Information system security risk assessment method and device

An information system security risk assessment technology, applied in computer security devices, instruments, electrical digital data processing, etc. It addresses problems such as complex mapping relationships and calculations, distorted risk status evaluation, and difficulty of implementation, thereby solving the risk quantification problem and improving accuracy and confidence.

Active Publication Date: 2014-08-20
SHANXI CHINA MOBILE COMM CORP

AI Technical Summary

Problems solved by technology

[0006] 1. The evaluation index either relies on a single factor or is too complex to reflect the real risk situation. An evaluation from the perspective of threats can reflect the real situation of external attacks. However, external threats are numerous and their sources complex, covering both new types of attacks and very old ones, and the applicability of each attack needs to be accurately screened; as a result, the evaluated risk status is generally high, which is not conducive to threat handling and the development of remedial measures. An evaluation from the perspective of vulnerability can truly reflect the loopholes of the information system. However, vulnerability is static, and a threat or attack is required to turn it into a risk; the evaluation of the risk situation is therefore often distorted, which is not conducive to investing effective resources in risk control, and the cost is too high. A comprehensive evaluation based on threats, vulnerabilities and asset value can reflect the level of risk status, but because it involves a three-dimensional system in which the three factors are many-to-many, the mapping relationship and calculation are extremely complicated, so it is difficult to achieve in actual use.
[0007] 2. Current evaluation systems often focus only on threats, vulnerability and asset value, and often ignore the very important link of remedial measures, which is in fact an important factor in risk control.



Embodiment Construction

[0034] The basic idea of the present invention is to construct a threat behavior pattern library, match the calling behaviors recorded in the information system against the threat behaviors in the threat behavior pattern library, obtain the judgment value of each matching calling behavior, and determine the weight of the threat behavior from that judgment value; the risk level is then obtained by combining the weight of the threat behavior with the weight of the vulnerability and the weight of the remedial measures.
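The matching-and-weighting flow of [0034], as an added sketch that is not part of the patent text. The page does not give the scoring formulas, so the pattern contents, the in-order match fraction used as the judgment value, the severity scaling and the threat x vulnerability x (1 - remedy) combination are all assumptions made for illustration.

```python
# Added illustration; the scoring rules below are assumptions, not the patent's formulas.
from dataclasses import dataclass

@dataclass(frozen=True)
class ThreatPattern:
    name: str
    calls: tuple      # ordered call sequence that characterises the behavior
    severity: float   # 0..1, assumed per-pattern severity

# Constructed pattern library (hypothetical call names).
PATTERN_LIBRARY = [
    ThreatPattern("credential_dump", ("open_process", "read_memory", "write_file"), 0.9),
    ThreatPattern("log_tamper", ("open_file", "truncate", "close_file"), 0.6),
]

def decision_value(pattern, call_log):
    """Judgment value: fraction of the pattern's calls found in order in the log."""
    matched = 0
    for call in call_log:
        if matched < len(pattern.calls) and call == pattern.calls[matched]:
            matched += 1
    return matched / len(pattern.calls)

def threat_weight(call_log, library=PATTERN_LIBRARY, min_match=0.5):
    """Highest severity-scaled judgment value among sufficiently matched patterns."""
    scores = {}
    for p in library:
        d = decision_value(p, call_log)
        if d >= min_match:          # partial matches below the threshold are ignored
            scores[p.name] = round(d * p.severity, 3)
    return max(scores.values(), default=0.0), scores

def risk_level(threat_w, vulnerability_w, remedy_w):
    """Assumed combination: remedial measures discount threat x vulnerability."""
    for w in (threat_w, vulnerability_w, remedy_w):
        if not 0.0 <= w <= 1.0:
            raise ValueError("weights must be in [0, 1]")
    score = threat_w * vulnerability_w * (1.0 - remedy_w)
    level = "high" if score >= 0.5 else "medium" if score >= 0.2 else "low"
    return round(score, 3), level

# Constructed call record from a monitored host.
SAMPLE_LOG = ["open_file", "open_process", "read_memory", "stat", "write_file", "open_file"]

if __name__ == "__main__":
    tw, per_pattern = threat_weight(SAMPLE_LOG)
    print(per_pattern, risk_level(tw, vulnerability_w=0.8, remedy_w=0.25))
```

With the same matched threat and vulnerability, raising the remedial-measure weight from 0.25 to 0.8 moves the result from "high" to "low", which is the effect of including remedial measures as a separate factor.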

[0035] The present invention will be further described in detail below with reference to the accompanying drawings and specific embodiments.

[0036] The present invention implements a method for information system security risk assessment. As shown in Figure 1, the method includes the following steps:

[0037] Step 101: constructing a threat behavior pattern library;

[0038] Specifically, the specific threat behavior is used as the classifica...


Abstract

The invention discloses an information system security risk assessment method. The method includes constructing a threatening behavior model bank; matching calling behaviors recorded in an information system against the threatening behaviors in the model bank to obtain decision values for the matched calling behaviors; determining weighted values of the threatening behaviors from those decision values; and combining the weighted values of the threatening behaviors with a vulnerability weighted value and a remedial measure weighted value to obtain a risk grade. The invention further discloses an information system security risk assessment device. With this method and device, the security risks of the information system can be measured in multiple dimensions, the shortcomings of existing risk evaluation quantification are largely made up for, the accuracy and credibility of threat evaluation are improved, and the core problem of risk quantification for the information system can be solved; consequently, users can conveniently and objectively understand the running risk of the information system, and the risks of the information system can be perceived.

Description

Technical field

[0001] The present invention relates to information security technology, in particular to a method and device for information system security risk assessment.

Background technique

[0002] With the rapid development of IT technology, the development of the entire national economy is inseparable from the operation and support of information systems. How to ensure the safe operation of these information systems has become a top priority; according to the requirements of the "2006-2020 National Informatization Development Strategy", comprehensively strengthening the construction of the national information security guarantee system requires all organizations to adhere to active defense and comprehensive prevention, explore and grasp the inherent laws of informatization and information security, and actively respond to information security challenges.

[0003] In order to realize the initiative of information security, the key is to solve how to evaluate the info...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): G06F21/57
CPC: G06F21/577, G06F2221/034
Inventor: 李斌, 常乐
Owner SHANXI CHINA MOBILE COMM CORP