影响网络信息安全的组织因素分析
|
摘要
随着计算机网络技术的日益更新,社会信息化程度的不断提高,网络信息业已成为社会经济发展和人们日常生活中不可或缺的工具。网络信息系统在各类组织中得到了广泛的应用,使得许多组织对网络信息的依赖性不断增强。然而,网络信息安全问题也日益尖锐。国内外大量文献研究发现,技术失误和人因失误不再是导致网络信息安全问题发生的最终答案,组织因素对网络信息系统这一复杂人机系统的安全影响重大。
本文从组织层面对可能引发网络信息安全问题的因素进行了探讨,运用问卷调查采集数据,使用探索性因子分析对组织因素进行识别,并应用验证性因子分析方法,建构并验证识别的组织因素。全文的研究共分为三部分:理论部分、实证研究部分和结论与展望部分。
在理论部分,一方面分析、归纳了网络信息安全基本特征及目标,综合分析了国内外学术界对网络信息安全的研究现状。另一方面,也对国内外现有组织因素分类进行了归类描述。在此基础上,结合网络信息安全的特点目标,对影响网络信息安全的组织因素进行分类分析。
在实证部分,首先采用探索性因子分析方法分析预试调查问卷采集的数据,对理论部分建立的组织因素分类进行识别;然后基于识别的组织因素设计正式调查问卷,并对收集的数据应用验证性因子分析方法对组织因素分类模型进行验证解释。
在结论与展望部分,列出了研究的主要成果,并对进一步研究要解决的问题进行了说明。
With sustainable development of the computer network technology, and ceaseless rising of society infomationization, as to the development of society economic and the daily life of people, network information already becomes the indispensable implement. The use of network information system is widly in variety organizations, so the dependence on information system is instantly rising. Nevertheless, the safe problem of network information is also gradually sharp. Large amount of domestic and foreign literature have discovered, the technology fault and human error are not the ultimate answer which leading to the safe problem of network information no longer, because of organizational factor significantly affects security of the network information system which is the complicated man-machine system.
This paper explores organizational factor which possibly trigger the problem of network information security. By collecting data from questionnaire survey, adopting exploratory factor analysis to discriminate the organizational factor, and useing structural equation modeling cofirme these factors. The research was divided into three parts:theory part, positivist research part and conclusion&expectation part.
In theory part, this paper analyses and concludes the character and the aim of network information security, also analyses it's current situation in domestic and foreign. Otherwise, Through classifying, describing the present organizational factors in domestic and foreign, combining the character and aim of network information security to builds an organizational classifying system which influence network information security.
In positivist research part, firstly, this paper adopt exploratory factor analysis analyse the data from preliminary investigation, to indentify and classify the organizational factor based on theory part and form the formal questionnaire survey, then confirm and explain the orgnizational factor and it's classified model by confirmatory factor analysis.
In conclusion&expectation part, this paper concludes the main research result and presents the contents of next research.
本文从组织层面对可能引发网络信息安全问题的因素进行了探讨,运用问卷调查采集数据,使用探索性因子分析对组织因素进行识别,并应用验证性因子分析方法,建构并验证识别的组织因素。全文的研究共分为三部分:理论部分、实证研究部分和结论与展望部分。
在理论部分,一方面分析、归纳了网络信息安全基本特征及目标,综合分析了国内外学术界对网络信息安全的研究现状。另一方面,也对国内外现有组织因素分类进行了归类描述。在此基础上,结合网络信息安全的特点目标,对影响网络信息安全的组织因素进行分类分析。
在实证部分,首先采用探索性因子分析方法分析预试调查问卷采集的数据,对理论部分建立的组织因素分类进行识别;然后基于识别的组织因素设计正式调查问卷,并对收集的数据应用验证性因子分析方法对组织因素分类模型进行验证解释。
在结论与展望部分,列出了研究的主要成果,并对进一步研究要解决的问题进行了说明。
With sustainable development of the computer network technology, and ceaseless rising of society infomationization, as to the development of society economic and the daily life of people, network information already becomes the indispensable implement. The use of network information system is widly in variety organizations, so the dependence on information system is instantly rising. Nevertheless, the safe problem of network information is also gradually sharp. Large amount of domestic and foreign literature have discovered, the technology fault and human error are not the ultimate answer which leading to the safe problem of network information no longer, because of organizational factor significantly affects security of the network information system which is the complicated man-machine system.
