CN116720194A - Method and system for evaluating data security risk - Google Patents


Info

Publication number
CN116720194A
Authority
CN
China
Prior art keywords
data
occurrence
data security
security threat
vulnerability
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310700769.3A
Other languages
Chinese (zh)
Inventor
刘韧
丁晓桐
刘军
隋子鹏
丁鲁彬
陈杰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Zhuozhi Network Security Technology Co ltd
Original Assignee
Beijing Zhuozhi Network Security Technology Co ltd
Events
Application filed by Beijing Zhuozhi Network Security Technology Co ltd
Priority to CN202310700769.3A
Publication of CN116720194A
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F 21/577 Assessing vulnerabilities and evaluating computer system security
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/60 Protecting data

Abstract

The invention relates to a method and a system for evaluating data security risk, wherein the method comprises the following steps: identifying data assets and data processing activities, and obtaining the importance of the data assets; identifying data security threats and judging the occurrence frequency of the data security threats; identifying and analyzing data vulnerability and obtaining a data vulnerability result; acquiring the loss caused by occurrence of a data security threat and the possibility of occurrence of the data security threat based on the importance of the data asset, the occurrence frequency of the data security threat and the data vulnerability result; and calculating, based on the loss caused by the occurrence of the data security threat and the possibility of the occurrence of the data security threat, a comprehensive risk value, thereby completing the data security risk evaluation. The invention centers on data security threats and combines the business with the data to achieve a multi-element analysis.

