Abstract
To address the uncertainty factors present in the system risk assessment process, such as a lack of assessment data, incomplete knowledge, incomplete system modelling and inadequate risk identification, this paper proposes a risk assessment method that combines fuzzy mathematics with evidence theory. First, the definition of information system risk assessment is given and the risk analysis and prediction model of an information system is discussed. Then, classical evidence theory is extended to fuzzy sets: the membership functions of fuzzy sets are used to construct the basic probability assignment functions of evidence theory, so that the basic support degree of each assessment indicator is its degree of membership in the comment (grade) set. This establishes a fuzzy relation from the indicator set to the assessment standard and effectively solves the problem that basic probability assignments in evidence theory are hard to determine. Finally, a risk assessment example for an office automation information system is given to verify the soundness of the proposed method. The example shows that the method is feasible and effective and can provide solid data support for information system risk control and security defence.
Considering that there are many uncertainty factors in the process of information systems security risk assessment, such as lack of evaluation data, incomplete knowledge and system modeling, and inadequate risk identification, a method based on the fuzzy theory of evidence was presented. Concepts of related risk assessment were introduced first, and a calculation model for information systems risk assessment was established after that. Then fuzzy sets were introduced into the theory of evidence. The basic probability assignments, which are core to the theory of evidence, were constructed using the membership function of fuzzy sets. Once the fuzzy relations between the risk index set and the evaluation standard were established, the problem that the basic probability assignments were difficult to determine was solved. Moreover, the result is more reasonable. An illustrative example demonstrates that the method was feasible and effective, and provides reasonable data for constituting the risk control strategy of information systems security.
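The core step described in the abstract, as an added example that is not the paper's own code: each indicator's membership degrees over the comment set become its basic probability assignment (BPA), and the indicator BPAs are fused with Dempster's rule to obtain the belief and plausibility of each risk grade. The three-grade comment set, the indicator names, the handling of membership sums that are not exactly 1 and every number are assumptions made for the example, not the paper's case-study data.

```python
"""Fuzzy-membership BPAs fused with Dempster's rule (added example, not the paper's code)."""
from functools import reduce

GRADES = ("low", "medium", "high")          # comment set / evaluation standard (assumed)
THETA = frozenset(GRADES)                   # frame of discernment

def bpa_from_membership(mu, frame=THETA):
    """Indicator membership degrees over the grades -> basic probability assignment.
    Assumption (not from the page): degrees summing above 1 are rescaled to 1;
    any shortfall below 1 is left on the whole frame as ignorance."""
    total = sum(mu.values())
    scale = 1.0 / total if total > 1.0 else 1.0
    m = {frozenset([g]): v * scale for g, v in mu.items() if v > 0}
    if total < 1.0:
        m[frame] = 1.0 - total
    return m

def dempster_combine(m1, m2):
    """Dempster's rule; returns (fused BPA, conflict mass K)."""
    fused, conflict = {}, 0.0
    for a, wa in m1.items():
        for b, wb in m2.items():
            inter = a & b
            if inter:
                fused[inter] = fused.get(inter, 0.0) + wa * wb
            else:
                conflict += wa * wb                # mass that lands on the empty set
    if conflict >= 1.0 - 1e-12:
        raise ValueError("total conflict: Dempster's rule is undefined")
    return {a: w / (1.0 - conflict) for a, w in fused.items()}, conflict

def belief(m, hyp):
    return sum(w for a, w in m.items() if a <= hyp)      # focal sets inside hyp

def plausibility(m, hyp):
    return sum(w for a, w in m.items() if a & hyp)       # focal sets touching hyp

def assess(fuzzy_relation):
    """Fuse every indicator's BPA; return {grade: (Bel, Pl)} for the decision."""
    bpas = [bpa_from_membership(mu) for mu in fuzzy_relation.values()]
    m = reduce(lambda acc, nxt: dempster_combine(acc, nxt)[0], bpas)
    return {g: (belief(m, {g}), plausibility(m, {g})) for g in GRADES}

# Constructed fuzzy relation R (indicator -> membership in each grade); the
# numbers are illustrative and are not the paper's case-study data.
RELATION = {
    "asset value":   {"low": 0.1, "medium": 0.3, "high": 0.6},  # sums to 1
    "vulnerability": {"low": 0.0, "medium": 0.5, "high": 0.3},  # 0.8 -> 0.2 ignorance
    "threat":        {"low": 0.2, "medium": 0.6, "high": 0.4},  # 1.2 -> rescaled
}
```

On this constructed relation `assess(RELATION)` grades the system "medium" (Bel 0.504) only narrowly ahead of "high" (0.480), and the 0.47 conflict mass from the first fusion is the signal a practitioner should inspect before trusting the fused grade.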
Authors
董晓宁
赵华容
李殿伟
王甲生
DONG Xiaoning; ZHAO Huarong; LI Dianwei; WANG Jiasheng (Naval Staff, Beijing 100841, China; Department of Information Security, Naval University of Engineering, Wuhan Hubei 430033, China)
Source
《信息网络安全》
CSCD
2017, No. 5, pp. 69-73 (5 pages)
Netinfo Security
Funding
Natural Science Foundation of Hubei Province [2015CFC867]
Keywords
DS evidence theory
fuzzy sets
information systems
risk assessment