基于自适应专家权重的信息系统风险评估模型

摘要/Abstract

摘要： 针对风险评估过程中存在专家权重难以合理设置，评估结果受专家主观性影响大等问题，提出一种基于自适应专家权重的信息系统风险评估模型SAEW-ISRA，给出一种细粒度专家权重自适应调整方法。首先，在评估过程中引入三角模糊数对风险指标属性评分；其次，根据专家评分模糊度描述专家知识量，结合与专家群体评分的距离构建后验权重，可使专家权重自适应调整，同时使用模糊层次分析法构建风险指标权重；然后，提出信息系统风险指标危险度量化方法，可计算风险值；最后，通过某信息系统的风险评估实例验证所提方法能达到更高的评估准确性，同时在一定程度上解决了评估过程中权重不合理问题。

关键词: 信息系统, 风险评估, 专家权重, 三角模糊数, 模糊层次分析法

Abstract: Aiming to the problems that it is difficult to set the expert weight reasonably and the assessment result is greatly affected by the subjectivity of experts in the process of risk assessment, an information system risk assessment model SAEW-ISRA based on self-adaptive expert weight is proposed， and an adaptive adjustment method of fine-grained expert weight is presented. Firstly, triangular fuzzy number is introduced to score the attribute of risk indicators in the process of assessment. Secondly, the level of expert’s knowledge is described according to the fuzziness of expert score, and the posterior weight is constructed according to the distance from the average score of expert group, making the expert’s weight be adjusted adaptively; At the same time, the fuzzy analytic hierarchy process is used to construct the weight of risk indicators. Then, a risk quantification method of information system risk indicators is proposed, which can calculate the risk value. Finally, through an example of risk assessment of an information system, it is verified that the proposed method can achieve higher evaluation accuracy, and solve the problem of unreasonable weight in the evaluation process to a certain extent.

Key words: information system, risk assessment, expert weight, triangular fuzzy number, fuzzy analytic hierarchy process

卢赛, 庄毅. 基于自适应专家权重的信息系统风险评估模型[J]. 计算机与现代化, 2021, 0(08): 85-93.

LU Sai, ZHUANG Yi. Information System Risk Assessment Model Based on Self-Adaptive Expert Weight[J]. Computer and Modernization, 2021, 0(08): 85-93.

参考文献［32］

［1］	EHRENFELD J M. Wannacry, cybersecurity and health information technology: A time to act［J］. Journal of Medical Systems, 2017,41(7):104.
［2］	Kaspersky Website. Kaspersky Security Bulletin 2019. Statistics［EB/OL］. （2019-12-12)［2020-11-01］. https://securelist. com/kaspersky-security-bulletin-2019-statistics/95475/.
［3］	WANGEN G B. Information security risk assessment: A method comparison［J］. Computer, 2017,50(4):52-61.
［4］	冯登国,张阳,张玉清. 信息安全风险评估综述［J］. 通信学报, 2004,25(7):10-18.
［5］	HE M X, AN X. Information security risk assessment based on analytic hierarchy process［J］. Indonesian Journal of Electrical Engineering and Computer Science, 2016,1(3):656-664.
［6］	WANG H, CHEN Z F, FENG X, et al. Research on network security situation assessment and quantification method based on analytic hierarchy process［J］. Wireless Personal Communications, 2018,102(2):1401-1420.
［7］	TAO L L, LIN H, SHEN Y J, et al. Optimal combination between subjective weighting and objective weighting based on maximum square sum of distance for information security risk assessment［C］// 2016 7th IEEE International Conference on Software Engineering and Service Science (ICSESS). 2016:471-474.
［8］	KOKANGUL A, POLAT U, DAGSUYU C. A new approximation for risk assessment using the AHP and Fine Kinney methodologies［J］. Safety Science, 2017,91:24-32.
［9］	彭道刚,卫涛,赵慧荣,等. 基于D-AHP和TOPSIS的火电厂控制系统信息安全风险评估［J］. 控制与决策, 2019,34(11):2445-2451.
［10］	LI W M, LIANG Y, WANG W Y, et al. Research on security risk assessment based on the improved FAHP［J］. IOP Conference Series: Materials Science and Engineering, 2020,719(1):012008.
［11］	HUANG X P, XU W. Method of information security risk assessment based on improved fuzzy theory of evidence［J］. International Journal of Online and Biomedical Engineering (iJOE), 2018,14(3):188-196.
［12］	WU X Q, SHEN Y J, ZHANG G D, et al. Information security risk assessment based on DS evidence theory and improved TOPSIS［C］// 2016 7th IEEE International Conference on Software Engineering and Service Science. 2016:153-156.
［13］	WANG D Q, LU Y M, GAN J F. An information security evaluation method based on entropy theory and improved TOPSIS［C］// 2017 IEEE 2nd International Conference on Data Science in Cyberspace. 2017:595-600.
［14］	弭乾坤,吴斌,杜宁,等. 基于不完全信息博弈模型的信息系统安全风险评估方法［J］. 计算机与现代化, 2019(4):118-126.
［15］	LUO H S, SHEN Y J, ZHANG G D, et al. Information security risk assessment based on two stages decision model with grey synthetic measure［C］// 2015 6th IEEE International Conference on Software Engineering and Service Science. 2015:795-798.
［16］	高志方,盛冠帅,彭定洪. 妥协率法在信息安全风险评估中的应用［J］. 计算机工程与应用, 2017,53(23):82-87.
［17］	DUAN Y C, CAI Y H, WANG Z K, et al. A novel network security risk assessment approach by combining subjective and objective weights under uncertainty［J］. Applied Sciences, 2018,8(3):428.
［18］	YU J J, HU M, WANG P. Evaluation and reliability analysis of network security risk factors based on DS evidence theory［J］. Journal of Intelligent & Fuzzy Systems, 2018,34(2):861-869.
［19］	HAMID T, AL-JUMEILY D, HUSSAIN A, et al. Cyber security risk evaluation research based on entropy weight method［C］// 2016 9th International Conference on Developments in eSystems Engineering. 2016:98-104.
［20］	XIE H Y, WANG Y, ZHANG X H, et al. The study of information security risk assessment based on support vector machine［J］. MATEC Web of Conferences, 2018,232:01043.
［21］	GAO Y Y, SHEN Y J, ZHANG G D, et al. Information security risk assessment model based on optimized support vector machine with artificial fish swarm algorithm［C］// 2015 6th IEEE International Conference on Software Engineering and Service Science. 2015:599-602.
［22］	WANG J, FAN K F, MO W, et al. A method for information security risk assessment based on the dynamic Bayesian network［C］// International Conference on Networking & Network Applications. 2016:279-283.
［23］	SU C M, LI Y G, MAO W, et al. Information network risk assessment based on AHP and neural network［C］// 2018 10th International Conference on Communication Software and Networks. 2018:227-231.
［24］	SONG Y Q, SHEN Y J, ZHANG G D, et al. The information security risk assessment model based on GA-BP［C］// 2016 7th IEEE International Conference on Software Engineering and Service Science. 2016.
［25］	李森宇,毕方明,刘晋,等. ICS-BPNN在信息安全风险评估中的应用［J］. 中国科技论文, 2018,13(2):171-175.
［26］	DONG G S, LI W C, WANG S W, et al. The assessment method of network security situation based on improved BP neural network［C］// International Conference on Computer Engineering and Networks. 2018:67-76.
［27］	HU J J, GUO S S, KUANG X H, et al. I-HMM-based multidimensional network security risk assessment［J］. IEEE Access, 2019,8:1431-1442.
［28］	VAN LAARHOVEN P J M, PEDRYCZ W. A fuzzy extension of Saaty’s priority theory［J］. Fuzzy Sets and Systems 1983,11(1):199-227.
［29］	LIOU T S, WANG M J J. Ranking fuzzy numbers with integral value［J］. Fuzzy Sets and Systems, 1992,50(3):247-255.
［30］	张吉军. 模糊层次分析法(FAHP)［J］. 模糊系统与数学, 2000,14(2):80-88.
［31］	阮民荣,王玉燕. 基于模糊一致判断矩阵排序方法的比较［J］. 统计与决策, 2006(23):16-17.
［32］	ZHI H, ZHANG G D, LIU Y Q, et al. A novel risk assessment model on software system combining modified fuzzy entropy-weight and AHP［C］// 2017 8th IEEE International Conference on Software Engineering and Service Science. 2017:451-545.

