Research on a Business-Process-Based Information Security Risk Measurement Method
Abstract
Information security research and practice is one of the current hot topics. As information security construction work gradually deepens, an increasingly prominent and important question is: "What is the effect of information security construction, what exactly is its influence on business applications, and what method should be used to measure it precisely?"
     This thesis proposes a business-process-based information security risk measurement method, attempting to solve two difficult problems in the field of information security risk assessment:
     (1) How to measure information security risk precisely, so that to a certain extent it directly reflects the impact of information security on business. (The analysis of business impact in the thesis is limited to the impact on the turnover cycle of business processes, because that cycle is an important indicator of whether an information system can provide services in a timely and effective way to accomplish its predetermined business goals.)
     (2) How to make effective use of the risk measurement results to select security measures under the concept of appropriate security.
     The main research contents include:
     (1) Recursive analysis of a threat's successful exploitation of vulnerabilities
     Whether an information security risk occurs depends on the threat's exploitation of vulnerabilities. To determine the complex relationship between threats and vulnerabilities, the following problems must be solved:
     a. Determining the possible paths by which a threat exploits vulnerabilities; these paths are determined by the network topology;
     b. Vulnerabilities are interrelated; this thesis introduces the concepts of "component controllability degree and exploitability degree" to recursively analyse the process and outcome of a threat's successful exploitation of vulnerabilities.
     (2) Analysis of the impact on business processes after a threat successfully exploits vulnerabilities
     Successful exploitation of a vulnerability causes a change in the running state of the threat target (i.e. the IT asset, called in this thesis a node on the threat path).
     The basic building block of a business process is the business activity, and different node state changes have different effects on the state of business activities. The state changes of a business activity form a finite state machine.
     By establishing the relationship between node states and the business-activity finite state machine, this thesis converts the problem of the business impact of successful exploitation into the problem of the relationship between node state changes and the business-activity finite state machine.
     (3) Risk calculation based on business process analysis
     The purpose of information security is to guarantee the normal and effective operation of information systems (their business processing capability), and the turnover cycle of a business process is an important indicator of business processing capability. Therefore, this thesis attempts to use the turnover cycle as the measurement baseline for risk impact.
     State changes of business activities are the decisive factor affecting changes in the turnover cycle. Once the relationship between node states and the business-activity finite state machine has been established, with the process turnover cycle as the measurement baseline for business impact, the information security risk calculation problem is finally converted into the problem of solving for the change in turnover cycle.
     (4) A security policy decision model based on risk measurement
     The results obtained by the risk measurement method above are taken as the basis for security policy selection, and a formal security policy decision model is established for a single-business-process application structure, determining the minimum number of security policies needed within the tolerable risk range.
     (5) An evaluation method for information security risk assessment
     There are many information security risk assessment modes and methods; how can one judge whether an assessment suits the current security needs? This thesis summarises the constituent elements of an assessment <assessment basis, business focus, measurement method, assessment results, process assurance> and takes them as evaluation indicators for information security risk assessment methods.
With the gradual development of information security research, some prominent and important issues for every information security control include: 1) How strong is the protection? 2) How can its influence on business applications be evaluated? 3) How can the effect be measured accurately?
     An information security risk (ISR) metrics method based on business process is proposed, in order to try to solve the following two problems in the ISR assessment field.
     (1) How to establish an information security risk metrics method by which the protection effect on business can, to some degree, be calculated directly.
     In this paper, the protection effect on business is focused on business process turnover time, which is an important index of business goals because it shows whether the underpinning information system provides its service in time and effectively.
     (2) How to effectively exploit the ISR assessment result to choose security policies at an appropriate security degree.
     This paper mainly includes:
     (1) Recursive analysis of vulnerabilities exploited successfully by a potential attacker
     Whether an information security risk occurs or not depends on the threat's exploitation of vulnerabilities. The following problems should be discussed for the complicated relationship between threat and vulnerability.
     a. The possible paths of a given threat agent exercising a potential vulnerability should be calculated by use of the network topology;
     b. The process and result of a threat's exercise of a vulnerability are researched recursively by introducing two concepts, component controllable degree and component available degree.
     (2) Impact on the business process caused by a threat's utilization of a vulnerability
     The threat's successful utilization of a vulnerability can change the running state of the threat target (that is, an IT asset, called a node of the threat path).
     The basic unit of a business process is a business activity. The running states of a business activity, which depend on the running states of the nodes, constitute a finite state machine.
     In this article, the calculation of the impact on business caused by a threat's successful utilization of a vulnerability is transferred into research on the relationship between the states of nodes and the states of business activities, by relating the states of a node to the finite state machine of a business activity.
     (3) Risk calculation based on business process
     The purpose of information security is to ensure the safe and effective operation of the business, for which the business process turnover time is an important performance index of the business handling capacity. Hence, the business process turnover time is regarded as the metrics base of the risk influence.
     The state change of a business activity is the critical factor which causes the change of the business process turnover time. By establishing the relation between the node states and the finite state machine of the business activity, the ISR calculation is eventually converted into solving for the change of the process turnover time.
     (4) Security policy decision model based on risk metrics
     A formal security policy decision model is established for the single business process by regarding the measurement result of the proposed ISR metrics method as the decision standard for security policy. Within a given residual risk value, the minimum number of security policies required can be calculated.
     (5) Evaluation method for information security evaluation
     How can the suitability for the current security requirements be evaluated when confronted with numerous information security evaluation methods and modes? Five factors, evaluation standard, business concern degree, metrics base, evaluation result and procedure assurance, are considered as evaluation indices for an information security evaluation method.
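As an added illustration of items (2) to (4) of both summaries above (this is not code from the thesis), the toy Python model below lets node states drive a business-activity finite state machine, uses process turnover time as the risk baseline, and picks the smallest set of security policies that keeps the turnover-time increase within a tolerable bound. The transition table, duration factors, the sample process and the assumption that one policy restores one node to normal are all constructed here.

```python
from itertools import combinations

# Business-activity finite state machine (assumed transition table): a node-state
# event ("normal", "degraded" or "down") moves the activity to a state at least
# as severe as its current one, so the result is independent of node order.
ACTIVITY_FSM = {
    ("running", "normal"): "running",   ("running", "degraded"): "delayed",
    ("running", "down"): "blocked",     ("delayed", "normal"): "delayed",
    ("delayed", "degraded"): "delayed", ("delayed", "down"): "blocked",
    ("blocked", "normal"): "blocked",   ("blocked", "degraded"): "blocked",
    ("blocked", "down"): "blocked",
}
# Assumed effect of an activity state on its duration (blocked = never completes).
DURATION_FACTOR = {"running": 1.0, "delayed": 2.0, "blocked": float("inf")}

# Constructed sample: one business process of three sequential activities, each
# with a nominal duration in hours and the nodes (IT assets) it depends on.
PROCESS = [
    {"name": "order_entry", "hours": 1.0, "nodes": ["web", "db"]},
    {"name": "credit_check", "hours": 2.0, "nodes": ["db", "credit_api"]},
    {"name": "fulfilment", "hours": 3.0, "nodes": ["db", "erp"]},
]

def activity_state(activity, node_states):
    """Drive the activity FSM with the states of the nodes it depends on."""
    state = "running"
    for node in activity["nodes"]:
        state = ACTIVITY_FSM[(state, node_states.get(node, "normal"))]
    return state

def turnover_time(process, node_states):
    """Process turnover time: nominal activity durations scaled by their state."""
    return sum(a["hours"] * DURATION_FACTOR[activity_state(a, node_states)]
               for a in process)

def risk(process, node_states):
    """Risk metric: increase of turnover time over the all-nodes-normal baseline."""
    return turnover_time(process, node_states) - turnover_time(process, {})

def min_policies(process, node_states, tolerable_increase):
    """Smallest set of nodes to protect (assumption: one policy restores one node
    to 'normal') such that the residual risk stays within the tolerable increase."""
    affected = [n for n, s in node_states.items() if s != "normal"]
    for k in range(len(affected) + 1):
        for chosen in combinations(affected, k):
            residual = {n: "normal" if n in chosen else s
                        for n, s in node_states.items()}
            if risk(process, residual) <= tolerable_increase:
                return set(chosen)
    return None
```

With `db` degraded and `erp` down, a tolerable increase of 6 hours is met by protecting `erp` alone, while 3 hours requires protecting both nodes.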