Risk Analysis of Information System Security Based on Distance of Information-State Transition

  • Chao Zhou
  • Ping PanEmail author
  • Xinyue Mao
  • Liang Huang
Computer Science


The configuration of information system security policy is directly related to the information asset risk, and the configuration required by the classified security protection is able to ensure the optimal and minimum policy in the corresponding security level. Through the random survey on the information assets of multiple departments, this paper proposes the relative deviation distance of security policy configuration as risk measure parameter based on the distance of information-state transition (DIT) theory. By quantitatively analyzing the information asset weight, deviation degree and DIT, we establish the evaluation model for information system. With example analysis, the results prove that this method conducts effective risk evaluation on the information system intuitively and reliably, avoids the threat caused by subjective measurement, and shows performance benefits compared with existing solutions. It is not only theoretically but also practically feasible to realize the scientific analysis of security risk for the information system.

Key words

distance of information-state transition (DIT) deviation distance information asset risk analysis 

CLC number

TP 309 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. [1]
    Shameli-Sendi A, Aghababaei-Barzegar R, Cheriet M. Taxonomy of information security risk assessment (ISRA) [J]. Computers & Security, 2016, 57(C): 14–30.CrossRefGoogle Scholar
  2. [2]
    Kondakci S. Network security risk assessment using Bayesian belief networks [C] // IEEE Second International Conference on Social Computing. Washington D C: IEEE, 2010: 952–960.Google Scholar
  3. [3]
    Cholez H, Girard F. Maturity assessment and process improvement for information security management in small and medium enterprises [J]. Journal of Software Evolution & Process, 2014, 26(5): 496–503.CrossRefGoogle Scholar
  4. [4]
    Al-Kuwaiti M, Kyriakopoulos N, Hussein S. A comparative analysis of network dependability, fault tolerance, reliability, security and survivability [J]. IEEE Communications Survey & Tutorial, 2009, 11(2): 106–124.CrossRefGoogle Scholar
  5. [5]
    Ma Z, Krings A W. Dynamic hybrid fault modeling and extended evolutionary game theory for reliability, survivability and fault tolerance analyses [J]. IEEE Transactions on Reliability, 2011, 60(1): 180–196.CrossRefGoogle Scholar
  6. [6]
    Li H T, Liu Y, He D Q. A fuzzy set-based approach for model-based internet-banking system security risk assessment [J]. Wuhan University Journal of Natural Sciences, 2006, 11(6): 1869–1872.CrossRefGoogle Scholar
  7. [7]
    Zhang X, Yao S P, Tang C H. Assessing the risk situation of network security for active defense [J]. Wuhan University Journal of Natural Sciences, 2006, 11(6): 1718–1722.CrossRefGoogle Scholar
  8. [8]
    Standardization Administration of the People’s Republic of China. Information Security Technology-Risk Assessment Specification for Information Security (GB/T 20984–2007) [S]. Beijing: Standards Press of China, 2007(Ch).Google Scholar
  9. [9]
    Liu G C, Wang H J. Evaluation research on and empirical analysis of risks in information system audit based on AHP and entropy weight [J]. Auditing Research, 2016, 1: 53–59(Ch).Google Scholar
  10. [10]
    Liu J, Zhao G, Zheng Y P. Information security risk variety situation analysis model based on AHP and Bayesian network [J]. Journal of Beijing Information Science and Technology University, 2015, 30(3): 68–74(Ch).Google Scholar
  11. [11]
    Chai J W, Wang S, Liang H H, et al. An AHP-based quantified method of information security risk assessment elements [J]. Journal of Chongqing University, 2017, 40(4): 44–53(Ch).Google Scholar
  12. [12]
    Zhao G, Liu H. Practical risk assessment based on multiple fuzzy comprehensive evaluations and entropy weighting [J]. Journal of Tsinghua University (Sci and Tech), 2012, 52(10): 1382–1387(Ch).Google Scholar
  13. [13]
    Song J K, Zhang L B. Research on information security risk assessment based on triangular fuzzy entropy [J]. Information Studies Theory and Application, 2013, 36(8): 99–104 (Ch).Google Scholar
  14. [14]
    Chen X G, Cheng J R. Research on application of risk assessment approach for multi-factor hierarchical fuzzy comprehensive evaluation [J]. Computer Engineering and Applications, 2012, 48(30): 128–131(Ch).Google Scholar
  15. [15]
    Fu S. Information system security risk analysis method using information entropy [J]. Information Science, 2013, 31(6): 38–42(Ch).Google Scholar
  16. [16]
    Xiong J S, Qin H T, Li J H, et al. Method of determining index weight in security risk evaluation based on information entropy [J]. Journal of System Science, 2013, 21(2): 82–84(Ch).Google Scholar
  17. [17]
    Wu L Y. Risk analysis of the information system by using factor analysis and support vector machine [J]. Microelectronics and Computer, 2016, 33(2): 144–148(Ch).Google Scholar
  18. [18]
    Zhao B H. Risk evaluation of information system security based on neural network and analytic hierarchy process [J]. Microelectronics and Computer, 2015, 32(10): 163–166(Ch).Google Scholar
  19. [19]
    Wang H C. DIT and Information [M]. Beijing: Science Press, 2006.Google Scholar
  20. [20]
    Li X L, Lü W Q, Guo Q K. Research on measurement method of command process based on information distance [J]. Journal of Equipment Academy, 2014, 25(6): 113–117(Ch).Google Scholar
  21. [21]
    Wang H C. Systems information measurement [J]. Journal of University of Shanghai for Science and Technology, 2011, 33(6): 631–640(Ch).Google Scholar
  22. [22]
    Peng C G, Ding H F, Zhu Y J, et al. Information entropy models and privacy metrics methods for privacy protection [J]. Journal of Software, 2016, 27(8): 1891–1903(Ch).Google Scholar
  23. [23]
    Cove T M, Thomas J A. Elements of Information Theory [M]. New York: Wiley, 2006.Google Scholar
  24. [24]
    Zhang R R, Zhou H L, Pan P. Analysis of university students’ core value based on information distance [J]. Journal of Guizhou Normal College, 2012, 28(2): 52–57(Ch).Google Scholar
  25. [25]
    Standardization Administration of the People’s Republic of China. Information Security Technology — Baseline for Classified Protection of Information System Security (GB/T 22239–2008) [S]. Beijing: Standards Press of China, 2008(Ch).Google Scholar

Copyright information

© Wuhan University and Springer-Verlag GmbH Germany, part of Springer Nature 2018

Authors and Affiliations

  1. 1.College of Computer Science and TechnologyGuizhou UniversityGuiyang, GuizhouChina
  2. 2.Wuhan Second State Tax InspectorateHubei Provincial Office, SATWuhan, HubeiChina

Personalised recommendations