Detailed record
Title: Decision-Making Methods for Information Security Vulnerability Management (資訊安全弱點管理之決策方法)
Author: 黃健誠
Author (romanized): Chien-Cheng Huang
Institution: National Taiwan University
Department: Graduate Institute of Information Management
Advisor: 林永松
Degree: Doctoral
Year of publication: 2014
Subject keywords: security vulnerability; security evaluation; fuzzy analytic hierarchy process; fuzzy synthetic decision making; fuzzy integral decision making; defense resource allocation
Abstract (translated from the Chinese): This study constructs an analysis model that reflects the information security level of vulnerabilities, to serve as a basis for assessing the risk level of information systems, screening out dangerous vulnerabilities, and remediating the risk factors of information systems. It applies the fuzzy analytic hierarchy process to systematize the interrelated factors of vulnerabilities that affect information security and to build an evaluation framework. First, the fuzzy Delphi method is used to screen the main aspects affecting information security and their corresponding influencing factors; membership functions are then established for each factor and combined into a fuzzy synthetic decision-making model of vulnerability security level. This model shows how each vulnerability performs, in security terms, on each main aspect, revealing the latent risk factors of the information system and providing a reference for improvement plans. Second, to relax the assumption of additivity and independence among evaluation aspects and criteria made by the traditional fuzzy synthetic decision-making model, a fuzzy-measure approach is proposed and a fuzzy integral decision-making model of vulnerability security level is built, which accounts for the characteristics of real human subjective judgment. The results show that the evaluation model is practical and can be applied to grade the security level of newly discovered vulnerabilities; in building the fuzzy integral decision-making model, it is shown that the model fully reflects the synergistic (multiplicative) interaction among the important aspects affecting information security. Furthermore, based on the weights and security levels obtained above, and under a limited defense budget, a defense resource allocation strategy for security vulnerability management is proposed to maximize security benefit and improve defense capability. This problem is formulated as a nonlinear programming optimization problem; the study solves it to find a better defense resource allocation, which is then analyzed and discussed.
Abstract (English): The aim of this study is to formulate an analysis model that can express security vulnerability grades and serve as a basis for evaluating the risk level of information systems and for screening hazardous system vulnerabilities, and to use it to improve the system against various security threats. Using a fuzzy analytic hierarchy process, this study organizes the interrelated factors of system vulnerabilities and builds an evaluation framework. First, via the fuzzy Delphi method, the aspects and relative determinants affecting security are screened. The membership function of each factor is then identified, and the fuzzy synthetic vulnerability decision-making model is established. This model can analyze the degree to which each vulnerability affects system security, and this information serves as a basis for future improvements of the system itself. The study also proposes an improvement on the traditional fuzzy synthetic decision-making model, replacing its assumptions of additivity and independence among aspects and criteria with a fuzzy measure. Taking human subjectivity into consideration, it constructs a fuzzy integral decision-making model on this basis. The case study demonstrates that the evaluation model is practical and can be applied to new vulnerabilities to measure their security level. In addition, the fuzzy integral decision-making model captures the synergistic (multiply-add) effect between the factors influencing information security. Finally, based on the weights and security levels obtained above, and with limited defense resources, this research proposes defense resource allocation strategies for security vulnerability management that maximize security utility and improve defense capability. As the problem is a nonlinear programming optimization problem, the study finds near-optimal defense resource allocations through the solution process and analyzes and discusses them.
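The two abstracts contrast the additive fuzzy synthetic model with a fuzzy integral model that captures interaction among aspects. The Python below is an added illustration of that contrast, not code from the thesis: it assumes the fuzzy measure is a Sugeno λ-measure identified from per-criterion densities and the integral is the Choquet integral (the standard apparatus for this kind of model), and the densities and score profiles it uses are constructed, since the thesis's actual criteria and weights are not on this page.

```python
def _residual(lam, densities):
    """prod(1 + lam*g_i) - (1 + lam); zero at the Sugeno lambda."""
    prod = 1.0
    for g in densities:
        prod *= 1.0 + lam * g
    return prod - (1.0 + lam)

def solve_lambda(densities, iters=100):
    """Sugeno lambda (> -1) by bisection: > 0 if densities sum to < 1, < 0 if > 1, 0 if == 1."""
    total = sum(densities)
    if abs(total - 1.0) < 1e-12:
        return 0.0
    if total < 1.0:
        lo, hi = 0.0, 1.0
        while _residual(hi, densities) < 0:  # widen until the residual turns positive
            hi *= 2.0
    else:
        lo, hi = -1.0, 0.0
    for _ in range(iters):
        mid = (lo + hi) / 2.0
        neg = _residual(mid, densities) < 0
        # in both brackets the residual is negative on the side nearest 0
        if total < 1.0:
            lo, hi = (mid, hi) if neg else (lo, mid)
        else:
            lo, hi = (lo, mid) if neg else (mid, hi)
    return (lo + hi) / 2.0

def lambda_measure(subset, densities, lam):
    """g(A) for criterion indices A, built as g(A+x) = g(A) + g_x + lam*g(A)*g_x."""
    g = 0.0
    for i in subset:
        g = g + densities[i] + lam * g * densities[i]
    return g

def choquet(scores, densities, lam):
    """Choquet integral: each drop in the sorted score profile is weighted by the
    measure of the criteria scoring at least that high (non-additive aggregation)."""
    order = sorted(range(len(scores)), key=lambda i: scores[i], reverse=True)
    total = 0.0
    for k, i in enumerate(order):
        nxt = scores[order[k + 1]] if k + 1 < len(order) else 0.0
        total += (scores[i] - nxt) * lambda_measure(order[:k + 1], densities, lam)
    return total

def weighted_mean(scores, densities):
    # additive aggregation of the fuzzy synthetic model, weights normalised to 1
    return sum(s * g for s, g in zip(scores, densities)) / sum(densities)

if __name__ == "__main__":
    dens = [0.2, 0.2, 0.2]  # three hypothetical aspects; densities sum < 1 -> synergy
    lam = solve_lambda(dens)  # about 2.81; g({0,1}) then exceeds 0.2 + 0.2
    for name, s in [("balanced", [0.6, 0.6, 0.6]), ("uneven", [0.9, 0.9, 0.0])]:
        print(f"{name}: additive={weighted_mean(s, dens):.3f} integral={choquet(s, dens, lam):.3f}")
```

The two constructed profiles tie under the additive model (0.6 each) but the fuzzy integral rates the balanced one higher, which is the interaction effect the abstract attributes to the fuzzy integral model.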