一個識別信息安全風(fēng)險的整體風(fēng)險分析方法【外文翻譯】

1、<p><b>　　畢業(yè)論文外文翻譯</b></p><p><b>　　原文</b></p><p>　　A HOLISTIC RISK ANALYSIS METHOD FOR DENTIFYING INFORMATION ECURITY RISK</p><p>　　Janine L. Spears</

2、p><p>　　The Pennsylvania State University, Smeal College of Business, University Park, PA 16802</p><p>　　Abstract: Risk analysis is used during the planning of information security to identify secu

3、rity requirements, and is also often used to determine the economic feasibility of security safeguards. The traditional method of conducting a risk analysis is technology-driven and has several shortcomings. First, its f

4、ocus on technology is at the detriment of considering people and processes as significant sources of security risk. Second, an analysis driven by technical assets can be overly time-consum</p><p>　　Keywords:

5、 risk analysis, informadon security, risk management, business process, data flow diagram,risk scenario.</p><p>　　1. INTRODUCTION</p><p>　　Managing information security is essentially managing a

6、 form of risk.The management of risk generally involves conducting a risk analysis to identify and evaluate risks, and then employing risk management techniques to mitigate or reduce risks where deemed appropriate. Likew

7、ise, the standard approach to managing information security involves conducting a risk analysis to identify risks to confidentiality, integrity, and availability of information systems, which is followed by risk manageme

8、nt wh</p><p>　　Traditional risk analysis methods applied to information systems focus foremost on technology with limited attention to people and processes.</p><p>　　However, an information syst

9、em is comprised of technology, people, processes, and data. Therefore, an effective security risk analysis must examine each of these aspects. As such, traditional risk analysis methods are seen as inadequate (e.g., Hall

10、iday et al., 1996; e.g., Gerber and von Solms, 2005). This paper examines the traditional risk analysis method, along with its strengths and limitations, and then proposes an alternative holistic method that addresses th

11、ese limitations.</p><p>　　The paper is organized as follows. The next section defines risk and describes the purpose of a risk analysis. §3 describes the traditional risk analysis method, along with its

12、 strengths and limitations. Next, a holistic risk analysis method is proposed in §4, followed by an example and the method's benefits. §5 describes evaluation criteria for a risk analysis and how it applies

13、 to the proposed method. §6 suggests future areas of research, followed by a conclusion in §7.</p><p>　　2. RISK ANALYSIS</p><p>　　Risk is defined as (a) the possibility of loss or inju

14、ry, and (b) the liability for loss or injury if it occurs (Merriam-Webster Inc., 1996). Risk analysis, in the context of information security, "is the process of examining a system and its operational context to det

15、ermine possible exposures and the potential harm they can cause" (Pfleeger and Pfleeger, 2003). Risk management involves using the output from risk analysis to determine the selection and implementation of controls

16、(safeguards) to </p><p>　　Risk analysis has traditionally been used in business for analyzing financial instruments and insurance products (e.g., Baskerville, 1991; Barrese and Scordis, 2003; Gerber and von

17、Solms, 2005). In both cases, risk </p><p>　　INFORMATION SECURITY</p><p>　　The traditional method for conducting information security risk analysis is technology-driven (e.g., Halliday et al., 19

18、96; Humphreys et al., 1998 p. 49; Gerber and von Solms, 2005) because it focuses primarily on known threats to types of computing assets employed by an organization. This is due in large part to the historical origin of

19、widely-used computer security guidelines (NIST, Common Criteria, RAND Corp, ISO 17799, SSE-CMM) that were initially developed for securing governmental and mili</p><p>　　For the purposes of this paper, the w

20、ord traditional is used to denote risk analysis practices generally cited in the literature as being the conventional r common approach (e.g., Halliday et al, 1996; Kolokotronis et al, 2002; Suh and Han, 2003; Tan, 2003)