Description

Method and system for evaluating data security risk
Technical Field
The invention relates to the technical field of data security, in particular to a method and a system for evaluating data security risks.
Background
Data is one of the most important assets of an enterprise, and the business of the enterprise often involves a large amount of sensitive information and data, such as customer information, business data, financial data, etc., which if revealed or obtained, will cause huge loss to the enterprise, even cause bankruptcy of the enterprise. Therefore, data security is a core issue that must be appreciated in enterprise business operations, and security of digital assets must be ensured to avoid risks of data leakage, theft, or loss. Through the risk assessment activities of data security, threats that may cause data security problems may be identified and prevented.
The existing risk assessment method targets information security, takes asset identification and vulnerability as its core, and the object of information security risk assessment is an information system. Data, however, has a flow attribute: the mobility of data is the main basis for realizing personalized data applications, and data is valuable only in combination with the business, so the business attribute must be considered when evaluating data security. This is why the current information security risk assessment method cannot carry out data security risk assessment.
In the aspect of data security, telecommunication network and Internet data security evaluation standards have been published. They evaluate the compliance of the safeguards that enterprises apply in each data processing activity and in the platforms bearing the data; from the aspects of general management and full life cycle management, they explicitly evaluate the important management measures, key technical measures and judgment standards related to each index item, and clearly determine the compliance baseline of the evaluated item. What is lacking is a method for quantitatively analyzing key elements such as data, threat and vulnerability and calculating a risk value.
An issued patent for data security is: a method, apparatus, medium and electronic device for data security risk assessment (application number: 202211284352.5). That patent provides a data security risk assessment method, an assignment method for each stage of the assessment and a risk assessment formula, and solves the shortage of data security risk assessment methods to a certain extent. Its method is to judge the importance degree of the data resource and the life cycle of the data after the data resource is obtained, then comb out the loss value that a vulnerability can cause and the probability of threat occurrence, and calculate the security risk value from the loss value and the probability value.
Disclosure of Invention
The invention aims to provide a data security risk assessment method and system that center on data security threats and combine business and data for a multi-element analysis.
In order to achieve the above object, the present invention provides the following solutions:
a method of data security risk assessment, comprising:
identifying data assets and data processing activities, and obtaining importance of the data assets;
identifying data security threats and judging the occurrence frequency of the data security threats;
identifying and analyzing data vulnerability and obtaining a data vulnerability result;
acquiring loss caused by occurrence of data security threat and possibility of occurrence of the data security threat based on the importance of the data asset, the occurrence frequency of the data security threat and the data vulnerability result;
and calculating based on the loss caused by the occurrence of the data security threat and the possibility of the occurrence of the data security threat, obtaining a comprehensive risk value, and finishing the risk evaluation of the data security.
Preferably, obtaining the data asset importance comprises:
identifying the data assets and data processing activities, classifying and grading the data assets, and determining the importance of the data assets by utilizing a data asset importance matrix according to the classification and grading results of the data assets; the data assets comprise business fields, responsibility departments, description objects, upstream and downstream links, data main bodies, data purposes, data processing and data sources; the data processing activities include data acquisition, data transmission, data storage, data processing, data exchange, and data destruction.
Preferably, determining the frequency of occurrence of the data security threat includes:
and identifying the data security threat, and judging the occurrence frequency of the data security threat by combining the classification result and the business scene of the data asset, wherein the data security threat comprises data theft, data abuse, data misuse and data tampering.
Preferably, the calculation formula of the data security threat occurrence frequency is as follows:
where Fs represents the frequency of occurrence of data theft, Fa represents the frequency of occurrence of data abuse, Fm represents the frequency of occurrence of data misuse, Fd represents the frequency of occurrence of data tampering, and I represents the importance of the data asset.
Preferably, obtaining the data vulnerability result comprises:
and judging the severity of the vulnerability and the compliance of the data processing activity based on the vulnerability, the existing safety measures and the preset evaluation standard, and carrying out weighted average calculation on the severity of the vulnerability and the compliance of the data processing activity to obtain the data vulnerability result.
Preferably, the formula for calculating a weighted average of the severity of the vulnerability and the compliance of the data processing activity is:
V = ((Sv - Em) * Wv + C * Wc) / (Wv + Wc)
where V represents the function that calculates vulnerability, Sv represents the severity of the vulnerability, Em represents an existing security measure, Wv represents the weight of the severity of the vulnerability, C represents the compliance of the data processing activity, and Wc represents the weight of the compliance of the data processing activity.
Preferably, acquiring the loss caused by the occurrence of the data security threat comprises:
analyzing the data security threat by a matrix method, wherein the data security threat acts on the data asset through a risk source and thereby causes the loss resulting from the occurrence of the data security threat; the formula is as follows:
loss caused by data security threat = L(A, Rs)
where A represents the importance of the data asset, Rs represents the degree of influence of the risk source of the data processing activity, and L represents the calculation function of the loss caused by the data security threat.
Preferably, acquiring the possibility of occurrence of the data security threat comprises:
analyzing, by a matrix method, the possibility that the data security threat occurs through a risk source; the formula is as follows:
possibility of data security threat occurrence = P(Rs, T)
where Rs represents the degree of influence of the risk source of the data processing activity, T represents the occurrence frequency of the data security threat, and P represents the calculation function of the occurrence probability of the data security threat.
Preferably, obtaining the integrated risk value includes:
based on the loss caused by the occurrence of the data security threat and the possibility of the occurrence of the data security threat, respectively calculating risk values of different data assets in different business scenes, carrying out weighted average on the risk values of all the data assets in all the business scenes, and obtaining the comprehensive risk value, wherein the formula is as follows:
evaluation range total risk value = Σ(Ra × I) / ΣI
where Ra represents the data asset risk level and I represents the data asset importance level.
