CN113553583A - Information system asset security risk assessment method and device - Google Patents

Information system asset security risk assessment method and device Download PDF

Info

Publication number
CN113553583A
CN113553583A CN202110858954.6A CN202110858954A CN113553583A CN 113553583 A CN113553583 A CN 113553583A CN 202110858954 A CN202110858954 A CN 202110858954A CN 113553583 A CN113553583 A CN 113553583A
Authority
CN
China
Prior art keywords
asset
risk
value
threat
vulnerability
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202110858954.6A
Other languages
Chinese (zh)
Inventor
梁段
樊凯
刘祥
冯国聪
杨逸岳
林少广
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Southern Power Grid Digital Power Grid Group Information Communication Technology Co ltd
China Southern Power Grid Co Ltd
Original Assignee
China Southern Power Grid Co Ltd
Southern Power Grid Digital Grid Research Institute Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Southern Power Grid Co Ltd, Southern Power Grid Digital Grid Research Institute Co Ltd filed Critical China Southern Power Grid Co Ltd
Priority to CN202110858954.6A priority Critical patent/CN113553583A/en
Publication of CN113553583A publication Critical patent/CN113553583A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/552Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F17/00Digital computing or data processing equipment or methods, specially adapted for specific functions
    • G06F17/10Complex mathematical operations
    • G06F17/16Matrix or vector computation, e.g. matrix-matrix or matrix-vector multiplication, matrix factorization
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F17/00Digital computing or data processing equipment or methods, specially adapted for specific functions
    • G06F17/10Complex mathematical operations
    • G06F17/18Complex mathematical operations for evaluating statistical data, e.g. average values, frequency distributions, probability functions, regression analysis
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577Assessing vulnerabilities and evaluating computer system security

Landscapes

  • Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Data Mining & Analysis (AREA)
  • Computer Security & Cryptography (AREA)
  • Mathematical Physics (AREA)
  • Mathematical Optimization (AREA)
  • Computer Hardware Design (AREA)
  • Computational Mathematics (AREA)
  • Pure & Applied Mathematics (AREA)
  • Mathematical Analysis (AREA)
  • Computing Systems (AREA)
  • Databases & Information Systems (AREA)
  • Algebra (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Bioinformatics & Cheminformatics (AREA)
  • Bioinformatics & Computational Biology (AREA)
  • Evolutionary Biology (AREA)
  • Operations Research (AREA)
  • Probability & Statistics with Applications (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The application relates to an asset security risk assessment method and device for an information system, computer equipment and a storage medium, asset security risk data in the whole security domain are obtained, the data are analyzed to obtain corresponding risk possibility and influence, a risk matrix is constructed based on the risk possibility and the influence, and then asset security risk assessment is carried out according to the risk matrix. In the whole process, the risk possibility and the influence of the asset safety risk data in the whole safety domain are automatically acquired and analyzed, multiple items of data do not need to be manually acquired and input, the asset safety risk assessment is carried out by the constructed risk matrix, the influence of manual experience and subjective consciousness on the final risk assessment is reduced, and the accuracy of the risk assessment is improved.

