Research on key technology of security risk assessment based on classified cybersecurity protection idea (cited by: 7)
Abstract: This paper proposes a cybersecurity risk assessment model based on the idea of classified cybersecurity protection, addressing the problem of analyzing and assessing the risk of a system's overall security status after a classified protection assessment has been carried out. By analyzing the similarities and differences between classified protection and risk assessment, the relationship between the two is derived. Through an in-depth study of the identification and value assignment of the three elements (assets, vulnerabilities and threats), the paper proposes a three-dimension asset value assignment method, a CVSS-based calculation method for vulnerability values, and the A. J. Klee method for calculating threat frequency and impact weight. A security risk quadrant diagram is also constructed, in which the severity of a security event's risk is assessed according to where the event falls in the diagram. The results help enterprises and public institutions combine classified protection evaluation and risk assessment in their actual cybersecurity work.
Authors: ZHANG Yan; MA Yanni; SI Qun (Institute of Computing Technologies, China Academy of Railways Sciences Corporation Limited, Beijing 100081, China)
Source: Railway Computer Application (《铁路计算机应用》), 2020, No. 8, pp. 28-32 (5 pages)
Funding: Science and Technology Research and Development Program of China State Railway Group Co., Ltd. (K2018S002).
Keywords: risk assessment; classified protection; model