21、. Steps in a traditional risk analysis are summarized in Figure 1.</p><p>　　The first step when conducting a risk analysis is to identify the IT assets to be protected. IT assets generally include hardware,

22、software, data, people, documentation, and applicable facilities (Suh and Han, 2003). Note that although people is typically included as a type of IT asset, traditional risk nalysis places minimal emphasis on people and

23、is typically concerned solely with user identification and authentication. However, risk may be incurred by the procedures that people use to handle </p><p>　　3.1 Strengths of Traditional Risk Analysis</p

24、><p>　　The traditional risk analysis method for information security has several advantages. First, the method is widely known as the de facto standard taught in textbooks and endorsed by industry-accepted secu

25、rity guidelines (e.g., NIST, 2002; Pfleeger and Pfleeger, 2003).</p><p>　　Second, given that traditional risk analysis has focused primarily on technology, this aspect of security has been richly developed.

26、For example, extensive lists of known threats and vulnerabilities to various technical assets are pubUcly available. These Hsts provide valuable guidance when conducting a risk analysis.</p><p>　　Third, auto

27、mated software packages are available that perform the detailed calculations and manage the risk analysis data. These software packages are based on the traditional method of risk analysis.</p><p>　　Fourth,

28、quantitative measures used in the traditional method can be used to support a cost-benefit analysis of investments in security safeguards. This is, of course, provided the calculations are reasonably accurate.</p>

29、<p>　　Finally, the traditional method of conducting a risk analysis for information security is closely related to risk analysis techniques employed in the financial and insurance sectors. This point, along with th

30、e mathematical foundation of the method, may add credibility. </p><p>　　3,2 Limitations of Traditional Risk Analysis</p><p>　　The traditional risk analysis method for information security has se

31、veral key limitations. First, this technology-driven method places very limited emphasis on the people and process aspects of information systems. This is a major oversight, given that people and processes are widely con

32、sidered to be the leading causes of security breaches (e.g., Siponen, 2000; Dhillon, 2001; Wade, 2004). In addition, there is no common approach to identifying which IT assets are to be included in the analysis. </p&g

33、t;<p>　　Second, estimates of expected losses are based on the value of assets, and are widely inaccurate for a variety of reasons. Determining the value of intangible assets, such as information, is considered dif

34、ficult, if not impossible, to estimate (Gerber and von Solms, 2005). Yet, information is one of the most important assets of an organization and is the focal point of information security. Estimates for the value of tang

35、ible assets may be inaccurate because in many cases only replacement costs </p><p>　　Third, probability estimates of the likelihood of an identified vulnerability being exploited are commonly considered to b

36、e wild uesswork. One reason for this is that likelihood is determined by past history of security breaches, and this is largely underreported (e.g., Strang, 2001; Yazar, 2002; Keeney et al, 2005). Another reason that est

37、imates of likelihood of occurrence are inaccurate is because making a more accurate estimate requires a high level of expertise by the estimator (e.g., Gerber</p><p>　　A fourth limitation of the traditional

38、method to risk analysis is the time and cost involved in conducting such an analysis. The bottom-up nature of the traditional method (i.e., driven from a micro, technology assets perspective) tends to be time-consuming,

39、especially in medium to large organizations (Halliday et al., 1996). Significant amounts of time may be spent analyzing assets of low importance to critical business processes.</p><p>　　A fifth limitation to

40、 a technology-focused analysis is that it is often solely conducted by IT professionals. This is problematic because business users are not involved, which only contributes to a lack of security awareness across an organ

41、ization. Equally important, risks inherent in business processes that may be identifiable by a business user may go undetected by an IT professional.</p><p>　　In summary, the traditional method of conducting

42、 risk analysis for information security employs calculations based largely on guesswork to estimate probability and financial loss of a security breach. Secondly, its focus on technology is at the detriment of considerin