Description

Information system asset security risk assessment method and device
Technical Field
The present application relates to the field of risk assessment technologies, and in particular, to a method and an apparatus for assessing asset security risk of an information system, a computer device, and a storage medium.
Background
With the development of computer technology and internet technology, more and more services support online handling and online control, and great convenience is brought to people.
However, the online transaction and management of the business are easy to be counterfeited or deceived, even under external attack, which brings great risk to the asset security corresponding to the business. How to perform security risk assessment on assets to identify services which may have risks or have higher risks is a difficult problem to be solved urgently. Most of the existing security risk assessment methods are based on manual judgment of various parameters obtained by experienced personnel through a computer, the assessment personnel need to operate the computer for multiple times to read data of different types and different types, and the multiple operation of the computer inevitably needs more operation time, so that the risk assessment efficiency is low.
Therefore, the conventional security risk assessment scheme has the defect of low efficiency.
Disclosure of Invention
In view of the above, there is a need to provide an efficient information system asset security risk assessment method, apparatus, computer device and storage medium for solving the above technical problems.
An information system asset security risk assessment method is characterized by comprising the following steps:
acquiring asset safety risk data in a safety domain;
analyzing asset safety risk data, and acquiring the risk possibility and influence of the asset;
constructing a risk matrix according to the risk possibility and the influence of the assets;
and carrying out asset safety risk assessment according to the risk matrix.
In one embodiment, performing asset security risk assessment according to a risk matrix comprises:
according to the risk matrix, obtaining value dimension data, fragile dimension data and threat dimension data corresponding to the assets;
calculating an asset security risk value according to value dimension data, fragile dimension data and threat dimension data corresponding to the asset;
and carrying out asset safety risk assessment according to the asset safety risk value.
In one embodiment, calculating the asset security risk value according to the value dimension data, the vulnerability dimension data and the threat dimension data corresponding to the asset comprises:
analyzing and acquiring a value grade, a weak point value, a threat severity grade and a threat frequency corresponding to the asset according to the value dimension data, the weak dimension data and the threat dimension data corresponding to the asset;
and calculating the product of the value grade, the weak point value, the threat severity grade and the threat frequency corresponding to the asset to obtain the asset security risk value.
In one embodiment, the above method for evaluating asset security risk of an information system further includes:
acquiring a preset value grade division table;
and obtaining the value grade corresponding to the asset according to the preset value grade division table and the value corresponding to the asset.
In one embodiment, the above method for evaluating asset security risk of an information system further includes:
according to the vulnerability corresponding to the asset, extracting the total vulnerability number of the asset and the severity level of each vulnerability, and counting the vulnerability number corresponding to the vulnerability severity level;
and calculating a weighted average value of the vulnerability severity levels to obtain a vulnerability value, wherein the weighted value of the vulnerability severity levels is positively correlated with the number of vulnerabilities corresponding to the vulnerability severity levels.
In one embodiment, the above method for evaluating asset security risk of an information system further includes:
extracting the total number of threats of the assets and the threat influence level corresponding to each threat according to the threats corresponding to the assets, and counting the number of threats corresponding to each threat influence level;
and calculating a weighted average value of the threat influence levels to obtain a threat severity level, wherein the weighted value of the threat influence levels is positively correlated with the number of threats corresponding to the threat influence levels.
In one embodiment, after the asset security risk assessment is performed according to the risk matrix, the method further includes:
importing the asset risk assessment result into a preset risk assessment report template to generate a risk assessment report;
and pushing a risk assessment report.
An information system asset security risk assessment device, the device comprising:
the data acquisition module is used for acquiring asset safety risk data in a safety domain;
the analysis module is used for analyzing the asset security risk data and acquiring the risk possibility and the influence of the asset;
the matrix construction module is used for constructing a risk matrix according to the risk possibility and the influence of the assets;
and the evaluation module is used for carrying out asset safety risk evaluation according to the risk matrix.
A computer device comprising a memory and a processor, the memory storing a computer program, the processor implementing the following steps when executing the computer program:
acquiring asset safety risk data in a safety domain;
analyzing asset safety risk data, and acquiring the risk possibility and influence of the asset;
constructing a risk matrix according to the risk possibility and the influence of the assets;
and carrying out asset safety risk assessment according to the risk matrix.
A computer-readable storage medium, on which a computer program is stored which, when executed by a processor, carries out the steps of:
acquiring asset safety risk data in a safety domain;
analyzing asset safety risk data, and acquiring the risk possibility and influence of the asset;
constructing a risk matrix according to the risk possibility and the influence of the assets;
and carrying out asset safety risk assessment according to the risk matrix.
According to the asset security risk assessment method, device, computer equipment and storage medium of the information system, asset security risk data in the whole security domain are obtained, the data are analyzed to obtain corresponding risk possibility and influence, a risk matrix is constructed based on the risk possibility and the influence, and then asset security risk assessment is carried out according to the risk matrix. In the whole process, the risk possibility and the influence of the asset safety risk data in the whole safety domain are automatically acquired and analyzed, multiple items of data do not need to be manually acquired and input, the asset safety risk assessment is carried out by the constructed risk matrix, the influence of manual experience and subjective consciousness on the final risk assessment is reduced, and the accuracy of the risk assessment is improved.
Drawings
FIG. 1 is a diagram of an environment in which a method for assessing information system asset security risk is applied in one embodiment;
FIG. 2 is a schematic flow chart diagram of a method for information system asset security risk assessment in one embodiment;
FIG. 3 is a schematic flow chart of a method for assessing information system asset security risk in another embodiment;
FIG. 4 is a block diagram of an information system asset security risk assessment device in one embodiment;
FIG. 5 is a diagram illustrating an internal structure of a computer device according to an embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application.
