
Information Security Risk Assessment Method Research And Application

Posted on: 2010-02-17
Degree: Master
Type: Thesis
Country: China
Candidate: W Xie
Full Text: PDF
GTID: 2178360275953447
Subject: Communication and Information System

Abstract/Summary:
With the rapid development of computer and network technology, ensuring information security has become an increasingly important and difficult problem. Doing so requires considerable human and material resources to monitor the state of networks and information systems closely, and to carry out security construction and management in line with the required protection level. To predict and prevent possible security risks, to detect security threats and locate their sources, to analyse the impact of security risks and problems, and to assess the damage they cause, risk assessment must be performed for information security; it is both the foundation of, and an important means for, ensuring information security.

There are various methods for information security risk assessment, of which the Analytic Hierarchy Process (AHP) is the most widely used. The general AHP procedure is as follows: first, identify the most relevant factors and build a Threat Identification Hierarchical Model and a Vulnerability Identification Hierarchical Model for information security risks; then compare the elements pairwise to determine the relative importance of each element; finally, derive the composite weight of each element. However, a number of uncertain factors can enter the AHP process: the elements are treated as if they were independent of one another, which need not hold in practice, and an expert's personal preferences or other subjective factors can make the assessment results inaccurate. How to improve AHP so that its assessment remains accurate in these cases is a problem that needs to be solved.

This thesis discusses how to use Grey System Theory and the Dempster-Shafer (D-S) theory of evidence to improve the assessment produced by AHP. Grey System Theory is a "poor information" modelling approach, that is, a modelling approach for conditions in which information is lacking or inadequate. It provides a way to model systems whose external information is clear but whose internal rules are unclear. Risks in information systems fit the poor-information scenario, so the author uses Grey Theory to build the information risk assessment model. However, Grey System Theory alone cannot eliminate the human influence on assessment results. Therefore the D-S theory of evidence, a theory of uncertain reasoning and decision making, is also brought in. Compared with probabilistic decision theory, D-S theory can not only handle the uncertainty caused by imprecise knowledge but also rests on an axiomatic system weaker than that of probability. Its evidence combination rule is then used to combine the opinions of several experts so that the final result reflects the opinions of all of them. In this thesis, the numerical scores are converted into probabilities that a score lies in a specific range, in order to prevent individual factors in an expert's assessment from dominating. When the probabilities are fully known, the theory of evidence reduces to probability theory, which makes it well suited to the fusion of uncertain information.

The method given by this thesis remedies defects of AHP such as inaccurate qualitative and quantitative assessment caused by inadequate information, and inaccurate results caused by experts' personal preferences or other subjective factors, so as to achieve a scientific, objective, accurate and reasonable assessment of information security.
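The AHP weighting step and the D-S evidence combination described above, as an added worked example (this is not code from the thesis): it derives factor weights and a consistency ratio from a pairwise comparison matrix, maps each expert's numeric score to a belief mass on the score range it falls in, and fuses three experts' opinions with Dempster's rule. The score ranges, the confidence-based score-to-mass mapping, and all numeric inputs are constructed assumptions; the grey-system model is not shown.

```python
"""AHP factor weights plus Dempster-Shafer fusion of expert scores.

Added worked example, not code from the thesis. Grey-system modelling
is not shown; the score-to-mass mapping and all numbers are constructed.
"""
from itertools import product

# Saaty's random consistency index for comparison matrices of order 1..6.
RI = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12, 6: 1.24}


def ahp_weights(matrix, iters=200):
    """Priority weights of a reciprocal pairwise-comparison matrix.

    Power iteration approximates the principal eigenvector; lambda_max
    gives the consistency ratio CR = CI / RI. Returns (weights, lambda_max, CR).
    """
    n = len(matrix)
    w = [1.0 / n] * n
    for _ in range(iters):
        aw = [sum(matrix[i][j] * w[j] for j in range(n)) for i in range(n)]
        total = sum(aw)
        w = [x / total for x in aw]
    aw = [sum(matrix[i][j] * w[j] for j in range(n)) for i in range(n)]
    lam = sum(aw[i] / w[i] for i in range(n)) / n
    ci = (lam - n) / (n - 1) if n > 1 else 0.0
    cr = ci / RI[n] if RI.get(n) else 0.0
    return w, lam, cr


# Frame of discernment: risk levels, each tied to an assumed score range on 0..10.
LEVELS = {"low": range(0, 4), "medium": range(4, 7), "high": range(7, 11)}
THETA = frozenset(LEVELS)


def score_to_mass(score, confidence):
    """Turn one expert's numeric score into a basic probability assignment.

    The mass `confidence` goes to the level whose range contains the score;
    the remainder stays on the whole frame (ignorance) instead of being forced
    onto a single value. This mapping is an assumption of the example.
    """
    level = next(name for name, rng in LEVELS.items() if score in rng)
    return {frozenset([level]): confidence, THETA: 1.0 - confidence}


def combine(m1, m2):
    """Dempster's rule of combination. Returns (fused mass, conflict K)."""
    fused, conflict = {}, 0.0
    for (a, ma), (b, mb) in product(m1.items(), m2.items()):
        inter = a & b
        if inter:
            fused[inter] = fused.get(inter, 0.0) + ma * mb
        else:
            conflict += ma * mb
    if conflict >= 1.0 - 1e-12:
        raise ValueError("experts totally conflict; Dempster's rule is undefined")
    return {s: v / (1.0 - conflict) for s, v in fused.items()}, conflict


def fuse_experts(opinions):
    """Combine (score, confidence) pairs from several experts into one mass."""
    m = score_to_mass(*opinions[0])
    for score, conf in opinions[1:]:
        m, _ = combine(m, score_to_mass(score, conf))
    return m


def belief(m, level):
    """Bel(level): mass committed to subsets of {level}."""
    return sum(v for s, v in m.items() if s <= frozenset([level]))


def plausibility(m, level):
    """Pl(level): mass of every focal set that does not rule out the level."""
    return sum(v for s, v in m.items() if level in s)


if __name__ == "__main__":
    # Constructed 3x3 comparison of three risk factors on Saaty's 1..9 scale.
    A = [[1, 3, 5], [1 / 3, 1, 5 / 3], [1 / 5, 3 / 5, 1]]
    w, lam, cr = ahp_weights(A)
    print("weights", [round(x, 3) for x in w], "lambda_max", round(lam, 3), "CR", round(cr, 3))
    # Three experts score one factor on 0..10 with differing self-confidence.
    m = fuse_experts([(8, 0.8), (5, 0.6), (9, 0.7)])
    for lvl in LEVELS:
        print(lvl, "Bel", round(belief(m, lvl), 3), "Pl", round(plausibility(m, lvl), 3))
```

The dissenting expert (score 5) is not discarded but ends up with a small, explicit belief in "medium", while the ignorance left on the whole frame keeps the plausibility of every level above zero. Dempster's rule renormalises by 1 - K; when the conflict K approaches 1 the result becomes unstable, which is why the example refuses to combine totally conflicting evidence rather than silently producing a number.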
Keywords/Search Tags: Information Security, Risk Assessment, Analytic Hierarchy Process, Gray System Theory, Dempster-Shafer Theory of Evidence