This paper explores organizational factor which possibly trigger the problem of network information security. By collecting data from questionnaire survey, adopting exploratory factor analysis to discriminate the organizational factor, and useing structural equation modeling cofirme these factors. The research was divided into three parts:theory part, positivist research part and conclusion&expectation part.
In theory part, this paper analyses and concludes the character and the aim of network information security, also analyses it's current situation in domestic and foreign. Otherwise, Through classifying, describing the present organizational factors in domestic and foreign, combining the character and aim of network information security to builds an organizational classifying system which influence network information security.
In positivist research part, firstly, this paper adopt exploratory factor analysis analyse the data from preliminary investigation, to indentify and classify the organizational factor based on theory part and form the formal questionnaire survey, then confirm and explain the orgnizational factor and it's classified model by confirmatory factor analysis.
In conclusion&expectation part, this paper concludes the main research result and presents the contents of next research.
引文
[1]魏倩.基于模糊层次分析法的网络信息安全评价研究[D].吉林:吉林大学,2008.
[2]杨旭.计算机网络信息安全技术研究[D].南京理工大学,2008.
[3]王以群,李鹏程,张力.网络信息安全中的人因失误分析[J].情报科学,2007,25(11):1706-1710.
[4]杨月江,刘士杰,耿子林.网络安全管理的分析与研究[J].商场现代化,2008,1:181.
[5]何德全.互联网时代信息安全的新思维[J].科学中国人,2003,10(1):14-15.
[6]张力,王以群,邓志良.复杂人——机系统中的人因失误[J].安全科学学报,1996,6(6):34-38.
[7]Dr Eugene Schultz. The human factor in security[J]. Computers&Security, 2005(24):425-426.
[8]Charles Cresson Wood, William W, Banks Jr. Human error:an overlooked but significant information security problem[J]. Computers&Security,1993(12): 51-60.
[9]Martin Bean. Human error at the center of IT Security Breaches[OL]. [2009-08-10]. http://www.newhorizons.com/elevate/Network%20Defense%20Contributed%20A rticle.pdf.
[10]Identification and assessment of organizational factors related to the safety of NPPs[R]. NEA/CSNI/R(98)17/VOL1,1999.
[11]Wagenaar W A, et al.Safety management in intensive care wards[A].Wilpert B, Qvale T U.Reliability and safety in hazardous work system[C]. UK, Hove: Lawrence Erlbaum Associates,1993:157-169.
[12]刘绘珍.影响复杂人机系统安全的组织因素分析[D].衡阳:南华大学,2007.
[13]Bell L, Padula L. Secure computing systems:Mathematicalfoundation and model[R]. MITRE Report,1973(2).
[14]Reason J. Managing the risks of organizational accidents[M]. Aldershot:4shgate Pulp Ltd,1997:11-45.
[15]Maxion R A, Reeder R W. Imp roving user-interf ace dependability through mitigation of human error[J]. International Journal of Human-Computer Studies, 2005,63(7):25-50.
[16]Johnston J, Eloff J H P, Labuschagne L. Security and human computer interfaces[J]. Computers & Security,2003,22(12):675-684.
[17]Vroom C, von Solms R. Towards information security behavioural compliance [J]. Computers & Security,2004,23(5):191-198.
[18]Wood C C. The human immune system as an information systems security reference mode[J]. Computers & Security,1987,6(12):511-516.
[19]Schumacher H J, Ghosh S. A fundamental framework for network security[J]. Journal of Network and Computer Applications,1997,20(7):305-322.
[20]H. J. Schumacher and Sumit Ghosh. A fundamental framework for network security[J]. Journal of Network and Computer Applications,1997,20:305-332.
[21]孙强.信息安全的纵深防御体系——人力防火墙[EB/OL].(2005-09-24)[2009-08-23].http://publish.it168.com/2004/0616/20040616002001.shtml.
[22]Ross Anderson. Why Cryptosystems Fail[J]. Communications of the ACM.1994, 37(11):32-40.
[23]Gordon, Sarah, Ford, Richard. Real world anti-virus product reviews and evaluations-Part 1. Network Security,2002.
[24]刘绘珍,张力,王以群.人因失误原因因素控制模型及屏障分析[J].工业工程,2007,10(6):13-17.
[25]刘绘珍,张力,张玉玲,等.影响系统安全的组织因素分类分析[J].核动力工程,2009,30(4):59-63.