The information system asset security risk assessment method provided by the application can be applied to the application environment shown in fig. 1. Wherein the terminal 102 communicates with the server 104 via a network. A plurality of terminals 102 and a server 104 are based on the same security protection requirement and mutually trusted logic areas. The server 104 acquires asset security risk data of the whole security domain in the operation process; analyzing asset safety risk data, and acquiring the risk possibility and influence of the asset; constructing a risk matrix according to the risk possibility and the influence of the assets; and carrying out asset safety risk assessment according to the risk matrix. The server 104 may send the security risk assessment results to the administrator terminal or push them directly to the administrator. The terminal 102 may be, but not limited to, various personal computers, notebook computers, smart phones, tablet computers, and portable wearable devices, and the server 104 may be implemented by an independent server or a server cluster formed by a plurality of servers.
In practical applications, after the complete asset table is formed by completing the identification of assets, in order to clearly protect the assets and to subsequently calculate the risk values, it is necessary to evaluate the value of the assets, and the value size not only takes into account the value itself but also the relevance of the business and the potential value under certain conditions. Asset value is often measured in terms of potential business impact generated when security events occur that result in loss of asset confidentiality, integrity and availability and thus loss of corporate funds, market share, corporate image. For consistency and accuracy of asset valuation, a set of valuation criteria for asset value is established, and a value can be assigned to each asset and to each possible loss, such as loss of confidentiality, integrity and availability. However, it is difficult to assign value to assets in an accurate manner, and generally, the value of the assets is divided into different grades according to the value evaluation standard of the assets in a qualitative manner, and after the assets are identified and valued, an organization further determines the key assets to be protected according to the value of the assets. In the evaluation process, in order to ensure that no asset is ignored or leaked, the information security system range should be determined firstly, the simplest way of evaluating the asset by establishing the evaluation boundary of the asset is to list all assets with values in the security management system range in the business organization process, then a certain value is given to the asset, the value reflects the importance of the asset on business organization operation, and the value is expressed by the potential influence degree on the business. For example, the greater the asset value, the greater the potential impact on the organizational business due to security events such as leaks, modifications, damage, unavailability, etc. The identification and valuation of assets based on the needs of an organization business is an important step in establishing an information security system and determining risks.
Based on the above technical background, the present application provides an information system asset security risk assessment method as shown in fig. 2, which is described by taking the application of the method to the server in fig. 1 as an example, and includes the following steps:
s200: asset security risk data within a secure domain is obtained.
A security domain is a logical area consisting of a set of systems with the same security protection requirements and trust each other. The security domain can specifically adopt a multi-level tree type security domain structure, so that the complex organization architecture and network architecture of a user can be supported conveniently. The security domain also supports operations of adding, editing and deleting; assets can be moved in and out of the secure domain in batches. Asset security risk data includes risk data for asset CIA (confidentiality, integrity, availability) attributes, security events, vulnerabilities. These data are recorded throughout the normal operation of the secure domain and can be extracted from the log of the system in the secure domain.
S400: and analyzing the asset safety risk data, and acquiring the risk possibility and the influence of the asset.
The asset security risk data in the security domain are analyzed, the value, the weakness, the risk value, the threat value and the risk trend of the asset can be analyzed for statistical analysis, and then parameters of the asset in two aspects of risk possibility and influence are obtained by adopting a built-in risk calculation model. The built-in risk calculation model may employ a conventional risk assessment model. The risk possibility mainly comprises the possibility of occurrence of a security event, the possibility of bringing risks to the system in the whole security domain after the security event occurs, and the like, and is mainly obtained by analyzing the risk value, the weakness, the risk trend and the like of the asset. The influential effect mainly refers to the influence on the whole security domain after a security event occurs, and is mainly obtained by analyzing the value, the weakness, the threat value, the risk trend and the like of the asset. Optionally, the risk calculation model may be used to periodically calculate the risk potential and impact of the asset based on the asset security risk data.
S600: and constructing a risk matrix according to the risk possibility and the influence of the assets.
A risk matrix is constructed by the risk potential and impact of the asset. It is understood that asset risk of the networking system (including terminals and servers) within the current security domain can be characterized by the risk matrix.
S800: and carrying out asset safety risk assessment according to the risk matrix.
And after S600, obtaining a risk matrix, namely collecting and organizing data of multiple dimensions into specific data in a matrix form, and further calculating to obtain an asset security risk assessment result of the information system on the basis of the risk matrix. And if not, specifically calculating an asset security risk value through a built-in risk calculation model, and obtaining a specific risk level as a final asset security risk assessment result based on the risk value and a preset risk value-risk level corresponding relation.
According to the asset security risk assessment method for the information system, asset security risk data in the whole security domain are obtained, the data are analyzed to obtain corresponding risk possibility and influence, a risk matrix is constructed based on the risk possibility and the influence, and then asset security risk assessment is carried out according to the risk matrix. In the whole process, the risk possibility and the influence of the asset safety risk data in the whole safety domain are automatically acquired and analyzed, multiple items of data do not need to be manually acquired and input, the asset safety risk assessment is carried out by the constructed risk matrix, the influence of manual experience and subjective consciousness on the final risk assessment is reduced, and the accuracy of the risk assessment is improved.
As shown in fig. 3, in one embodiment, S800 includes:
s820: according to the risk matrix, obtaining value dimension data, fragile dimension data and threat dimension data corresponding to the assets;
s840: calculating an asset security risk value according to value dimension data, fragile dimension data and threat dimension data corresponding to the asset;
s860: and carrying out asset safety risk assessment according to the asset safety risk value.
