
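A Security Risk Evaluation Model for IT System and Its Application on Railway Passenger Ticket System
Cite this article: LI Hetian, LIU Yun, HE Dequan. A Security Risk Evaluation Model for IT System and Its Application on Railway Passenger Ticket System[J]. China Railway Science, 2007, 28(1): 127-130.
Authors: LI Hetian  LIU Yun  HE Dequan
Affiliation: School of Electronics and Information Engineering, Beijing Jiaotong University, Beijing 100044
Funding: National High Technology Research and Development Program of China (863 Program)
Abstract: This paper proposes a comprehensive model and method for assessing information system security risk based on fuzzy comprehensive evaluation theory, with the goal of quantifying information system security risk. By determining the information system's security risk factor set, indicator set, and the set of factor weight coefficients, a fuzzy comprehensive evaluation matrix for security risk is built and applied to the security risk assessment of the railway passenger ticket reservation and sales system. The railway passenger ticket reservation and sales system comprises information assets and physical assets, and faces security threats from the system itself, the external environment, people, and nature. The model is applied to quantitatively calculate the security risk value of the Web component of the railway passenger ticket reservation and sales system. The calculated values identify the high-risk components of the information system, giving the departments that manage and use the system a theoretical basis for adopting appropriate protective technologies and management measures, thereby enhancing system security.

Keywords: Information system security  Risk assessment  Railway passenger ticket system  Fuzzy mathematics
Article ID: 1001-4632(2007)01-0127-04
Received: 2006-02-09
Revised: 2006-10-31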

A Security Risk Evaluation Model for IT System and Its Application on Railway Passenger Ticket System
LI Hetian,LIU Yun,HE Dequan.A Security Risk Evaluation Model for IT System and Its Application on Railway Passenger Ticket System[J].China Railway Science,2007,28(1):127-130.
Authors:LI Hetian  LIU Yun  HE Dequan
Institution: School of Electronics and Information Engineering, Beijing Jiaotong University, Beijing 100044, China
Abstract: A security risk evaluation method based on fuzzy-set comprehensive evaluation theory is presented in this paper with the aim of quantitatively assessing security risk. The security risk is evaluated by constructing the fuzzy matrix for security risk from the risk factor set, the security risk indicator sets and the weight coefficients of the security risk factors, and the method is applied to the railway passenger ticket system. The security targets of the railway passenger ticket system consist of system security, availability, identification authenticity and transaction reliability, in order to protect the physical assets and information assets against threats that come from the system itself, personnel, the environment and natural disasters. The proposed model for security risk evaluation is used to calculate the security severity of the Web server of the system. The numeric results also provide a way to identify the most critical component of the system, which should receive enough attention from the system administrator to take the appropriate technical or administrative security measures or controls to enhance the security of the system.
Keywords:Information system security  Risk assessment  Railway passenger ticket system  Fuzzy mathematics
This article is indexed in CNKI, VIP, Wanfang Data and other databases.