
Research on key technology of security risk assessment based on classified cybersecurity protection idea
Cite this article: Zhang Yan, Ma Yanni, Si Qun. Research on key technology of security risk assessment based on classified cybersecurity protection idea [J]. Railway Computer Application, 2020, 29(8): 28-32
Authors: Zhang Yan, Ma Yanni, Si Qun
Affiliation: Institute of Computing Technologies, China Academy of Railway Sciences Corporation Limited, Beijing 100081, China
Funding: Science and Technology Research and Development Program of China State Railway Group Co., Ltd. (K2018S002)
Abstract: This paper proposes a cybersecurity risk assessment model based on the idea of classified cybersecurity protection, addressing the problem of analyzing and assessing the risk of a system's overall security status after a classified cybersecurity protection assessment has been carried out. By analyzing the similarities and differences between classified cybersecurity protection and risk assessment, the relationship between the two is derived. Through an in-depth study of the identification and value assignment of the three elements of assets, vulnerabilities and threats, the paper proposes a three-dimensional asset value assignment method, a CVSS calculation method for vulnerability assignment, and the A. J. Klee method for calculating threat frequency and impact weight. A security risk quadrant diagram is also constructed, in which the severity of a security risk is assessed according to where the security event falls in the diagram. The research results help enterprises and public institutions combine classified cybersecurity protection assessment with risk assessment in their practical cybersecurity work.

Keywords: risk assessment; classified cybersecurity protection; model
Received: 2020-03-30