And (4) stripping and analyzing data of the value, the fragility and the threat dimension corresponding to the assets according to the risk matrix. The value refers to a value amount corresponding to the asset, and it can be understood that the greater the value amount is, the greater the sensitivity of the value amount to risks is, that is, the greater the level of protection is required to be. The value dimension data may be specific value data or a value level. The fragile dimensional data refers to the defense of the information system against attacks and dangerous events and the situation of loss in suffering from dangerous events. Threat dimension data refers to the degree of security threat to the entire information system upon the occurrence of a security event. Threat dimension data may be characterized by threat severity (threat level) and threat frequency. An asset security risk value is computed from the value dimension, the vulnerability dimension, and the threat dimension triggers. And if not, calculating the safety risk value of the asset according to the value dimension data, the vulnerability dimension data and the threat dimension data corresponding to the asset by using the risk calculation model. And (3) performing asset safety risk assessment by taking the asset safety risk value as an assessment basis, specifically, grading based on the asset safety risk value to finally obtain asset right risk assessment grades, wherein the grades specifically comprise 5 grades including extremely high, medium and low, and qualitatively assess the asset safety risk of the information system.
In order to further describe the content of the asset security risk assessment of the information system of the present application in detail, a description will be made below for the value dimension data, the vulnerability dimension data, and the threat dimension data, respectively.
Value dimension: the asset value may be divided into 5 levels (as shown in table 1 below in particular), with each level corresponding to a respective score. Wherein, the levels 1, 3 and 5 are use levels, the levels 2 and 4 are reserved levels, the grading result can be protected according to the security level of the information system, and the user can define the asset value in the configuration interface according to the security level.
Table 1 shows the correspondence table of asset value assignments
Figure BDA0003185060660000071
The vulnerability dimension: the vulnerability dimension data can be vulnerability grades, the vulnerability grades can be divided into 5 grades in total, namely, the high grade, the medium grade, the low grade and the medium grade, and the high grade means that if the vulnerability is utilized by a threat, the asset is damaged completely; high means that if utilized by a threat, significant damage will be done to the asset; medium refers to general damage to the asset if utilized by a threat; medium-low means that if utilized by a threat, the asset will be less damaged; low means that if utilized by a threat, the damage that would be done to the asset is negligible. The vulnerability rank and definition in the vulnerability dimension data can be seen in table 2 below.
Table 2 is a table of vulnerability severity
Figure BDA0003185060660000072
Figure BDA0003185060660000081
The threat dimension mainly includes two aspects of threat types and threat frequency, the threat types can be roughly divided into hardware types (caused by constituting hardware in the information system) and software types (caused by software installed in the information system), and specific threat classifications can be seen in the following table 3.
TABLE 3 threat Classification sheet
Figure BDA0003185060660000082
Figure BDA0003185060660000091
Figure BDA0003185060660000101
In one embodiment, calculating the asset security risk value according to the value dimension data, the vulnerability dimension data and the threat dimension data corresponding to the asset comprises: analyzing and acquiring a value grade, a weak point value, a threat severity grade and a threat frequency corresponding to the asset according to the value dimension data, the weak dimension data and the threat dimension data corresponding to the asset; and calculating the product of the value grade, the weak point value, the threat severity grade and the threat frequency corresponding to the asset to obtain the asset security risk value.
The detailed contents of the value dimension, the vulnerability dimension and the threat dimension are described in detail in the above, and are not repeated herein. Analyzing and proposing corresponding value grade, weak point value, threat severity grade and threat frequency from the three dimensional data, wherein the medium grade and the threat severity grade can be divided and set based on a preset corresponding grade division table to obtain the score of the corresponding grade, the weak point value and the threat frequency can obtain specific quantity in a statistical analysis mode, and the asset safety risk value is calculated and obtained based on the 4 values. Specifically, the product of the 4 values can be calculated through a preset risk calculation model to obtain an asset safety risk value.
In one embodiment, the above method for evaluating asset security risk of an information system further includes:
acquiring a preset value grade division table; and obtaining the value grade corresponding to the asset according to the preset value grade division table and the value corresponding to the asset.
The preset value ranking list is a preset table, and the asset value ranking list is shown in table 1 above. And dividing the value grades corresponding to the assets in a preset value grade division table form.
In one embodiment, the above method for evaluating asset security risk of an information system further includes:
according to the vulnerability corresponding to the asset, extracting the total vulnerability number of the asset and the severity level of each vulnerability, and counting the vulnerability number corresponding to the vulnerability severity level; and calculating a weighted average value of the vulnerability severity levels to obtain a vulnerability value, wherein the weighted value of the vulnerability severity levels is positively correlated with the number of vulnerabilities corresponding to the vulnerability severity levels.
For the vulnerability, the vulnerability severity rating is as shown in table 2 above. The total vulnerability number of the asset and the severity level of each vulnerability are obtained by adopting a statistical analysis mode, a final vulnerability value is obtained by adopting a weighting calculation mode, and the weighting value of the vulnerability severity is positively correlated with the corresponding vulnerability number in the weighting calculation process. Specifically, the following equation is shown:
Figure BDA0003185060660000111
wherein N is the total vulnerability of the assets and the Severity grade of the Severity vulnerability of the security, the value range is 1-5, and NiThe number of vulnerabilities for each severity level. The calculation of the vulnerability value is a weighted average of the vulnerability severity levels. If the asset does not introduce over-vulnerability, the vulnerability is 1 in severity.
In one embodiment, the above method for evaluating asset security risk of an information system further includes:
extracting the total number of threats of the assets and the threat influence level corresponding to each threat according to the threats corresponding to the assets, and counting the number of threats corresponding to each threat influence level; and calculating a weighted average value of the threat influence levels to obtain a threat severity level, wherein the weighted value of the threat influence levels is positively correlated with the number of threats corresponding to the threat influence levels.