[26]Reason J. Human Error[M]. New York:Cambridge University Press,1990: 20-35.
[27]IAEA. Organizational factors influencing human performance in nuclear power plants[R]. IAEA-TECDOC-943, INIS Clearinghouse of IAEA, Vienna,1995.
[28]Jacobs R, Haber S. Organizational processes and nuclear power plant safety[J]. Reliability Engineering and System Safety,1994,45:75-83.
[29]Atomic Engergy Control Board. Research Seneinar:AECB Organization and Management Assessment Research project[Z]. Ottawa,17 DIc.1997/98.
[30]ETF/PWG No.1. Organizational factors-identification and assessment(NEA/ CSNI/R(98)17)[Z].Issy-les-Moulineaux:OECD/NEA,1998.
[31]Hurst, N. W., Bellamy, L. J.& Geyer, T. A. W. Oganizational, management and human factors in quantified risk assessment[A]. A Theoretical and Empirical Basis for Modification of Risk Estimates[C]. London:Elsevier,1990:70-79.
[32]Rollenhagen, C. A framework for assessment of organizational characteristics and their influences on safety[J]. Safety Science Monitar,2000,4(1):1-16.
[33]Dien, Y., Llory M.,&Montmayeul, R. Organisational accidents investigation methodology and lessons learned[J]. Journal of Hazardous Materials,2004, 111(1-3),147-153.
[34]INSAG. Safety culture[R]. Safety Series No.75-INSAG-4, International Atomic Energy Agency, Vienna,1991.
[35]Lee, T. Assessment of safety culture at a nuclear reprocessing plant[J]. Work Stress,1998,12(3):217-237.
[36]张力,章逸民,吴当时,等.核电厂人因及组织行政管理安全审查体系[J].中国安全科学学报,2003,13(6):4-7.
[37]李永娟,王二平,李锋,等.核电组织错误的表现与类型[J].核动力工程,2003,24(4):380-383.
[38]Wood C C, Banks W W, Jr. Human error:An overlooked but significant information security problem[J]. Computers & Security,1993,12(1):51-60.
[39]Kim J. W, Jung W. A taxonomy of performance influencing factors for human reliability analysis of emergency tasks[J]. Loss Prevention,2003,16(6):479-495.
[40]Gordon, R. P. E. The contribution of human factors to accidents in the offshore oil industry[J]. Reliability Engineering and System Safety,1998,61:95-108.
[41]Scott A. Shappell, Douglas A. Wiegmann. The Human Factors Analysis and Classification System-HFACS[R]. DOT/FAA/AM-00/7. Office of Aviation Medicine Washington, DC 20591,2000.
[42]Terry L. von Thaden, Douglas A. Wiegmann, Scott A.Shappell. Measuring Organizational Factors in Airline Safety[R]. AHFD-03-11/FAA-03-3, University of Illinois at Urbana-Champaign 1 Airport Road Savoy, Illinois 61874,2004.
[43]van Vuuren W. Oganizational failure:lessons from industry applied in the medical domain[J]. Safety Science,1999,33(1-2):13-29.
[44]Chang Y. H. J, Mosleh. A. Cognitive modeling and dynamic probabilistic simulation of operating crew response to complex system accidents. Part 4:IDAC causal model of operator problem-solving response[J]. Reliability Engineering and System Safety,2007,92(8):1061-1075.
[45]彭澎,黄曙东.组织管理因素对人因事故的作用与影响[J].人类工效学,2001,7(2):53-57.
[46]张力.概率安全与人因可靠性分析技术[M].北京:原子能出版社,2006:10-80.
[47]郑海航.企业组织论[M].北京:经济管理出版社,2004:10-110.
[48]WANO. Guidelines for the Organization and Administration of Nuclear Power Plants[M]. June 2001:5-60.
[49]田丽.网络环境下企业信息安全管理组织机构设计[J].东北财经大学学报,2008,57:70-72.
[50]廉士乾.组织因素影响下的人因可靠性分析研究[D].衡阳:南华大学,2008.
[51]李永娟,王二平.组织错误的研究[J].人类工效学,2001,7(3):48-50.
[52]唐枫.倡导安全文化提高安全管理[J].工业安全与防尘,2001,(1).
[53]培养安全文化,确保煤矿安全[N].参考消息,2005-08-25.
