Title: Information Security Risk Assessment Considering the Interdependencies among Security Controls
Author: 陳婉佳
Author (romanized): Chen, Wan-Jia
Institution: 國立交通大學 (National Chiao Tung University)
Department: 資訊管理研究所 (Institute of Information Management)
Advisor: 羅濟群
Degree: Doctoral
Publication date: 2012
Keywords: Information security; Risk assessment; Decision Making Trial and Evaluation Laboratory (DEMATEL); Analytic Network Process (ANP); Ordered weighted averaging (OWA) operator; Fuzzy linguistic quantifiers; Maximum entropy method
Abstract: Risk assessment is a key step in the core process of information security risk management. Organizations use risk assessment to determine the risks within their information systems and to provide sufficient means to reduce the identified risks. In practice, the security controls applied to an information system are not completely independent, so during risk assessment it is crucial to consider the interdependencies among control families. This thesis proposes a hybrid procedure for evaluating and identifying the risk levels of information system security while considering the interdependencies among control families. First, the procedure applies the Decision Making Trial and Evaluation Laboratory (DEMATEL) method to construct the interrelations among security control areas. Second, the DEMATEL results are used as the network structure of the Analytic Network Process (ANP) to obtain the likelihood ratings of risks; as a result, the procedure can capture the interdependencies and feedback between security control families and identify the priority of areas requiring security measures in real-world situations. Lastly, the Fuzzy Linguistic Quantifiers-guided Maximum Entropy Order-Weighted Averaging (FLQ-MEOWA) operator is used to aggregate the impact values assessed by experts, in order to diminish the influence of extreme evaluations arising from personal views and drastic opinions. An application to the information systems of company X was examined to verify the proposed procedure. After analyzing the acquired data, we confirm that the proposed procedure detects the influential factors among security control areas and identifies the information systems with higher risk levels, for which prioritized safeguards should be considered.