一种信息安全价值评估系统的设计与实现
|
摘要
信息社会的到来给人类社会的生产、生活带来了巨大的影响,人们对信息的依赖性也愈加强烈,而同时信息安全问题也成为信息基础设施的严峻考验。政府、企业等组织对信息安全工作也越来越重视。然而,信息安全投入的价值如何体现,是信息安全投资决策者关心的问题。现实的状况是:没有一个成熟的、可操作性较强的方法论支持对信息安全投入的价值进行评估。
本文试图找出一个定量的、可操作的、切合实际的模型来衡量信息安全的价值,以衡量信息安全工作成效、辅助决策者进行投资决策。
本文在当前信息安全价值相关理论研究的基础上,将信息安全的价值分为经济价值和非经济价值两种。同时将经济价值划分为风险的降低和成本的节省两部分。本文从企业实践出发,对风险降低分析和成本节省分析都给出了详细的量化过程推导步骤,保证了评估的可信度和可操作性。对于非经济价值,本文设计了切实可行的安全能力问卷、BS7799符合性问卷,以此从正面定量反映组织的信息安全水平。
最后,本文设计了一个实际的系统以辅助信息安全价值评估,它通过Excel收集必要的数据,经过内部计算后,以Word报告反映评估结果。
Information technology has brought great improvement to the whole society. While information is becoming more and more important for people, information infrastructure is facing more and more security threats. Organizations such as governments and companies are paying more attention to information security problems. How to evaluate the value of information security investment is one of the key issues for decision-makers. But currently there is not a mature and maneuverable methodology for decision-makers to evaluate the value of information security investment.
This paper tries to build a quantitative, maneuverable and practical model to evaluate the value of information security investment and the effectiveness of information security work, helping decision-makers to do a proper investment decision.
Based on the information security value related theories, this paper divides the value of information security investment into two parts: economic part and non-economic part. And also the economic part is divided into two parts: risk mitigated and cost savings. Based on the best practice of a large IT company, this paper gives the detail steps of analyzing the risk mitigated and cost savings. And these steps can guarantee the maneuverability and reliability of the whole evaluating process. For the non-economic part, this paper designs practical security capability questionnaires and BS7799 compliance questionnaire. Answers to these questionnaires can reflect the information security level of an organization.
Besides the theoretical methodology and operation procedure, a real system is also build for administrators to evaluate the value of security investment. It collects data in the form of Excel and gives the final Word report of the calculated results.
本文试图找出一个定量的、可操作的、切合实际的模型来衡量信息安全的价值,以衡量信息安全工作成效、辅助决策者进行投资决策。
本文在当前信息安全价值相关理论研究的基础上,将信息安全的价值分为经济价值和非经济价值两种。同时将经济价值划分为风险的降低和成本的节省两部分。本文从企业实践出发,对风险降低分析和成本节省分析都给出了详细的量化过程推导步骤,保证了评估的可信度和可操作性。对于非经济价值,本文设计了切实可行的安全能力问卷、BS7799符合性问卷,以此从正面定量反映组织的信息安全水平。
最后,本文设计了一个实际的系统以辅助信息安全价值评估,它通过Excel收集必要的数据,经过内部计算后,以Word报告反映评估结果。
Information technology has brought great improvement to the whole society. While information is becoming more and more important for people, information infrastructure is facing more and more security threats. Organizations such as governments and companies are paying more attention to information security problems. How to evaluate the value of information security investment is one of the key issues for decision-makers. But currently there is not a mature and maneuverable methodology for decision-makers to evaluate the value of information security investment.
This paper tries to build a quantitative, maneuverable and practical model to evaluate the value of information security investment and the effectiveness of information security work, helping decision-makers to do a proper investment decision.
Based on the information security value related theories, this paper divides the value of information security investment into two parts: economic part and non-economic part. And also the economic part is divided into two parts: risk mitigated and cost savings. Based on the best practice of a large IT company, this paper gives the detail steps of analyzing the risk mitigated and cost savings. And these steps can guarantee the maneuverability and reliability of the whole evaluating process. For the non-economic part, this paper designs practical security capability questionnaires and BS7799 compliance questionnaire. Answers to these questionnaires can reflect the information security level of an organization.
Besides the theoretical methodology and operation procedure, a real system is also build for administrators to evaluate the value of security investment. It collects data in the form of Excel and gives the final Word report of the calculated results.
引文
[1]中国互联网络信息中心(CNNIC)中国互联网发展状况报告2007年7月http://www.cnnic.net.cn/uploadfiles/pdf/2007/7/18/113918.pdf
[2]北京瑞星科技股份有限公司2007上半年中国大陆地区电脑病毒疫情&互联网安全报告 http://download.rising.com.cn/for_down/2007/annual.pdf
[3]Department of Trade and Industry,UK DTI Information Security Breaches Survey 2006 http://www.enisa.europa.eu/doc/pdf/studies/dtiisbs2006.pdf
[4]国家计算机网络应急技术处理协调中心(CNCERT/CC)2006年网络安全工作报告 http://www.cert.org.cn/UserFiles/File/2006CNCERTCCAnnualReport_Chinese.pdf
[5]Gordon,L.,and Loeb,M.The economics of information security investment.ACM Trans,Inf.Syst.Sec.5,4(2002),438-457.