[1]	王杰, 徐祥, 罗晓丹, 张萌, 黄澈, 洪冠中, 汪翔. 基于集成学习的巢湖面雨量计算方法[J]. 计算机与现代化, 2023, 0(09): 38-43.
[2]	王晓宇, 孙卡. 基于osgEarth的三维虚拟校园可视化[J]. 计算机与现代化, 2020, 0(11): 89-93.
[3]	崔雯迪, 段鹏飞, 朱红强, 刘娜. 攻击图与HMM工业控制网络安全风险评估[J]. 计算机与现代化, 2020, 0(07): 32-37.
[4]	叶茜1,王玉斐2,傅毅3,唐玉兰1 . 基于GQM模型的工业控制系统风险评估方法[J]. 计算机与现代化, 2019, 0(08): 92-.
[5]	代永强，王联国. 城市表层土壤重金属污染评价[J]. 计算机与现代化, 2019, 0(08): 105-.
[6]	弭乾坤1，吴斌2，杜宁1，秦晰1. 基于不完全信息博弈模型的信息系统安全风险评估方法[J]. 计算机与现代化, 2019, 0(04): 118-.
[7]	袁捷，张民磊. 基于SDN的电力信息系统故障恢复机制研究[J]. 计算机与现代化, 2018, 0(11): 7-.
[8]	黄玉洁，唐作其. 基于改进贝叶斯模型的信息安全风险评估[J]. 计算机与现代化, 2018, 0(04): 95-.
[9]	李艳玲1，吴建伟1，朱烨行2. 基于判断矩阵一致性程度的专家权重确定方法[J]. 计算机与现代化, 2017, 0(6): 20-24+29.
[10]	江华，徐国春，杨菁. 国有土地上房屋征收与补偿信息系统设计与实现[J]. 计算机与现代化, 2017, 0(5): 109-112.
[11]	马佳艳,王萍,申红伟. 基于中间件的竞赛数据分发系统设计[J]. 计算机与现代化, 2017, 0(12): 94-97.
[12]	孙小军. 模糊权值网络最小生成树问题的矩阵算法[J]. 计算机与现代化, 2016, 0(9): 21-24.
[13]	于跃洋,苗虹,葛世伦,王念新. 使用关联的企业信息系统菜单优化方法[J]. 计算机与现代化, 2016, 0(11): 99-103.
[14]	屈众，蒋少华，周彪. 女村官信息支持网络系统[J]. 计算机与现代化, 2016, 0(1): 12-15.
[15]	任佳佳，王念新，葛世伦. 企业信息系统用户行为统计特性及其动力学分析[J]. 计算机与现代化, 2015, 0(9): 6-12.