An Information System Risk Assessment Method Based on Risk Propagation

doi:10.13190/j.jbupt.2021-019

Journal of Beijing University of Posts and Telecommunications ›› 2021, Vol. 44 ›› Issue (4): 41-48.doi: 10.13190/j.jbupt.2021-019

• PAPERS • Previous Articles Next Articles

An Information System Risk Assessment Method Based on Risk Propagation

YANG Hong-yu^1,2, ZHANG Le², ZHANG Liang³

1. College of Safety Science and Engineering, Civil Aviation University of China, Tianjin 300300, China;
2. College of Computer Science and Technology, Civil Aviation University of China, Tianjin 300300, China;
3. College of Information, University of Arizona, Tucson AZ 85721, USA

Received:2021-02-02 Published:2021-07-13

Abstract

Abstract: Traditional information system risk assessment methods do not consider the state change of nodes and the direction of risk propagation, and the accuracy of the evaluation results is affected by the subjectivity of experts. To solve these problems, an information system risk assessment method based on risk propagation is proposed. First, the initial state transition probability matrix of the node is determined, and the node state transition probability is obtained by modifying the matrix according to the attack attributes. Then, the propagation probability of nodes in all directions is calculated based on the topology network and node attribute value.Next, the three-parameter interval number method is used to obtain the quantitative value of node threat events. Finally, the risk value of each node is calculated according to the risk assessment method. Experimental results show that the proposed methodis more objective and reasonable, and it improves the integrity and accuracy of the risk assessment of information systems.

Key words: risk assessment, risk propagation, state transition probability, propagation probability, three-parameter interval number

CLC Number:

TP309

YANG Hong-yu, ZHANG Le, ZHANG Liang. An Information System Risk Assessment Method Based on Risk Propagation[J]. Journal of Beijing University of Posts and Telecommunications, 2021, 44(4): 41-48.

References

[1] 许硕, 唐作其, 王鑫. 基于D-AHP与灰色理论的信息安全风险评估[J]. 计算机工程, 2019, 45(7):194-202. Xu Shuo, Tang Zuoqi, Wang Xin. Information security risk assessment based on D-AHP and grey theory[J]. Computer Engineering, 2019, 45(7):194-202.
[2] 赵刚, 吴天水. 结合灰色网络威胁分析的信息安全风险评估[J]. 清华大学学报(自然科学版), 2013, 53(2):1761-1767. Zhao Gang, Wu Tianshui. Information security risk assessment based on G-ANP[J]. Journal of Tsinghua University (Science and Technology), 2013, 53(2):1761-1767.
[3] Antonio R, Ortega F, Ramrio C. A method for the evaluation of risk in IT projects[J]. Expert Systems with Applications, 2016, 45(C):273-285.
[4] Hong Q, Jian W T, Zheng T, et al. An information security risk assessment algorithm based on risk propagation in energy Internet[C]//2017 IEEE Conference on Energy Internet and Energy System Integration (EI2). Beijing:IEEE, 2017:1-6.
[5] Feng N, Wang H J, Li M Q. A security risk analysis model for information systems:causal relationships of risk factors and vulnerability propagation analysis[J]. Information Sciences, 2014, 6:57-73.
[6] Brin S, Page L. The anatomy of a large-scale hyper textual web search engine[J]. Computer Networks and ISDN Systems, 1998, 30(1):107-117.
[7] 席荣荣, 云晓春, 张永铮, 等. 一种改进的网络安全态势量化评估方法[J]. 计算机学报, 2015, 38(4):749-758. Xi Rongrong, Yun Xiaochun, Zhang Yongzheng, et al. An improved quantitative evaluation method for network security[J]. Chinese Journal of Computers, 2015, 38(4):749-758.
[8] Whitman M, Mattord H, Whitman, et al. Principles of information security[M]. Beijing:Tsinghua University Press, 2003:60-64.
[9] 中国国家标准化管理委员会. 信息安全风险评估规范:GB/T 20984-2007[S]. 北京:中国标准出版社, 2007:6-8. The standardization administration of China. Information security risk assessment specification:GB/T 20984-2007[S]. Beijing:Standards Press of China, 2007:6-8.
[10] 黄玉洁, 唐作其, 梁静. 基于信息熵与三参数区间的信息安全风险评估[J]. 计算机工程, 2018, 44(12):178-183. Huang Yujie, Tang Zuoqi, Liang Jing. Information security risk assessment based on information entropy and three-parameter interval[J]. Computer Engineering, 2018, 44(12):65-69.
[11] 林健, 姜永. 基于三参数区间数型偏好序的群决策方法[J]. 山东大学学报(理学版), 2011, 46(7):65-69. Lin Jian, Jiang Yong. Information security risk assessment based on information entropy and three-parameter interval[J]. Journal of Shandong University (Natural Science), 2011, 46(7):65-69.

An Information System Risk Assessment Method Based on Risk Propagation

RichHTML

PDF

Knowledge

Abstract

Cite this article

share this article

References

Related Articles 7

Recommended Articles

Metrics

Comments

[1]	YANG Hongyu, YUAN Haihang, ZHANG Liang. A Risk Assessment Method of Network Host Node with Host Importance [J]. Journal of Beijing University of Posts and Telecommunications, 2022, 45(2): 16-21.
[2]	ZHAO Jian, WANG Rui, LI Zheng-min, LEI Min, MA Min-yao. Security Threats and Risk Assessment of IoT System [J]. JOURNAL OF BEIJING UNIVERSITY OF POSTS AND TELECOM, 2017, 40(s1): 135-139.
[3]	LEI Min, LIU Xiao-ming, ZHANG Hong, WANG Mian, YANG Yu. Research on Security Threats and Risk Assessment of Web Information System [J]. JOURNAL OF BEIJING UNIVERSITY OF POSTS AND TELECOM, 2016, 39(s1): 87-93.
[4]	GE Hai-hui, ZHENG Shi-hui, CHEN Tian-ping, YANG Yi-xian. Fuzzy Risk Assessment of Information Security Threat Scenario [J]. JOURNAL OF BEIJING UNIVERSITY OF POSTS AND TELECOM, 2013, 36(6): 89-92,107.
[5]	. Network Security Analysis Based on Host-Security-Group [J]. JOURNAL OF BEIJING UNIVERSITY OF POSTS AND TELECOM, 2012, 35(1): 19-23.
[6]	WU Huan, PAN Lin, WANG Xiao-zhen, XU Rong-sheng. A Risk Assessment Model Using Incomplete Attack Graphs Analysis [J]. JOURNAL OF BEIJING UNIVERSITY OF POSTS AND TELECOM, 2010, 33(3): 57-61.
[7]	LuZhenbang,ZHOU Bo. Hierarchical Risk Assessment Based on Shapley Entropies and Choquet Integrals [J]. JOURNAL OF BEIJING UNIVERSITY OF POSTS AND TELECOM, 2009, 32(6): 83-87.