The total number of threats of the assets and the threat influence level of each threat are obtained by adopting a statistical analysis mode, the threat severity level is obtained by adopting a weighted calculation mode, and the weighted value of the threat influence level is positively correlated with the corresponding threat number in the weighted calculation process. Specifically, the following equation is shown:
Figure BDA0003185060660000112
wherein M is the total threat number of the assets, Impact is the influence level of the threat, the value range is 1-5, and M isiThe number of threats for each impact level. The calculation of threat severity is a weighted average of threat impact levels.
In one embodiment, after the asset security risk assessment is performed according to the risk matrix, the method further includes:
importing the asset risk assessment result into a preset risk assessment report template to generate a risk assessment report; and pushing a risk assessment report.
And aiming at the finally obtained asset risk assessment result, the finally obtained asset risk assessment result can be imported into a preset risk assessment report template, and the final result is displayed to a manager in a report template mode.
It should be understood that, although the steps in the flowcharts are shown in sequence as indicated by the arrows, the steps are not necessarily performed in sequence as indicated by the arrows. The steps are not performed in the exact order shown and described, and may be performed in other orders, unless explicitly stated otherwise. Moreover, at least a part of the steps in each of the flowcharts described above may include multiple steps or multiple stages, which are not necessarily performed at the same time, but may be performed at different times, and the order of performing the steps or stages is not necessarily sequential, but may be performed alternately or alternately with other steps or at least a part of the steps or stages in other steps.
As shown in fig. 4, the present application further provides an information system asset security risk assessment apparatus, which includes:
a data obtaining module 200, configured to obtain asset security risk data in a security domain;
an analysis module 400, configured to analyze asset security risk data and obtain risk probability and influence of an asset;
a matrix construction module 600 for constructing a risk matrix according to the risk potential and impact of the asset;
and the evaluation module 800 is used for performing asset security risk evaluation according to the risk matrix.
The asset safety risk assessment device of the information system acquires asset safety risk data in the whole safety domain, analyzes the data to acquire corresponding risk possibility and influence, constructs a risk matrix based on the risk possibility and the influence, and then performs asset safety risk assessment according to the risk matrix. In the whole process, the risk possibility and the influence of the asset safety risk data in the whole safety domain are automatically acquired and analyzed, multiple items of data do not need to be manually acquired and input, the asset safety risk assessment is carried out by the constructed risk matrix, the influence of manual experience and subjective consciousness on the final risk assessment is reduced, and the accuracy of the risk assessment is improved.
In one embodiment, the evaluation module 800 is further configured to obtain value dimension data, vulnerability dimension data, and threat dimension data corresponding to the asset according to the risk matrix; calculating an asset security risk value according to value dimension data, fragile dimension data and threat dimension data corresponding to the asset; and carrying out asset safety risk assessment according to the asset safety risk value.
In one embodiment, the evaluation module 800 is further configured to analyze and obtain a value grade, a weak point value, a threat severity grade, and a threat frequency corresponding to the asset according to the value dimension data, the weak dimension data, and the threat dimension data corresponding to the asset; and calculating the product of the value grade, the weak point value, the threat severity grade and the threat frequency corresponding to the asset to obtain the asset security risk value.
In one embodiment, the evaluation module 800 is further configured to obtain a preset value grade division table; and obtaining the value grade corresponding to the asset according to the preset value grade division table and the value corresponding to the asset.
In one embodiment, the assessment module 800 is further configured to extract the total number of vulnerabilities of the asset and the severity level of each vulnerability according to the vulnerability corresponding to the asset, and count the number of vulnerabilities corresponding to the vulnerability severity level; and calculating a weighted average value of the vulnerability severity levels to obtain a vulnerability value, wherein the weighted value of the vulnerability severity levels is positively correlated with the number of vulnerabilities corresponding to the vulnerability severity levels.
In one embodiment, the evaluation module 800 is further configured to extract, according to the threats corresponding to the assets, the total number of threats of the assets and the threat influence level corresponding to each threat, and count the number of threats corresponding to each threat influence level; and calculating a weighted average value of the threat influence levels to obtain a threat severity level, wherein the weighted value of the threat influence levels is positively correlated with the number of threats corresponding to the threat influence levels.
In one embodiment, the asset security risk assessment device of the information system further includes a pushing module, configured to import an asset risk assessment result into a preset risk assessment report template, and generate a risk assessment report; and pushing a risk assessment report.
For specific limitations of the information system asset security risk assessment device, reference may be made to the above limitations of the information system asset security risk assessment method, which are not described herein again. The modules in the information system asset security risk assessment device can be wholly or partially implemented by software, hardware and a combination thereof. The modules can be embedded in a hardware form or independent from a processor in the computer device, and can also be stored in a memory in the computer device in a software form, so that the processor can call and execute operations corresponding to the modules.
In one embodiment, a computer device is provided, which may be a server, the internal structure of which may be as shown in fig. 5. The computer device includes a processor, a memory, and a network interface connected by a system bus. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device comprises a nonvolatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, a computer program, and a database. The internal memory provides an environment for the operation of an operating system and computer programs in the non-volatile storage medium. The database of the computer equipment is used for storing data such as a preset division table, a built-in risk calculation model and the like. The network interface of the computer device is used for communicating with an external terminal through a network connection. The computer program is executed by a processor to implement an information system asset security risk assessment device method.
Those skilled in the art will appreciate that the architecture shown in fig. 5 is merely a block diagram of some of the structures associated with the disclosed aspects and is not intended to limit the computing devices to which the disclosed aspects apply, as particular computing devices may include more or less components than those shown, or may combine certain components, or have a different arrangement of components.