43、g people and processes as significant sources of security risk. Finally, an IT-centric approach to security risk analysis does not involve business users to the extent necessary to identify a comprehensive set of risks,

44、or to promot</p><p>　　4. A PROPOSED HOLISTIC RISK ANALYSIS METHOD</p><p>　　A holistic risk analysis, as defined in this paper, is one that attempts to identify a comprehensive set of risks by fo

45、cusing equally on technology, information, people, and processes. The method is also holistic in nature by receiving input from a variety of participants within the organization, coupled with input from (security) indust

46、ry-accepted guidelines. The focus of this holistic method is on the identification of information security risks within critical business processes. Key aspects </p><p>　　Identifying risks that impact busine

47、ss processes provides a top-down analysis that defines the focus, scope, and relevance of the analysis. The proposed method, by its very nature, requires the involvement of a variety of senior management, business users

48、and IT professionals. Once IT assets are identified and analyzed by participants, the method makes use of publicly available security checklists and guidelines (e.g., CERT, NIST) in order to capture known threats and vul

49、nerabilities. Qualitativ</p><p><b>　　譯文：</b></p><p>　　一個識別信息安全風(fēng)險的整體風(fēng)險分析方法</p><p><b>　　吉妮L.斯皮爾斯</b></p><p>　　（賓夕法尼亞大學(xué)，斯米爾商學(xué)院大學(xué)園區(qū)，PA 16802）</p&

50、gt;<p>　　摘要：風(fēng)險分析過程中使用的信息安全規(guī)劃確定的安全要求，也常常被用來確定安全保障的經(jīng)濟可行性。對風(fēng)險進行分析的傳統(tǒng)方法是技術(shù)驅(qū)動，有以下幾個缺點。第一，其技術(shù)重點是考慮人民和安全風(fēng)險的重要來源進程所造成的損害；第二，由技術(shù)驅(qū)動的資產(chǎn)分析既過分耗時又過分費錢；第三，傳統(tǒng)的風(fēng)險分析方法采用的計算主要是以猜測來估計安全漏洞的經(jīng)濟損失的概率；最后，IT中心的安全風(fēng)險分析方法在一定程度上不需要涉及商業(yè)用戶，以確保一套

51、完整的風(fēng)險機制，或促進整個組織的安全意識。本文提出了一種全面替代風(fēng)險分析方法。一個全面的風(fēng)險分析在本文中的定義，是指試圖找出以同樣的技術(shù)、信息、人員和流程為重點的一整套的風(fēng)險。該方法是由提供重點和相關(guān)性分析的關(guān)鍵業(yè)務(wù)流程指導(dǎo)。該方法的關(guān)鍵方面包括一個業(yè)務(wù)驅(qū)動的分析，用戶的分析，架構(gòu)和數(shù)據(jù)流圖的參與。作為一種確定相關(guān)的IT資產(chǎn)，風(fēng)險情景捕捉程序和安全細節(jié)的定性估計的手段。人們在分析中與所涉及的工具混合預(yù)期會導(dǎo)致對已知風(fēng)險的一個更加全面的安

52、全意識，并在整個組織中顯著增加。</p><p>　　關(guān)鍵字：風(fēng)險分析，信息安全，風(fēng)險管理，業(yè)務(wù)流程</p><p><b>　　1．引言</b></p><p>　　信息安全管理本質(zhì)上是經(jīng)營風(fēng)險的形式。風(fēng)險管理一般包括進行風(fēng)險分析，以識別和評估風(fēng)險，然后運用風(fēng)險管理技術(shù)，以減輕或減少適當(dāng)?shù)娘L(fēng)險。同樣，標準的方法是以管理信息安全涉及的風(fēng)險分析來

