Author: 李振儀
Author (English): Lee, Chenyi
Title (Chinese): 金控公司資訊系統的安全風險衡量
Title (English): Security Risk Evaluation for Information System of Financial Holdings
Advisor: 連志誠
Advisor (English): Lien, Chihcheng
Committee members: 吳國清, 梁德昭
Committee members (English): Wu, Kuoching; Liang, Techao
Oral defense date: 2013-01-11
Degree: Master's
Institution: 東吳大學 (Soochow University, Taiwan)
Department: 資訊管理學系 (Department of Information Management)
Discipline: Computer Science
Subfield: General Computer Science
Thesis type: Academic thesis
Year of publication: 2013
Graduation academic year: 101
Language: Chinese
Pages: 72
Keywords (Chinese): 資訊安全, 風險衡量, 流程系統, 曲線適配
Keywords (English): Information Security; Risk Evaluation; Flow System; Curve Fitting
Abstract (translated from the Chinese):

The goal of information security risk management is to protect the confidentiality, integrity and availability of information assets, shield them from threats of any form, prevent information security incidents effectively, and thereby ensure the company's continued operation. Risk management must be carried out continuously in order to understand the threats and vulnerabilities an information system faces. Recording threats and vulnerabilities manually in tables and then performing the risk assessment is labour-intensive and error-prone.

This thesis takes a financial holding company as its example. Because such a company's business spans several industries, the information flows of its information systems are analyzed, and the connectivity and connection types of the analyzed information flows, together with operation and maintenance records, serve as the input data for the evaluation model.

The evaluation model uses the logistics structure of a supply chain as the basis for risk evaluation and draws on existing methods for information system risk evaluation. The risk value is the probability of an event multiplied by the impact of that event; the event probability is computed from the connection type of the nodes in the flow system (parallel or sequential flow), and the impact is converted by curve fitting into a unified impact level. A prototype was implemented and tested in MATLAB; once the user enters the flow system's information, the risk value can be computed.

In addition, given input data on improvement options, the system can compute the combination of options with the greatest return within a budget set by the user. When the flow system changes, for example when a system node is added or removed, the program can quickly recompute the overall risk value of the new system. The aim is to show quickly how a change to the flow system affects the overall risk value, providing an advance-estimation capability that supports decision makers.
Abstract (English):

The goal of information security risk management is to protect the confidentiality, integrity and availability of information assets. It can prevent the occurrence of information security events and thereby ensure the sustainable operation of the company. To understand the threats and vulnerabilities an information system may face, information security risk management should be carried out continuously. If threats and vulnerabilities are recorded in tables manually and the risk is evaluated by hand, the process is time-consuming and error-prone.

In this paper, taking a financial holding company as the example, we analyze the information flow of an information system whose business has cross-selling characteristics, and use the analyzed information flow data as the input of the evaluation.

Based on the structure of a logistics supply chain and with reference to information security risk evaluation methods, we evaluate the risk of the information flow. The risk value is the probability of the event multiplied by the impact of the event. The event probability is determined by the node connection type and structure, and the unified impact value is obtained by curve fitting. We use MATLAB to implement the evaluation model and obtain the risk value from the input source data.

For the improvement module, we estimate the improved event probabilities, input them into the module and recalculate the risk value. In addition, if the information flow nodes change, the risk value can be recalculated immediately.
Table of contents:

Acknowledgements ... i
Abstract (Chinese) ... ii
Abstract (English) ... iii
Contents ... iv
List of Tables ... vii
List of Figures ... viii
1. Introduction ... 1
2. Literature Review ... 3
2.1 Information Security Risk Management ... 3
2.1.1 International Standards Organizations ... 3
2.1.2 Benefits of Risk Evaluation ... 4
2.2 Risk Evaluation Methods ... 5
2.2.1 Risk Value Calculation by Statistical Probability Methods ... 5
2.2.2 Business Processes as the Target of Risk Calculation ... 6
2.2.3 Risk Evaluation Based on Fuzzy-Logic Expert Knowledge Models ... 7
2.3 Risk Evaluation of Supply Chain Structures ... 9
2.3.1 Evaluating Supply Chain Risk by Structure ... 9
2.3.2 Evaluating Supply Chain Risk by Fuzzy Methods ... 10
2.4 Definition of Impact ... 12
2.4.1 Impact Categories ... 12
2.4.2 Impact Level Analysis ... 12
2.5 Information Asset Nodes in a Flow System ... 15
2.5.1 Information Flow ... 15
2.5.2 Information Flow of Information Asset Nodes ... 15
2.6 Calculating Event Impact Values ... 17
2.6.1 Exponential Value Function ... 19
2.6.2 Curve Fitting ... 19
3. Research Method ... 21
3.1 Operating Architecture of the Risk Evaluation Model ... 21
3.1.1 System Architecture ... 21
3.1.2 Tools ... 22
3.2 Calculating the Information Security Risk Value of a Flow System ... 22
3.2.1 Sequential Case with AND Connections ... 22
3.2.2 Branching Case with AND Connections ... 23
3.2.3 Branching Case with AND Connections, with Further Nodes after the Branch Point ... 24
3.2.4 Parallel Nodes with OR Connections ... 25
3.2.5 Parallel Nodes with OR Connections, Followed by a Common Node ... 25
3.3 Calculating the Overall Risk Value of the Flow System ... 26
3.3.1 Risk Value per Event ... 26
3.3.2 Risk Value per Node ... 26
3.3.3 Overall System Risk Value ... 27
3.4 Risk Data Collection Module and Example ... 27
3.4.1 Analysis of System Information Flow ... 27
3.4.2 Definition of Impact Events ... 29
3.4.3 Defining the Impact Value of Event Occurrence ... 30
3.4.4 Defining Node Connectivity ... 31
3.4.5 Defining Node Connection Types ... 31
3.4.6 Defining the Event-to-Node Impact Matrix ... 32
3.5 Risk Evaluation Module ... 32
3.5.1 Risk Value Computation Logic ... 33
3.5.2 Historical Risk Chart ... 34
3.6 Risk Presentation and Option Selection Module ... 36
3.6.1 Performance Measurement Indicators ... 36
3.6.2 Improvement Option Selection ... 36
4. Experiments and Results ... 37
4.1 Experimental Results ... 37
4.1.1 System Risk Value Calculation Results ... 37
4.1.1.1 Risk Value per Event ... 37
4.1.1.2 Risk Value per Node ... 37
4.1.1.3 Overall Risk Value ... 37
4.1.2 Risk Comparison of Historical Systems ... 38
4.1.3 Risk Value after Improving the Current System ... 38
5. Conclusions and Future Research ... 42
References ... 43
Appendix A: Program for the Flow System Information Security Risk Value ... 47
A.1 Source code: risk calculation main screen ... 47
A.2 Source code: utility for reading computation data ... 56
A.3 Source code: utility for computing event probabilities ... 57
A.4 Source code: utility for computing historical risk values ... 58
A.5 Source code: utility for computing risk values ... 59
A.6 Source code: utility for computing risk values by connection type ... 60
A.7 Source code: improvement option selection sub-screen ... 61
A.8 Event log data from system operation ... 68
A.9 Node connectivity data ... 70
A.10 Node connection type data ... 70
A.11 Event-to-node impact data ... 71
A.12 Event impact data ... 71
A.13 Node weight data ... 72