In one embodiment, a computer device is provided, comprising a memory and a processor, the memory having a computer program stored therein, the processor implementing the following steps when executing the computer program:
acquiring asset safety risk data in a safety domain;
analyzing asset safety risk data, and acquiring the risk possibility and influence of the asset;
constructing a risk matrix according to the risk possibility and the influence of the assets;
and carrying out asset safety risk assessment according to the risk matrix.
In one embodiment, the processor, when executing the computer program, further performs the steps of:
according to the risk matrix, obtaining value dimension data, fragile dimension data and threat dimension data corresponding to the assets; calculating an asset security risk value according to value dimension data, fragile dimension data and threat dimension data corresponding to the asset; and carrying out asset safety risk assessment according to the asset safety risk value.
In one embodiment, the processor, when executing the computer program, further performs the steps of:
analyzing and acquiring a value grade, a weak point value, a threat severity grade and a threat frequency corresponding to the asset according to the value dimension data, the weak dimension data and the threat dimension data corresponding to the asset; and calculating the product of the value grade, the weak point value, the threat severity grade and the threat frequency corresponding to the asset to obtain the asset security risk value.
In one embodiment, the processor, when executing the computer program, further performs the steps of:
acquiring a preset value grade division table; and obtaining the value grade corresponding to the asset according to the preset value grade division table and the value corresponding to the asset.
In one embodiment, the processor, when executing the computer program, further performs the steps of:
according to the vulnerability corresponding to the asset, extracting the total vulnerability number of the asset and the severity level of each vulnerability, and counting the vulnerability number corresponding to the vulnerability severity level; and calculating a weighted average value of the vulnerability severity levels to obtain a vulnerability value, wherein the weighted value of the vulnerability severity levels is positively correlated with the number of vulnerabilities corresponding to the vulnerability severity levels.
In one embodiment, the processor, when executing the computer program, further performs the steps of:
extracting the total number of threats of the assets and the threat influence level corresponding to each threat according to the threats corresponding to the assets, and counting the number of threats corresponding to each threat influence level; and calculating a weighted average value of the threat influence levels to obtain a threat severity level, wherein the weighted value of the threat influence levels is positively correlated with the number of threats corresponding to the threat influence levels.
In one embodiment, the processor, when executing the computer program, further performs the steps of:
importing the asset risk assessment result into a preset risk assessment report template to generate a risk assessment report; and pushing a risk assessment report.
In one embodiment, a computer-readable storage medium is provided, having a computer program stored thereon, which when executed by a processor, performs the steps of:
acquiring asset safety risk data in a safety domain;
analyzing asset safety risk data, and acquiring the risk possibility and influence of the asset;
constructing a risk matrix according to the risk possibility and the influence of the assets;
and carrying out asset safety risk assessment according to the risk matrix.
In one embodiment, the computer program when executed by the processor further performs the steps of:
according to the risk matrix, obtaining value dimension data, fragile dimension data and threat dimension data corresponding to the assets; calculating an asset security risk value according to value dimension data, fragile dimension data and threat dimension data corresponding to the asset; and carrying out asset safety risk assessment according to the asset safety risk value.
In one embodiment, the computer program when executed by the processor further performs the steps of:
analyzing and acquiring a value grade, a weak point value, a threat severity grade and a threat frequency corresponding to the asset according to the value dimension data, the weak dimension data and the threat dimension data corresponding to the asset; and calculating the product of the value grade, the weak point value, the threat severity grade and the threat frequency corresponding to the asset to obtain the asset security risk value.
In one embodiment, the computer program when executed by the processor further performs the steps of:
acquiring a preset value grade division table; and obtaining the value grade corresponding to the asset according to the preset value grade division table and the value corresponding to the asset.
In one embodiment, the computer program when executed by the processor further performs the steps of:
according to the vulnerability corresponding to the asset, extracting the total vulnerability number of the asset and the severity level of each vulnerability, and counting the vulnerability number corresponding to the vulnerability severity level; and calculating a weighted average value of the vulnerability severity levels to obtain a vulnerability value, wherein the weighted value of the vulnerability severity levels is positively correlated with the number of vulnerabilities corresponding to the vulnerability severity levels.
In one embodiment, the computer program when executed by the processor further performs the steps of:
extracting the total number of threats of the assets and the threat influence level corresponding to each threat according to the threats corresponding to the assets, and counting the number of threats corresponding to each threat influence level; and calculating a weighted average value of the threat influence levels to obtain a threat severity level, wherein the weighted value of the threat influence levels is positively correlated with the number of threats corresponding to the threat influence levels.
In one embodiment, the computer program when executed by the processor further performs the steps of:
importing the asset risk assessment result into a preset risk assessment report template to generate a risk assessment report; and pushing a risk assessment report.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by hardware instructions of a computer program, which can be stored in a non-volatile computer-readable storage medium, and when executed, can include the processes of the embodiments of the methods described above. Any reference to memory, storage, database or other medium used in the embodiments provided herein can include at least one of non-volatile and volatile memory. Non-volatile Memory may include Read-Only Memory (ROM), magnetic tape, floppy disk, flash Memory, optical storage, or the like. Volatile Memory can include Random Access Memory (RAM) or external cache Memory. By way of illustration and not limitation, RAM can take many forms, such as Static Random Access Memory (SRAM) or Dynamic Random Access Memory (DRAM), among others.
The technical features of the above embodiments can be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the above embodiments are not described, but should be considered as the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
The above examples only express several embodiments of the present application, and the description thereof is more specific and detailed, but not construed as limiting the scope of the invention. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the concept of the present application, which falls within the scope of protection of the present application. Therefore, the protection scope of the present patent shall be subject to the appended claims.

