Risk Analysis of Information System Security Based on Distance of Information-State Transition
Abstract
The configuration of an information system's security policy is directly related to the risk to its information assets, and the configuration required by classified security protection yields the optimal and minimal policy for the corresponding security level. Based on a random survey of the information assets of multiple departments, this paper proposes the relative deviation distance of the security policy configuration as a risk measure parameter, built on the theory of the distance of information-state transition (DIT). By quantitatively analyzing information asset weight, deviation degree and DIT, we establish an evaluation model for the information system. Example analysis shows that this method evaluates information system risk intuitively and reliably, avoids the threat caused by subjective measurement, and performs better than existing solutions. Scientific analysis of information system security risk is therefore feasible both theoretically and practically.
Key words: distance of information-state transition (DIT); deviation distance; information asset; risk analysis
CLC number: TP 309