[54]张卫清,王以群.网络安全与网络文化[J].情报杂志,2006年第1期:49-51.
[55]胡泉军.信息安全管理中的组织管理失误[D].衡阳:南华大学,2009.
[56]宋洪涛.考虑组织管理因素整体影响的人因可靠性分析方法研究[D].衡阳:南华大学,2008.
[57]柳恒超.结构方程模型应用中模型选择的原理和方法[J].心理学探新,2007.1:75-78
[58]荣泰生.AMOS与研究方法[M].重庆:重庆大学出版社,2009:1-50.
[2]杨旭.计算机网络信息安全技术研究[D].南京理工大学,2008.
[3]王以群,李鹏程,张力.网络信息安全中的人因失误分析[J].情报科学,2007,25(11):1706-1710.
[4]杨月江,刘士杰,耿子林.网络安全管理的分析与研究[J].商场现代化,2008,1:181.
[5]何德全.互联网时代信息安全的新思维[J].科学中国人,2003,10(1):14-15.
[6]张力,王以群,邓志良.复杂人——机系统中的人因失误[J].安全科学学报,1996,6(6):34-38.
[7]Dr Eugene Schultz. The human factor in security[J]. Computers&Security, 2005(24):425-426.
[8]Charles Cresson Wood, William W, Banks Jr. Human error:an overlooked but significant information security problem[J]. Computers&Security,1993(12): 51-60.
[9]Martin Bean. Human error at the center of IT Security Breaches[OL]. [2009-08-10]. http://www.newhorizons.com/elevate/Network%20Defense%20Contributed%20A rticle.pdf.
[10]Identification and assessment of organizational factors related to the safety of NPPs[R]. NEA/CSNI/R(98)17/VOL1,1999.
[11]Wagenaar W A, et al.Safety management in intensive care wards[A].Wilpert B, Qvale T U.Reliability and safety in hazardous work system[C]. UK, Hove: Lawrence Erlbaum Associates,1993:157-169.
[12]刘绘珍.影响复杂人机系统安全的组织因素分析[D].衡阳:南华大学,2007.
[13]Bell L, Padula L. Secure computing systems:Mathematicalfoundation and model[R]. MITRE Report,1973(2).
[14]Reason J. Managing the risks of organizational accidents[M]. Aldershot:4shgate Pulp Ltd,1997:11-45.
[15]Maxion R A, Reeder R W. Imp roving user-interf ace dependability through mitigation of human error[J]. International Journal of Human-Computer Studies, 2005,63(7):25-50.
[16]Johnston J, Eloff J H P, Labuschagne L. Security and human computer interfaces[J]. Computers & Security,2003,22(12):675-684.
[17]Vroom C, von Solms R. Towards information security behavioural compliance [J]. Computers & Security,2004,23(5):191-198.
[18]Wood C C. The human immune system as an information systems security reference mode[J]. Computers & Security,1987,6(12):511-516.
[19]Schumacher H J, Ghosh S. A fundamental framework for network security[J]. Journal of Network and Computer Applications,1997,20(7):305-322.
[20]H. J. Schumacher and Sumit Ghosh. A fundamental framework for network security[J]. Journal of Network and Computer Applications,1997,20:305-332.
[21]孙强.信息安全的纵深防御体系——人力防火墙[EB/OL].(2005-09-24)[2009-08-23].http://publish.it168.com/2004/0616/20040616002001.shtml.
[22]Ross Anderson. Why Cryptosystems Fail[J]. Communications of the ACM.1994, 37(11):32-40.
[23]Gordon, Sarah, Ford, Richard. Real world anti-virus product reviews and evaluations-Part 1. Network Security,2002.
[24]刘绘珍,张力,王以群.人因失误原因因素控制模型及屏障分析[J].工业工程,2007,10(6):13-17.
[25]刘绘珍,张力,张玉玲,等.影响系统安全的组织因素分类分析[J].核动力工程,2009,30(4):59-63.
[26]Reason J. Human Error[M]. New York:Cambridge University Press,1990: 20-35.
[27]IAEA. Organizational factors influencing human performance in nuclear power plants[R]. IAEA-TECDOC-943, INIS Clearinghouse of IAEA, Vienna,1995.
[28]Jacobs R, Haber S. Organizational processes and nuclear power plant safety[J]. Reliability Engineering and System Safety,1994,45:75-83.