Claims (10)

1. An information system asset security risk assessment method, the method comprising:
acquiring asset safety risk data in a safety domain;
analyzing asset safety risk data, and acquiring the risk possibility and influence of the asset;
constructing a risk matrix according to the risk possibility and the influence of the assets;
and carrying out asset safety risk assessment according to the risk matrix.
2. The method of claim 1, wherein said assessing asset security risk according to said risk matrix comprises:
acquiring value dimensional data, fragile dimensional data and threat dimensional data corresponding to the assets according to the risk matrix;
calculating an asset security risk value according to the value dimension data, the fragile dimension data and the threat dimension data corresponding to the asset;
and carrying out asset safety risk assessment according to the asset safety risk value.
3. The method of claim 2, wherein computing an asset security risk value based on the asset's corresponding value dimensional data, vulnerability dimensional data, and threat dimensional data comprises:
analyzing and acquiring a value grade, a weak point value, a threat severity grade and a threat frequency corresponding to the asset according to the value dimension data, the weak dimension data and the threat dimension data corresponding to the asset;
and calculating the product of the value grade, the weak point value, the threat severity grade and the threat frequency corresponding to the asset to obtain the asset security risk value.
4. The method of claim 3, further comprising:
acquiring a preset value grade division table;
and obtaining the value grade corresponding to the asset according to the preset value grade division table and the value corresponding to the asset.
5. The method of claim 3, further comprising:
according to the vulnerability corresponding to the asset, extracting the total vulnerability number of the asset and the severity level of each vulnerability, and counting the vulnerability number corresponding to the vulnerability severity level;
and calculating the weighted average value of the vulnerability severity grade to obtain a vulnerability value, wherein the weighted value of the vulnerability severity grade is positively correlated with the number of vulnerabilities corresponding to the vulnerability severity grade.
6. The method of claim 3, further comprising:
extracting the total number of threats of the assets and the threat influence level corresponding to each threat according to the threats corresponding to the assets, and counting the number of threats corresponding to each threat influence level;
and calculating a weighted average value of the threat influence levels to obtain a threat severity level, wherein the weighted value of the threat influence levels is positively correlated with the number of threats corresponding to the threat influence levels.
7. The method of claim 1, further comprising, after the asset security risk assessment according to the risk matrix:
importing the asset risk assessment result into a preset risk assessment report template to generate a risk assessment report;
and pushing the risk assessment report.
8. An information system asset security risk assessment apparatus, the apparatus comprising:
the data acquisition module is used for acquiring asset safety risk data in a safety domain;
the analysis module is used for analyzing the asset security risk data and acquiring the risk possibility and the influence of the asset;
the matrix construction module is used for constructing a risk matrix according to the risk possibility and the influence of the assets;
and the evaluation module is used for carrying out asset safety risk evaluation according to the risk matrix.
9. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor, when executing the computer program, implements the steps of the method of any of claims 1 to 7.
10. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the method of any one of claims 1 to 7.
CN202110858954.6A 2021-07-28 2021-07-28 Information system asset security risk assessment method and device Pending CN113553583A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110858954.6A CN113553583A (en) 2021-07-28 2021-07-28 Information system asset security risk assessment method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110858954.6A CN113553583A (en) 2021-07-28 2021-07-28 Information system asset security risk assessment method and device