53、確定風(fēng)險的保密性，完整性和信息系統(tǒng)的可用性，即是用風(fēng)險管理保障來降低風(fēng)險的。</p><p>　　傳統(tǒng)的風(fēng)險分析方法應(yīng)用的信息系統(tǒng)的重點，首先是有限的人員和流程方面的技術(shù)。一個信息系統(tǒng)包括技術(shù)、人員、流程和數(shù)據(jù)，因此，一個有效的風(fēng)險安全分析必須審查每個方面。所以，傳統(tǒng)的風(fēng)險分析方法還有很多的不足（例如，哈利迪等人，1996年;如嘉寶和馮蓮，2005）。本文探討了傳統(tǒng)的風(fēng)險分析方法及其優(yōu)勢和局限性，并提出一種替代方

54、法，全面解決這些限制。</p><p>　　本文的結(jié)構(gòu)如下，接下來的部分是定義風(fēng)險和描述風(fēng)險分析的目的。在§3介紹了傳統(tǒng)的風(fēng)險分析方法，以及它的長處和局限性。接下來，在§ 4中提出一個整體的風(fēng)險分析方法，其次是一個例子和該方法的好處。§ 5描述了風(fēng)險分析和評估標準以及如何使用于該方法。§ 6建議未來的研究領(lǐng)域，緊接著是§ 7結(jié)論。</p><p

55、><b>　　2．風(fēng)險分析</b></p><p>　　風(fēng)險的定義為：（a）損失或傷害的可能性，以及（b）對發(fā)生的損失或的賠償責(zé)任（Merriam - Webster的公司，1996年）。風(fēng)險分析，在信息安全中的內(nèi)容，“是一個檢驗一個系統(tǒng)及其業(yè)務(wù)范圍，以確定其可能會導(dǎo)致風(fēng)險和潛在的傷害的過程”（Pfleeger和Pfleeger，2003）。風(fēng)險管理涉及到使用以風(fēng)險分析的輸出來確定選擇

56、和控制實施（保障措施），以降低風(fēng)險（嘉寶和馮蓮，2005）。</p><p>　　風(fēng)險分析在傳統(tǒng)上一直用于商業(yè)分析、金融工具和保險產(chǎn)品(e.g., Baskerville,1991;Barrese and Scordis, 2003; Gerber and von Solms, 2005)</p><p>　　在這兩種情況下，風(fēng)險分析是由資產(chǎn)價值的定量分析，以確定在金融工具投資或保產(chǎn)品的可

57、行性。同樣，在信息安全，（阿爾貝茨和Dorofee，2001年）風(fēng)險分析經(jīng)常被用來確定在安全保障投資的可行性，降低信息安全（巴斯克維爾，1991年）的風(fēng)險。進行風(fēng)險分析的另一個關(guān)鍵的原因是為了識別安全要求，這是本文的重點。（ISO /符合IEC 17799）。</p><p>　　3.傳統(tǒng)的信息安全風(fēng)險分析</p><p>　　信息安全風(fēng)險分析的傳統(tǒng)方法是技術(shù)驅(qū)動。（例如，哈利迪等，199

58、6;堪等人，1998年第49;嘉寶和馮蓮，2005）。因為它主要側(cè)重于對一個組織使用的計算資產(chǎn)類型的已知威脅。由于歷史淵源，這在很大程度上要廣泛使用的計算機安全準則（NIST的共同準則，蘭德公司，國際標準化組織17799，SSE - CMM的），起初制定是為確保政府和軍隊的計算基礎(chǔ)設(shè)施的。鑒于這些領(lǐng)先的安全準則不是最初的信息系統(tǒng)內(nèi)發(fā)展的營商環(huán)境，缺乏用來確定有關(guān)的人（內(nèi)部和外部的組織）和業(yè)務(wù)流程風(fēng)險的方法。</p><

