考量控制措施間相互影響性之資訊安全風險評鑑

Abstract

風險評鑑是資訊安全風險管理中相當重要的過程。組織透過風險評鑑決定出組織資訊系統中的風險，並提供充足的方法來降低這些風險。在實務上，實施在組織的資訊系統上的各個資訊安全控制項目並非是完全獨立的，因此在評估各項目的風險時應該要考量它們之間可能存在的相關性或互相影響。本論文提出一個考量控制措施間相互影響性的混合風險評鑑方法來評估組織資訊系統的風險等級。首先，本研究以決策實驗室 (Decision Making Trial and Evaluation Laboratory, DEMATEL) 分析法來建構出各控制措施類別之間的相互影響性。接著以決策實驗室分析法所建構出的各類別間相互影響的結果做為分析網路程序法(Analytic Network Process, ANP)的分析架構，再決定出風險發生的機率性，藉此本研究可以考量各控制措施群之間的相關性和相互影響性以符合實務上的實際狀況。再者，本研究以模糊語意量子引導熵值最大化之整合權值(Fuzzy Linguistic Quantifiers-guided Maximum Entropy Order-Weighted averaging , FLQ-MEOWA) 運算法來整合各專家所評估的風險影響值，以減少極端值與主觀因素所產生的影響。最後，本研究將所提出的風險評鑑方法應用於X公司的資訊系統來驗證。藉由此研究實例確認本方法可以找出控制措施間相互影響性，所評估出的風險等級能反映控制措施間相互影響的問題，使得出的風險等級能提供參考作為決定出哪些資訊系統需要更進一步提升其資訊安全防護。

Risk assessment is an important key step of the core process for information security risk management. Organizations use risk assessment to determine the risks within information systems and provide sufficient means to reduce the identified risks. In practical application, security controls applied to the information system areas are not completely independent, therefore during the process of risk assessment it is crucial to consider the interdependences among control families. In this thesis, a hybrid procedure for evaluating and identifying risk levels of information system security while considering interdependences amongst control families is proposed. First, this procedure applies the Decision Making Trial and Evaluation Laboratory (DEMATEL) method to construct interrelations amongst security control areas. Secondly, using the results from DEMATEL, the Analytic Network Process (ANP) method is used to obtain the likelihood ratings of risks; as a result, the proposed procedure can detect interdependences and feedback between security control families as well as identify priorities of areas requiring security measures in real world situations. Lastly, the Fuzzy Linguistic Quantifiers-guided Maximum Entropy Order-Weighted averaging (FLQ-MEOWA) operator is used to aggregate impact values assessed by experts, applied to diminish the influence of extreme evaluations such as personal views and drastic opinions. An application in company X was examined to verify the proposed procedure. After analyzing the acquired data, we confirm the proposed procedure certainly detects the influential factors among security control areas as well as identifies information systems with higher risk levels where prioritized safeguard tactics should be considered.