
The Research And Implementation On Risk Management Model For Information System

Posted on: 2006-02-15
Degree: Master
Type: Thesis
Country: China
Candidate: W Fan
Full Text: PDF
GTID: 2178360182967000
Subject: Software engineering
Abstract/Summary:
With the development of information technology, and especially the spread of networks, people are paying more attention to the security of information systems. But relying on security technologies or safety alone is not enough to solve every information security problem. The security of an information system must be treated at the systems engineering level, which means performing security risk management for the information system.

The decision-driven security risk model uses decision-focused, quantitative, analytic techniques. In this analytic process, the first step is to build the Safeguard Selector; each policy has a different combination of safeguards. Second, calculate the cost of every possible policy. Third, analyze how the safeguards in a policy reduce both bad event frequencies and bad event consequences. Fourth, evaluate the initial frequency and consequences of bad events according to expert judgment or the results of analyzing historical event data. Finally, use those variables to calculate the net benefit of each policy, compare the results among the policies, and find the best policy.

The main work of this dissertation is: according to security risk theory and decision analysis techniques, build a decision-driven security risk model, then give some equations for the net benefit of a security policy, propose a method to evaluate the frequency and consequences of bad events, and finally demonstrate how this decision-driven model is implemented in the security management platform.
Keywords/Search Tags: ALE, Decision Modeling, Utility Function
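
The five-step analysis described in the abstract, as an added Python example that is not taken from the thesis. It assumes the common ALE formulation (annual loss expectancy = sum of frequency x consequence over bad events), multiplicative safeguard reductions, and net benefit = baseline ALE - policy ALE - policy cost; the thesis's own equations are not on this page, and every event, safeguard and figure below is constructed.

```python
from itertools import combinations

# Constructed sample data (step 4): initial annual frequency and
# consequence (cost per occurrence) of each bad event.
EVENTS = {
    "malware_outbreak": (4.0, 20_000.0),
    "data_theft": (0.5, 400_000.0),
}

# Constructed safeguards: annual cost (step 2) and, per bad event, the
# fractional (frequency, consequence) reduction they provide (step 3).
SAFEGUARDS = {
    "antivirus": {"cost": 15_000.0, "effect": {"malware_outbreak": (0.5, 0.0)}},
    "encryption": {"cost": 30_000.0, "effect": {"data_theft": (0.0, 0.5)}},
    "ids": {"cost": 60_000.0,
            "effect": {"malware_outbreak": (0.25, 0.0), "data_theft": (0.2, 0.0)}},
}


def all_policies():
    """Step 1: every policy is one combination of safeguards (including none)."""
    names = sorted(SAFEGUARDS)
    for size in range(len(names) + 1):
        yield from combinations(names, size)


def policy_cost(policy):
    """Step 2: annual cost of the safeguards in a policy."""
    return sum(SAFEGUARDS[name]["cost"] for name in policy)


def ale(policy):
    """Steps 3-4: ALE after applying each safeguard's reductions (assumed
    to combine multiplicatively) to the initial frequency and consequence."""
    total = 0.0
    for event, (freq, cons) in EVENTS.items():
        for name in policy:
            freq_cut, cons_cut = SAFEGUARDS[name]["effect"].get(event, (0.0, 0.0))
            freq *= 1.0 - freq_cut
            cons *= 1.0 - cons_cut
        total += freq * cons
    return total


def net_benefit(policy):
    """Step 5 (assumed form): avoided loss minus what the policy costs."""
    return ale(()) - ale(policy) - policy_cost(policy)


def best_policy():
    """Step 5: compare all policies and return the one with the highest net benefit."""
    return max(all_policies(), key=net_benefit)
```

With this data the full three-safeguard policy gives the lowest ALE but not the highest net benefit, which is the reason the comparison is made on net benefit rather than on residual risk alone.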