
Research On Information Security Evaluation For Website Security Evaluation Services

Posted on: 2018-07-31
Degree: Master
Type: Thesis
Country: China
Candidate: L Peng
GTID: 2348330518496533
Subject: Information and Communication Engineering

Abstract/Summary:
Website security evaluation is an emerging third-party service that provides information security evaluation, helps enterprises discover security vulnerabilities and threats, and also provides privacy and data protection services. However, some website security evaluation services retain "back doors", embed other commercial services, or leak user information, which brings new security problems.

In view of the security problems of website security evaluation services, the research work in this paper is as follows:

(1) The main website security evaluation services are studied, and their service contents, evaluation methods and service processes are analyzed specifically.

(2) Some information security problems that may exist in website security evaluation services are put forward, and these problems are summarized under four aspects: target security (website security), evaluation tool security, service process security and personnel security. Then, according to these problems, the basic security requirements and principles that website security evaluation services should meet are listed.

(3) An information security evaluation model for website security evaluation services is built. According to the information security problems that may exist in website security evaluation services, a specific and comprehensive security metrics system of about 70 indexes is designed. In this model, the weight of each metric is determined through a dual weighted method. Then, a fuzzy comprehensive evaluation method and an expert credibility weighting method are used to evaluate website security services. This model transforms qualitative security evaluations into quantitative scores, which effectively reduces the subjectivity of the expert opinions and the uncertainty of the evaluation.

(4) Software to evaluate the security of website security evaluation services is designed and implemented. The security evaluation model is applied in this software, which uses the expert safety scores to conduct a comprehensive security assessment of a website security assessment service. This software has been put to use.

Simulation experiments are carried out using different numbers of metric indexes to evaluate the security of some website security evaluation services. The results show that this security metrics system is comprehensive and can cover the key metrics in different environments. Then, this software was used to evaluate 32 website security evaluation services, and the results show that 25% of these evaluation services are at higher security risk, which indicates the urgency and necessity of evaluating the security of these services. The research in this paper not only makes users, websites and governments aware of the importance of security evaluation for website security evaluation services, but also has a certain guiding significance for the government in evaluating and certifying the information security of these third-party services.
Keywords/Search Tags: website security, security evaluation, fuzzy comprehensive evaluation, metric model