59、;p>　　對于本文的目的，傳統(tǒng)這個詞是用來表示傳統(tǒng)的風(fēng)險分析慣例，一般在文獻中提到，因為這是傳統(tǒng)的或習(xí)慣的方法（如哈利迪等，1996; Kolokotronis等，2002; Suh，漢族，2003年;譚，2003）。傳統(tǒng)的風(fēng)險分析步驟，如圖1所示。</p><p>　　第一步是進行風(fēng)險分析，以確定IT資產(chǎn)得到保護。IT資產(chǎn)一般包括硬件，軟件，數(shù)據(jù)，人員，文檔和適用的設(shè)施（Suh and Han，2003年

60、）。請注意，雖然人們通常是作為IT資產(chǎn)的一種類型，傳統(tǒng)的風(fēng)險分析對人通常是最小的重視，常常是關(guān)注于用戶識別和認證。不過人們在處理信息的程序中可能會招致風(fēng)險。接下來，每一個確定的資產(chǎn)，威脅（可能發(fā)生的不良事件）和弱點（現(xiàn)有弱點）與保密性，完整性和可用性鑒定，這通常是通過使用標準的確定清單局（NIST，2005年）和專業(yè)知識的安全分析師而決定的。然后，量化風(fēng)險的可能性（即概率）即是一個安全事件的發(fā)生（即一個漏洞會被利用）乘以這類事件的預(yù)期金

61、錢損失（風(fēng)險=預(yù)期損失*概率）。此公式用于計算能降低風(fēng)險到一個可接受水平的安全保障措施的成本效益分析（例如，Pfleeger和Pfleeger，2003;談，2003年; 嘉寶和馮蓮，2005）。</p><p>　　3.1傳統(tǒng)風(fēng)險分析的優(yōu)勢</p><p>　　傳統(tǒng)的信息安全風(fēng)險分析的方法有很多個。第一，該方法被廣泛認為事實上得到了標準教科書中的知名教授和業(yè)界公認的安全準則的認可（例如，

62、NIST的，2002年; Pfleeger和Pfleeger，2003年）。</p><p>　　第二，由于傳統(tǒng)的風(fēng)險分析主要側(cè)重于技術(shù)，安全的這個方面已得到繁榮的發(fā)展。例如，已知威脅和各種技術(shù)資產(chǎn)漏洞的詳盡清單是公開的。 這些名單在進行風(fēng)險分析時提供寶貴的指導(dǎo)。</p><p>　　第三，自動化的軟件包現(xiàn)已推出用以執(zhí)行詳細的計算和風(fēng)險分析數(shù)據(jù)的管理。這些軟件包是基于風(fēng)險分析的傳統(tǒng)方法的

63、。</p><p>　　第四，傳統(tǒng)的方法中的量化措施的使用可以用來支持在安全保障下的投資成本效益分析，當(dāng)然，這里提供的計算是相當(dāng)準確。</p><p>　　最后，傳統(tǒng)的信息安全風(fēng)險分析方法，與金融和保險部門就業(yè)中的風(fēng)險分析技術(shù)也密切相關(guān)。在這一點上，隨著該方法的數(shù)學(xué)基礎(chǔ)，可信度將越來越大。</p><p>　　3．2傳統(tǒng)風(fēng)險分析的局限性</p><

64、;p>　　傳統(tǒng)的信息安全風(fēng)險分析的方法有幾個主要的局限。首先，這個技術(shù)驅(qū)動的方法，對人員和信息系統(tǒng)流程的各個方面都只有非常有限的作用。這是一個重大的監(jiān)督，由于人員和流程被廣泛認為是安全隱患的主要原因（如Siponen，2000年; Dhillon，2001;韋德，2004年）。此外，有沒有共同的方法來確定哪些IT資產(chǎn)將被納入分析，IT專業(yè)人士開發(fā)的技術(shù)資產(chǎn)清單可能并不重要，用戶開發(fā)的電子表格和應(yīng)用程序包含重大的安全隱患。具體的機密