Publications (1)

Publication Number Publication Date
CN113553583A true CN113553583A (en) 2021-10-26

Family

ID=78104766

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110858954.6A Pending CN113553583A (en) 2021-07-28 2021-07-28 Information system asset security risk assessment method and device

Country Status (1)

Country Link
CN (1) CN113553583A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114070650A (en) * 2022-01-11 2022-02-18 浙江国利网安科技有限公司 Network asset evaluation method and device, electronic equipment and readable storage medium
CN114707599A (en) * 2022-04-01 2022-07-05 北京国信网联科技有限公司 Intelligent classification and grading system for information asset visual management method library
CN116777220A (en) * 2023-07-06 2023-09-19 北京睿智融科控股股份有限公司 Enterprise wind control management method and system

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20160004791A (en) * 2014-07-04 2016-01-13 (주)비트러스트 System and method for evaluating risk of information assets
CN105844169A (en) * 2015-01-15 2016-08-10 中国移动通信集团安徽有限公司 Method and device for information safety metrics
CN106790198A (en) * 2016-12-30 2017-05-31 北京神州绿盟信息安全科技股份有限公司 A kind of method for evaluating information system risk and system
CN112508435A (en) * 2020-12-17 2021-03-16 国家工业信息安全发展研究中心 Information system security risk assessment method, device, equipment and storage medium

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20160004791A (en) * 2014-07-04 2016-01-13 (주)비트러스트 System and method for evaluating risk of information assets
CN105844169A (en) * 2015-01-15 2016-08-10 中国移动通信集团安徽有限公司 Method and device for information safety metrics
CN106790198A (en) * 2016-12-30 2017-05-31 北京神州绿盟信息安全科技股份有限公司 A kind of method for evaluating information system risk and system
CN112508435A (en) * 2020-12-17 2021-03-16 国家工业信息安全发展研究中心 Information system security risk assessment method, device, equipment and storage medium

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
孙大跃,江代有: "《高速公路网络工程技术》", 31 October 2001, 人民交通出版社, pages: 97 - 98 *
黄水清等: "一种内部网络信息安全风险评估模型及技术实现", 《信息系统》, vol. 33, no. 2, 28 February 2010 (2010-02-28), pages 107 - 108 *

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114070650A (en) * 2022-01-11 2022-02-18 浙江国利网安科技有限公司 Network asset evaluation method and device, electronic equipment and readable storage medium
CN114707599A (en) * 2022-04-01 2022-07-05 北京国信网联科技有限公司 Intelligent classification and grading system for information asset visual management method library
CN116777220A (en) * 2023-07-06 2023-09-19 北京睿智融科控股股份有限公司 Enterprise wind control management method and system
CN116777220B (en) * 2023-07-06 2023-12-08 北京睿智融科控股股份有限公司 Enterprise wind control management method and system

Similar Documents

Publication Publication Date Title
CN108876133B (en) Risk assessment processing method, device, server and medium based on business information
US20180137288A1 (en) System and method for modeling security threats to prioritize threat remediation scheduling
CN113553583A (en) Information system asset security risk assessment method and device
JP2017091515A (en) Computer-implemented system and method for automatically identifying attributes for anonymization
CN112508435A (en) Information system security risk assessment method, device, equipment and storage medium
US11386224B2 (en) Method and system for managing personal digital identifiers of a user in a plurality of data elements
CN108876188B (en) Inter-connected service provider risk assessment method and device
CN112132676A (en) Method and device for determining contribution degree of joint training target model and terminal equipment
CN114186275A (en) Privacy protection method and device, computer equipment and storage medium
CN114003920A (en) Security assessment method and device for system data, storage medium and electronic equipment
CN114693192A (en) Wind control decision method and device, computer equipment and storage medium
CN112819611A (en) Fraud identification method, device, electronic equipment and computer-readable storage medium
CN113065748A (en) Business risk assessment method, device, equipment and storage medium
CN116720194A (en) Method and system for evaluating data security risk
CN114817518B (en) License handling method, system and medium based on big data archive identification
US20200021496A1 (en) Method, apparatus, and computer-readable medium for data breach simulation and impact analysis in a computer network
CN115879819A (en) Enterprise credit evaluation method and device
CN115225359A (en) Honeypot data tracing method and device, computer equipment and storage medium
CN113190200B (en) Exhibition data security protection method and device
CN112669039B (en) Knowledge graph-based customer risk management and control system and method
CN114862212A (en) Internet asset management method and device, electronic equipment and storage medium
CN113723522B (en) Abnormal user identification method and device, electronic equipment and storage medium
US20230300163A1 (en) Generalized identity module
Kubigenova et al. Prospects for Information Security in Big Data Technology
KR102471731B1 (en) A method of managing network security for users

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Country or region after: China

Address after: 510000 No. 11 Kexiang Road, Science City, Luogang District, Guangzhou City, Guangdong Province

Applicant after: CHINA SOUTHERN POWER GRID Co.,Ltd.

Applicant after: Southern Power Grid Digital Grid Research Institute Co.,Ltd.

Address before: 510000 No. 11 Kexiang Road, Science City, Luogang District, Guangzhou City, Guangdong Province

Applicant before: CHINA SOUTHERN POWER GRID Co.,Ltd.

Country or region before: China

Applicant before: Southern Power Grid Digital Grid Research Institute Co.,Ltd.

CB02 Change of applicant information
TA01 Transfer of patent application right

Effective date of registration: 20240325

Address after: 510623 No.11 Kexiang Road, Science City, Huangpu District, Guangzhou City, Guangdong Province

Applicant after: CHINA SOUTHERN POWER GRID Co.,Ltd.

Country or region after: China

Applicant after: China Southern Power Grid Digital Power Grid Group Information Communication Technology Co.,Ltd.

Address before: 510000 No. 11 Kexiang Road, Science City, Luogang District, Guangzhou City, Guangdong Province

Applicant before: CHINA SOUTHERN POWER GRID Co.,Ltd.

Country or region before: China

Applicant before: Southern Power Grid Digital Grid Research Institute Co.,Ltd.

TA01 Transfer of patent application right