[29]Atomic Engergy Control Board. Research Seneinar:AECB Organization and Management Assessment Research project[Z]. Ottawa,17 DIc.1997/98.
[30]ETF/PWG No.1. Organizational factors-identification and assessment(NEA/ CSNI/R(98)17)[Z].Issy-les-Moulineaux:OECD/NEA,1998.
[31]Hurst, N. W., Bellamy, L. J.& Geyer, T. A. W. Oganizational, management and human factors in quantified risk assessment[A]. A Theoretical and Empirical Basis for Modification of Risk Estimates[C]. London:Elsevier,1990:70-79.
[32]Rollenhagen, C. A framework for assessment of organizational characteristics and their influences on safety[J]. Safety Science Monitar,2000,4(1):1-16.
[33]Dien, Y., Llory M.,&Montmayeul, R. Organisational accidents investigation methodology and lessons learned[J]. Journal of Hazardous Materials,2004, 111(1-3),147-153.
[34]INSAG. Safety culture[R]. Safety Series No.75-INSAG-4, International Atomic Energy Agency, Vienna,1991.
[35]Lee, T. Assessment of safety culture at a nuclear reprocessing plant[J]. Work Stress,1998,12(3):217-237.
[36]张力,章逸民,吴当时,等.核电厂人因及组织行政管理安全审查体系[J].中国安全科学学报,2003,13(6):4-7.
[37]李永娟,王二平,李锋,等.核电组织错误的表现与类型[J].核动力工程,2003,24(4):380-383.
[38]Wood C C, Banks W W, Jr. Human error:An overlooked but significant information security problem[J]. Computers & Security,1993,12(1):51-60.
[39]Kim J. W, Jung W. A taxonomy of performance influencing factors for human reliability analysis of emergency tasks[J]. Loss Prevention,2003,16(6):479-495.
[40]Gordon, R. P. E. The contribution of human factors to accidents in the offshore oil industry[J]. Reliability Engineering and System Safety,1998,61:95-108.
[41]Scott A. Shappell, Douglas A. Wiegmann. The Human Factors Analysis and Classification System-HFACS[R]. DOT/FAA/AM-00/7. Office of Aviation Medicine Washington, DC 20591,2000.
[42]Terry L. von Thaden, Douglas A. Wiegmann, Scott A.Shappell. Measuring Organizational Factors in Airline Safety[R]. AHFD-03-11/FAA-03-3, University of Illinois at Urbana-Champaign 1 Airport Road Savoy, Illinois 61874,2004.
[43]van Vuuren W. Oganizational failure:lessons from industry applied in the medical domain[J]. Safety Science,1999,33(1-2):13-29.
[44]Chang Y. H. J, Mosleh. A. Cognitive modeling and dynamic probabilistic simulation of operating crew response to complex system accidents. Part 4:IDAC causal model of operator problem-solving response[J]. Reliability Engineering and System Safety,2007,92(8):1061-1075.
[45]彭澎,黄曙东.组织管理因素对人因事故的作用与影响[J].人类工效学,2001,7(2):53-57.
[46]张力.概率安全与人因可靠性分析技术[M].北京:原子能出版社,2006:10-80.
[47]郑海航.企业组织论[M].北京:经济管理出版社,2004:10-110.
[48]WANO. Guidelines for the Organization and Administration of Nuclear Power Plants[M]. June 2001:5-60.
[49]田丽.网络环境下企业信息安全管理组织机构设计[J].东北财经大学学报,2008,57:70-72.
[50]廉士乾.组织因素影响下的人因可靠性分析研究[D].衡阳:南华大学,2008.
[51]李永娟,王二平.组织错误的研究[J].人类工效学,2001,7(3):48-50.
[52]唐枫.倡导安全文化提高安全管理[J].工业安全与防尘,2001,(1).
[53]培养安全文化,确保煤矿安全[N].参考消息,2005-08-25.
[54]张卫清,王以群.网络安全与网络文化[J].情报杂志,2006年第1期:49-51.
[55]胡泉军.信息安全管理中的组织管理失误[D].衡阳:南华大学,2009.
[56]宋洪涛.考虑组织管理因素整体影响的人因可靠性分析方法研究[D].衡阳:南华大学,2008.
[57]柳恒超.结构方程模型应用中模型选择的原理和方法[J].心理学探新,2007.1:75-78
[58]荣泰生.AMOS与研究方法[M].重庆:重庆大学出版社,2009:1-50.