
臺灣博碩士論文加值系統 (National Digital Library of Theses and Dissertations in Taiwan)

Detailed record

Author: 陳婉佳 (Chen, Wan-Jia)
Title: 考量控制措施間相互影響性之資訊安全風險評鑑
Title (English): Information Security Risk Assessment Considering Interdependences between Controls
Advisor: 羅濟群 (Lo, Chi-Chun)
Degree: Doctoral
Institution: 國立交通大學 (National Chiao Tung University)
Department: 資訊管理研究所 (Institute of Information Management)
Discipline: Computer science (general computer science)
Document type: Academic thesis
Year of publication: 2012
Graduation academic year: 100 (ROC calendar, i.e. the 2011/2012 academic year)
Language: English
Pages: 81
Keywords (Chinese): 資訊安全; 風險評鑑; 決策實驗室分析法; 分析網路程序法; 有序加權平均運算; 模糊語意量子; 熵值最大化法
Keywords (English): Information security; Risk assessment; Decision Making Trial and Evaluation Laboratory; Analytic network process; Ordered weighted averaging operator; Fuzzy linguistic quantifiers; Maximum entropy method
Record statistics: cited by 0; views 344; downloads 0; bookmarked 1
Abstract (translated from the Chinese): Risk assessment is a central process in information security risk management. Through it an organization determines the risks in its information systems and provides adequate means to reduce them. In practice, the individual information security controls implemented on an organization's information systems are not completely independent, so the assessment of each item's risk should take into account the correlations or mutual influences that may exist between them. This thesis proposes a hybrid risk assessment method that considers the interdependencies between controls in order to evaluate the risk level of an organization's information systems. First, the Decision Making Trial and Evaluation Laboratory (DEMATEL) method is used to construct the mutual influences between the control categories. Next, the inter-category influence relations produced by DEMATEL serve as the analytic structure for the Analytic Network Process (ANP), which then determines the likelihood of risk occurrence; in this way the study accounts for the correlation and mutual influence between control groups and matches real-world conditions. Further, the Fuzzy Linguistic Quantifiers-guided Maximum Entropy Ordered Weighted Averaging (FLQ-MEOWA) operator is used to aggregate the risk impact values assessed by each expert, reducing the effect of extreme values and subjective factors. Finally, the proposed method is applied to the information systems of Company X for validation. The case confirms that the method identifies the interdependencies between controls, that the resulting risk levels reflect those interdependencies, and that the levels can serve as a reference for deciding which information systems need further strengthening of their security protection.
Abstract (English): Risk assessment is a key step in the core process of information security risk management. Organizations use it to determine the risks within their information systems and to provide sufficient means to reduce the identified risks. In practice, the security controls applied to an information system's control areas are not completely independent, so a risk assessment should consider the interdependencies among control families. This thesis proposes a hybrid procedure for evaluating and identifying the risk levels of information system security while taking those interdependencies into account. First, the Decision Making Trial and Evaluation Laboratory (DEMATEL) method is applied to construct the interrelations among security control areas. Second, using the DEMATEL results as the network structure, the Analytic Network Process (ANP) is used to obtain likelihood ratings for the risks; as a result, the procedure captures interdependence and feedback between security control families and identifies the areas that most need security measures in real-world situations. Last, the Fuzzy Linguistic Quantifiers-guided Maximum Entropy Ordered Weighted Averaging (FLQ-MEOWA) operator aggregates the impact values assessed by the experts, diminishing the influence of extreme evaluations such as strongly personal or drastic opinions. An application in Company X was examined to verify the procedure. After analysis of the acquired data, the procedure is confirmed to detect the influential factors among security control areas and to identify the information systems with higher risk levels, where prioritized safeguards should be considered.
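The DEMATEL, ANP and FLQ-MEOWA steps named in the abstract, carried through end to end as an added example (this is not code from the thesis or its author). It assumes constructed control-area names, a constructed 0-4 direct-relation matrix DIRECT, constructed 1-5 expert impact scores IMPACTS, that the column-normalised DEMATEL total-relation matrix stands in for the pairwise-comparison supermatrix of the ANP step, Yager's RIM quantifier Q(r) = r^a with orness equal to the integral of Q over [0, 1] (a = 2 here), and a likelihood x impact combination rule for the final risk level; none of these specifics is given on this page.

```python
# Added example, not the thesis's code. Area names, DIRECT and IMPACTS are constructed;
# T-as-supermatrix and risk = likelihood x impact are simplifying assumptions.
from typing import Dict, List, Tuple

Matrix = List[List[float]]


def matmul(a: Matrix, b: Matrix) -> Matrix:
    return [[sum(a[i][k] * b[k][j] for k in range(len(b))) for j in range(len(b[0]))]
            for i in range(len(a))]


def inverse(m: Matrix) -> Matrix:
    """Gauss-Jordan inverse with partial pivoting; raises on a singular matrix."""
    n = len(m)
    aug = [list(map(float, row)) + [1.0 if i == j else 0.0 for j in range(n)]
           for i, row in enumerate(m)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(aug[r][col]))
        if abs(aug[pivot][col]) < 1e-12:
            raise ValueError("singular matrix")
        aug[col], aug[pivot] = aug[pivot], aug[col]
        p = aug[col][col]
        aug[col] = [x / p for x in aug[col]]
        for r in range(n):
            if r != col:
                f = aug[r][col]
                aug[r] = [x - f * y for x, y in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]


def dematel(direct: Matrix) -> Tuple[Matrix, List[float], List[float]]:
    """Step 1 (DEMATEL): normalise the direct-relation matrix by its largest row/column
    sum, compute T = D (I - D)^-1, and return T with each area's prominence (r + c)
    and net effect (r - c); a positive net effect marks a driving area."""
    n = len(direct)
    s = max(max(sum(r) for r in direct), max(sum(c) for c in zip(*direct)))
    d = [[x / s for x in row] for row in direct]
    t = matmul(d, inverse([[(1.0 if i == j else 0.0) - d[i][j] for j in range(n)]
                           for i in range(n)]))
    r = [sum(row) for row in t]            # total influence an area exerts
    c = [sum(col) for col in zip(*t)]      # total influence an area receives
    return t, [r[i] + c[i] for i in range(n)], [r[i] - c[i] for i in range(n)]


def column_normalise(m: Matrix) -> Matrix:
    sums = [sum(col) for col in zip(*m)]
    return [[m[i][j] / sums[j] for j in range(len(m))] for i in range(len(m))]


def limit_supermatrix(w: Matrix, tol: float = 1e-10) -> List[float]:
    """Step 2 (ANP): square the column-stochastic supermatrix until it stops changing;
    every column of the limit matrix is the priority (likelihood) vector."""
    cur = w
    for _ in range(100):
        nxt = matmul(cur, cur)
        if max(abs(nxt[i][j] - cur[i][j]) for i in range(len(w)) for j in range(len(w))) < tol:
            return [nxt[i][0] for i in range(len(w))]
        cur = nxt
    raise RuntimeError("supermatrix did not converge")


def quantifier_orness(a: float) -> float:
    """Orness of the RIM quantifier Q(r) = r^a (Yager): the integral of Q over [0, 1]."""
    return 1.0 / (a + 1.0)


def meowa_weights(n: int, orness: float) -> List[float]:
    """Step 3 (MEOWA): maximum-entropy OWA weights for a target orness in (0, 1).
    The entropy-maximising weights are geometric, w_j ~ h^(n-j); h is found by
    bisection so that the weights' orness equals the target."""
    if n == 1:
        return [1.0]

    def weights(h: float) -> List[float]:
        raw = [h ** (n - j) for j in range(1, n + 1)]
        tot = sum(raw)
        return [x / tot for x in raw]

    def orness_of(w: List[float]) -> float:
        return sum((n - j) / (n - 1) * w[j - 1] for j in range(1, n + 1))

    lo, hi = 1e-6, 1e6                      # larger h shifts weight to the top-ranked value
    for _ in range(200):
        mid = (lo * hi) ** 0.5              # bisect on a log scale
        lo, hi = (mid, hi) if orness_of(weights(mid)) < orness else (lo, mid)
    return weights((lo * hi) ** 0.5)


def owa(values: List[float], weights: List[float]) -> float:
    """Ordered weighted average: weights apply to the values sorted in descending order."""
    return sum(w * v for w, v in zip(weights, sorted(values, reverse=True)))


def risk_table(likelihood: Dict[str, float], impacts: Dict[str, Dict[str, List[float]]],
               a: float = 2.0) -> List[Tuple[str, float]]:
    """Step 4 (assumed rule): aggregate each area's expert impact scores with FLQ-MEOWA,
    then risk(system) = sum over areas of likelihood[area] * impact; highest risk first."""
    w_cache: Dict[int, List[float]] = {}
    table = []
    for system, by_area in impacts.items():
        risk = 0.0
        for area, scores in by_area.items():
            w = w_cache.setdefault(len(scores), meowa_weights(len(scores), quantifier_orness(a)))
            risk += likelihood[area] * owa(scores, w)
        table.append((system, round(risk, 4)))
    return sorted(table, key=lambda x: x[1], reverse=True)


AREAS = ["Access control", "Awareness and training", "Incident response",
         "Audit and accountability"]                                   # constructed
DIRECT = [[0, 3, 2, 1], [1, 0, 2, 3], [1, 1, 0, 2], [2, 1, 1, 0]]      # constructed 0-4 ratings
IMPACTS = {                                                            # constructed 1-5 scores
    "ERP": {"Access control": [5, 4, 4], "Awareness and training": [3, 3, 2],
            "Incident response": [4, 5, 3], "Audit and accountability": [3, 2, 3]},
    "Intranet portal": {"Access control": [2, 3, 2], "Awareness and training": [2, 2, 1],
                        "Incident response": [3, 2, 2], "Audit and accountability": [2, 1, 2]},
}


def run_example() -> List[Tuple[str, float]]:
    t, _prominence, _net = dematel(DIRECT)
    likelihood = dict(zip(AREAS, limit_supermatrix(column_normalise(t))))
    return risk_table(likelihood, IMPACTS)


if __name__ == "__main__":
    print(run_example())
```

The maximum-entropy weights are what keeps a single extreme expert from dominating: for a given orness they are the flattest weight vector possible, so an outlying high or low score is still counted but never with the full weight a plain maximum or minimum would give it. Lowering a toward 1 pushes the orness to 0.5 and the operator toward a plain mean; raising it makes the aggregation more pessimistic (more weight on the lowest scores). The prominence and net-effect vectors from `dematel` are the values a practitioner would plot to see which control areas drive the others before trusting the ANP priorities built on them.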
Table of contents:
CHAPTER 1 Introduction
CHAPTER 2 Literature review
2.1 Risk assessment methodologies
2.2 Security controls
2.3 The DEMATEL method
2.3.1 The process of the DEMATEL method
2.3.2 Illustrative example of DEMATEL
2.4 The ANP method
2.4.1 The process of the ANP method
2.4.2 Illustrative example of ANP
2.5 The FLQ-MEOWA operator
2.5.1 The process of the FLQ-MEOWA operator
2.5.2 Illustrative example of the FLQ-MEOWA operator
CHAPTER 3 A hybrid information security risk assessment procedure
3.1 Risk assessment criteria
3.2 Risk assessment procedure
3.3 Building network relevance systems between security control areas using the DEMATEL method
3.4 Deriving the likelihood of risk associated with security control families using the ANP method
3.5 Aggregating impact values using the FLQ-MEOWA operator
3.6 Risk determination
CHAPTER 4 Risk assessment of information systems in Company X
4.1 The selection of evaluating experts and information systems
4.2 Constructing network relevance and structure of security control areas
4.3 Deriving the likelihood of risks associated with security control families
4.4 Impact analysis
4.5 Deriving risk levels
CHAPTER 5 Discussion and limitations
5.1 Discussion
5.1.1 The interdependency and influence between security control areas
5.1.2 The identification of risks in information systems
5.2 Limitations
CHAPTER 6 Conclusions and future work
References