Source information
Abstract
English
Risk evaluation is the core process of information security risk management. An effective risk evaluation protects an organization and preserves its ability to carry out its missions and activities in the face of threats, while also helping it implement the controls and safeguards that are actually needed. Traditional information security risk evaluation approaches, however, lack granular analysis and a clear expression of the security characteristics of a risk, such as its possibility, attack path, and business impact. This paper presents a scenario-based information security risk evaluation method that, drawing on the model of an Advanced Persistent Threat (APT) attack, constructs risk scenarios in order to evaluate the security risk status of an information system. Separating the analysis of technical impact from the analysis of business impact helps technicians and business decision makers each grasp the system's risk status from the perspective of their own responsibilities. At the end of the paper, we present a practical risk scenario construction example, which provides scientific and effective guidance for preparing a risk evaluation report.
Table of Contents
1. Introduction
2. Scenario-based Information Security Risk Evaluation Method
3. Factors of Constructing the Risk Scenario
3.1 Time Factor
3.2 Location Factor
3.3 Threat Source Factor
3.4 Threat Means Factor
3.5 Vulnerability Factor
3.6 Possibility Factor
3.7 Impact Factor
4. Method for Information Security Risk Integration
4.1 Risk Scenarios Integration between Similar System Components
4.2 Risk Scenarios Integration between System Components
4.3 Risk Scenarios Integration between Information Systems
4.4 Inter-Institution Risk Scenarios Integration
5. Risk Scenario Constructing Example
6. Conclusions
Acknowledgements
References