65、信息，保證維護也可以被忽略掉的。</p><p>　　第二，基于資產(chǎn)價值的預(yù)期損失估計，普遍是由于不確定的原因。確定的無形資產(chǎn)，如信息、價值，就算不是不可能的，估計也是困難的（嘉寶和馮蓮，2005）。然而，信息是一個組織的最重要的資產(chǎn)之一，是信息安全的焦點。關(guān)于有形資產(chǎn)的價值估計可能不準確，因為只有考慮重置成本，其中不包括由于操作中斷等許多案件的經(jīng)濟損失.（Suh，Han，2003年）在那里的業(yè)務(wù)運作成本，包括在

66、資產(chǎn)價值的情況下，估計是非常主觀的。最后，以資產(chǎn)價值為基礎(chǔ)的預(yù)期經(jīng)濟損失通常不包括一個可能的違約行為，如客戶的信任缺失所帶來的社會影響（Bennett和Kailay，1992年）。</p><p>　　第三，經(jīng)認定的漏洞被利用的可能性的概率估計，通常被認為是胡亂猜測。原因之一是這是由過去的歷史決定的安全漏洞的可能性。這在很大程度上是低報的。（例如，斯特朗，2001年; Yazar，2002;基尼等，2005）。另

67、一個原因就是發(fā)生的可能性估計是不準確的，因為作出更準確的估計需要專業(yè)知識的估計（如Gerber和馮蓮，2005年），一個組織可能不具備較高的水平。見巴斯克維爾（1991）在傳統(tǒng)的弱勢數(shù)量估計的固有風(fēng)險分析，這有待進一步的討論。</p><p>　　傳統(tǒng)風(fēng)險分析方法的第四個限制是時間和進行這種分析所涉及的費用。傳統(tǒng)方法中自下而上的性質(zhì)（即從微觀，技術(shù)資產(chǎn)的角度驅(qū)動）往往很費時，尤其是在中、大型組織中（如哈利迪等。1

68、996）。大量的時間花在分析關(guān)鍵業(yè)務(wù)流程中不是那么重要的資產(chǎn)部分。 </p><p>　　對以技術(shù)為重點的分析的第五個限制是，它常常只能由專業(yè)人士進行。這個問題因為不涉及商務(wù)用戶，所以只是導(dǎo)致整個組織缺乏安全性認識。同樣重要的是，業(yè)務(wù)流程中的風(fēng)險可能未被IT專業(yè)人士發(fā)現(xiàn)而是被商業(yè)用戶識別。</p><p>　　總之，開展信息安全風(fēng)險分析的傳統(tǒng)方法的使用在很大程度上以猜測來估計概率和安全漏洞

69、的經(jīng)濟損失的計算。其次，其技術(shù)重點是考慮對人員和安全分析的重要來源的進程所造成的損害。最后，IT中心的安全風(fēng)險分析方法在一定程度上不涉及商業(yè)用戶，以確定一套全面的風(fēng)險，或促進整個組織的安全意識。</p><p>　　4．提議的一種整體風(fēng)險分析方法</p><p>　　本文定義的一個全面的風(fēng)險分析是一個嘗試專注于全面識別同一套技術(shù)中的風(fēng)險、信息、人員和流程。該方法也由整體性質(zhì)接收來自組織內(nèi)各

70、種參與者的投入，再加上從（安全）行業(yè)公認的準則輸入。這種全面的方法重點是對關(guān)鍵業(yè)務(wù)流程中的信息安全風(fēng)險識別。該方法的主要包括用戶分析，業(yè)務(wù)驅(qū)動的分析，系統(tǒng)圖參與等方法提取相關(guān)的科技資產(chǎn)資訊并進行定性分析。</p><p>　　識別風(fēng)險影響的業(yè)務(wù)流程提供了一個自上而下重點分析方法，包括定義、范圍以及相關(guān)的分析。該方法的提出，就其本質(zhì)來說，需要各種高級管理人員的參與，業(yè)務(wù)用戶和IT專業(yè)人士。一旦IT資產(chǎn)與會者確定和分