer Technology and Development, 2009, 19(10): 177-181. (in Chinese)
[13] Jøsang A, Presti S. Analysing the relationship between risk and trust [C] // Proceedings of iTrust 2004. Oxford: Springer-Verlag, 2004: 135-145.
[14] Olsen R A. Trust as risk and the foundation of investment value [J]. The Journal of Socio-Economics, 2008, 37(6): 2189-2200.
[15] Stoneburner G, Goguen A, Feringa A. Risk Management Guide for Information Technology Systems [R/OL]. National Institute of Standards and Technology Special Publication 800-30, 2002. [2010-09-07]. http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf
[16] Manchala D W. Trust metrics, models and protocols for electronic commerce transactions [C] // Proc of the 18th Int Conf on Distributed Computing Systems. Washington DC: IEEE Computer Society, 1998.
[17] Povey D. Developing electronic trust policies using a risk management model [C] // Proc of the Int Exhibition and Congress on Secure Networking. Berlin Heidelberg: Springer-Verlag, 1999.
[18] Cahill V. Using trust for secure collaboration in uncertain environments [J]. IEEE Pervasive Computing, 2003, 2(3): 52-61.
[19] Jøsang A, Bradley D, Knapskog S J. Belief-based risk analysis [C] // Proceedings of the 2nd Australasian Information Security Workshop (AISW2004). Dunedin, New Zealand: CRPIT, 2004: 63-68.
[20] Standardization Administration of China. GB/T 20984-2007 Information Security Technology: Risk Assessment Specification for Information Security [S]. Beijing: China Standard Press, 2007. (in Chinese)
[21] International Organization for Standardization, International Electrotechnical Commission. ISO/IEC 13335 Information Technology: Guidelines for the Management of IT Security [S/OL]. [2010-09-01]. http://www.csa-intl.org/onlinestore/GetcatalogItemDetails.asp?mat=2416204&Parent=3548
[22] SeccoFly Management Consulting Company. BS7799 and ISO/IEC 17799 Information Security Management System and its Certification and Accreditation Related Knowledge Interlocution [M]. Beijing: China Standard Press, 2003.
[23] Saaty T L. How to make a decision: the analytic hierarchy process [J]. European Journal of Operational Research, 1990, 48(1): 9-26.
[24] Zhang Runlian, Wu Xiaonian, Zhou Shengyuan, et al. A trust model based on behaviors risk evaluation [J]. Chinese Journal of Computers, 2009, 32(4): 688-698. (in Chinese)

Last Update: 2013-04-02