[6]Lawrence A.Gordon and Martin P.Loeb Budgeting Process for Information Security Expenditures COMMUNICATIONS OF THE ACM January 2006/Vol.49,No.1 121-125
[7]邹媚,彭晓炎NPV法和实物期权法在投资决策中的应用比较 华北水利水电学院学报(社科版)第23卷第5期2007年10月52-55
[8]黄佑军 关于项目投资评估中IRR法及其延伸方法的探讨会计之友(下)2006年第3期 75-76
[9]Ashish Arora,Dennis Hall,C.Ariel Pinto etc.Measuring the Risk-Based Value of IT Security Solutions IT Pro of IEEE November & December 200435-42
[10]牛旭明,李智勇,桂坚勇等 信息安全风险评估中的关键技术信息安全与通信保密 2007年04期17-20
[11]王桢珍,谢永强,武晓悦等 信息安全风险管理研究信息安全与通信保密2007年08期 162-164
[12]陈鋉,胡作进,蔡淑珍 信息系统安全风险评估模型研究 计算机应用与软件2007年06期 73-75
[13]杨继华信息安全风险评估模型及方法研究[学位论文]西安 西安电子科技大学 2007
[14]洪焕健,郑建华 简介BS7799信息安全管理标准 信息网络与安全 2005年09期17-18
[15]罗思ISO/IEC27001信息安全管理体系标准浅析 中国标准化2007年04期第21页
[16]郑鑫 简介国际信息安全管理度量标准 信息网络安全 2007年01期18-19
[17]束红,苏国平,费翔 信息安全相关标准的分析与研究 网络安全技术与应用2005年03期 62-63
[18]于慧龙 信息安全管理标准BS7799及其应用 信息网络安全 2002年02期45-46
[19]Steve Foster and Bob Pacl Analysis of Return on Investment for Informat ion Security http://www.getronics.com/NR/rdonlyres/ejhsokxgywr3iom4mn4v q43173fmqzsqbsnz47jd2thnvawjlceksww2zuu3yd33tnybjcjmjbtbmyfyxa2r4nhpur e/wp_analysis_return_on_investment.pdf
[2]北京瑞星科技股份有限公司2007上半年中国大陆地区电脑病毒疫情&互联网安全报告 http://download.rising.com.cn/for_down/2007/annual.pdf
[3]Department of Trade and Industry,UK DTI Information Security Breaches Survey 2006 http://www.enisa.europa.eu/doc/pdf/studies/dtiisbs2006.pdf
[4]国家计算机网络应急技术处理协调中心(CNCERT/CC)2006年网络安全工作报告 http://www.cert.org.cn/UserFiles/File/2006CNCERTCCAnnualReport_Chinese.pdf
[5]Gordon,L.,and Loeb,M.The economics of information security investment.ACM Trans,Inf.Syst.Sec.5,4(2002),438-457.
[6]Lawrence A.Gordon and Martin P.Loeb Budgeting Process for Information Security Expenditures COMMUNICATIONS OF THE ACM January 2006/Vol.49,No.1 121-125
[7]邹媚,彭晓炎NPV法和实物期权法在投资决策中的应用比较 华北水利水电学院学报(社科版)第23卷第5期2007年10月52-55
[8]黄佑军 关于项目投资评估中IRR法及其延伸方法的探讨会计之友(下)2006年第3期 75-76
[9]Ashish Arora,Dennis Hall,C.Ariel Pinto etc.Measuring the Risk-Based Value of IT Security Solutions IT Pro of IEEE November & December 200435-42
[10]牛旭明,李智勇,桂坚勇等 信息安全风险评估中的关键技术信息安全与通信保密 2007年04期17-20
[11]王桢珍,谢永强,武晓悦等 信息安全风险管理研究信息安全与通信保密2007年08期 162-164
[12]陈鋉,胡作进,蔡淑珍 信息系统安全风险评估模型研究 计算机应用与软件2007年06期 73-75
[13]杨继华信息安全风险评估模型及方法研究[学位论文]西安 西安电子科技大学 2007
[14]洪焕健,郑建华 简介BS7799信息安全管理标准 信息网络与安全 2005年09期17-18
[15]罗思ISO/IEC27001信息安全管理体系标准浅析 中国标准化2007年04期第21页
[16]郑鑫 简介国际信息安全管理度量标准 信息网络安全 2007年01期18-19
[17]束红,苏国平,费翔 信息安全相关标准的分析与研究 网络安全技术与应用2005年03期 62-63
[18]于慧龙 信息安全管理标准BS7799及其应用 信息网络安全 2002年02期45-46
[19]Steve Foster and Bob Pacl Analysis of Return on Investment for Informat ion Security http://www.getronics.com/NR/rdonlyres/ejhsokxgywr3iom4mn4v q43173fmqzsqbsnz47jd2thnvawjlceksww2zuu3yd33tnybjcjmjbtbmyfyxa2r4nhpur e/wp_analysis_return_on_investment.pdf