In order to further optimize the technical scheme, the invention also provides a system for evaluating data security risk, which comprises:
an asset identification module for identifying data assets and data processing activities and calculating data asset importance;
the threat identification module is used for identifying data security threats and judging the occurrence frequency of the data security threats;
the vulnerability identification module is used for identifying and analyzing the data vulnerability and acquiring a data vulnerability result;
and the risk analysis module is used for calculating the loss caused by the occurrence of the data security threat and the possibility of the occurrence of the data security threat and acquiring a data security risk value.
The beneficial effects of the invention are as follows:
the data security assessment method provided by the invention takes the data asset and the data processing activity as the objects of identification and takes the data as the main body of the risk analysis, so the assessed object is data plus business flow. Business and data can therefore be combined: data is classified according to the attributes of the business it belongs to and graded according to its importance and hazard degree, which realizes the judgment of data asset importance and overcomes the shortcomings of current data security risk assessment methods in the aspects of business and compliance.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions of the prior art, the drawings that are needed in the embodiments will be briefly described below, it being obvious that the drawings in the following description are only some embodiments of the present invention, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flow chart of a method for evaluating data security risk according to an embodiment of the present invention;
fig. 2 is a block diagram of a system for data security risk assessment according to an embodiment of the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
In order that the above-recited objects, features and advantages of the present invention will become more readily apparent, a more particular description of the invention will be rendered by reference to the appended drawings and appended detailed description.
The embodiment provides a method for evaluating data security risk, as shown in fig. 1, including:
S1, identifying data assets and data processing activities and obtaining the importance of the data assets
The elements that need to be identified in the data asset identification process are: business field, responsibility department, description object, upstream and downstream links, data main body, data usage, data processing and data source.
(1) Business field: carrying out refinement classification according to the service range or service type;
(2) Responsibility department: classifying according to a data management department or a responsibility division;
(3) Description object: carrying out refinement classification according to the data description object;
(4) Upstream and downstream links: performing refinement classification according to the upstream and downstream links of the business operation activities;
(5) Data subject: classifying according to the content subject of the data;
(6) Data use: carrying out refinement classification according to the data use purpose;
(7) Data processing: performing refinement classification according to the type of the data processor or the data processing activity;
(8) Data sources: carrying out refinement classification according to data sources;
data processing activity element identification: in a processing activity, data flows from one processing element to another. The elements that an enterprise may involve in conducting business related to data processing are: data acquisition, data transmission, data storage, data processing, data exchange and data destruction.
After the data asset and data processing activity are acquired, the data is classified and graded according to the principles of scientific practicality, clear boundaries, high definition, point-to-surface combination and dynamic update.
Data classification basic flow: determining the industry field related to the data processor business; classifying data collected and generated in the operation process of the business according to data classification rules in the industry field to which the business belongs; identifying whether a preset evaluation standard (such as laws and regulations) exists or not or whether a data class with special management requirements is provided by a management and supervision department, and distinguishing and identifying personal information and sensitive personal information; if data types not covered by the industry field data classification rules exist, the data can be classified from the organization management perspective in combination with own data management and use.
According to the implementation of the data classification flow, the data are divided into: user data, business data, administration data, system operation and security data.
Data grading basic flow: determining the grading object; identifying the grading elements; analyzing the data influence; determining the level comprehensively.
The data is graded into levels from low to high according to the degree of damage that would be caused to social stability, public interests, or the legal interests of individuals and organizations if the data were leaked, tampered with, destroyed, or illegally obtained and used, as shown in Table 2.
The importance of the data asset is determined in a data asset importance matrix based on the classification result of the data asset; the data asset importance matrix is shown in Table 1. The importance of data assets of different data types in different business scenes is obtained according to the business scenes corresponding to the data classification results; the importance degree is then read off the data asset importance degree classification table, forming a data asset importance record table as shown in Table 3.
Table 1
Table 2
Table 3
S2, judging the occurrence frequency of threats to the data asset
Data security threats are classified into: data theft, data abuse, data misuse and data tampering. Data theft refers to an attacker illegally acquiring the sensitive information or data of others; an attacker may obtain information or data through hacking, social engineering, etc., resulting in disclosure of personal privacy, business secrets, or other sensitive information. Data abuse refers to the unauthorized use of data, e.g., an organization collecting unnecessary user data and selling it to third parties, resulting in leakage of personal privacy. Data misuse refers to the intent or interpretation of data being incorrect when the data is analyzed or processed, resulting in misleading or fraudulent conclusions, e.g., data being erroneously referenced in a study report, resulting in inaccurate conclusions. Data tampering refers to malicious changes to data for the purpose of deception or destruction, for example modifying data or changing system configuration files with a Trojan, or obtaining an administrator account by social engineering and tampering with data.
In the step of identifying and judging the occurrence frequency of data security threats, the occurrence frequency is judged by combining the data classification result and the business scene. According to the data classification result and the data type, the possible occurrence frequency of each data security threat in the current scene is listed item by item per business scene, and finally the occurrence frequency of data security threats for different types of data in different scenes is obtained by calculation. The occurrence frequency assignment of the different data security threats refers to the data security threat occurrence frequency table in Table 4.
The calculation formula of the data security threat occurrence frequency is as follows: data security threat occurrence frequency = T(frequency of occurrence of data theft, frequency of occurrence of data abuse, frequency of occurrence of data misuse, frequency of occurrence of data tampering, importance of the data asset) = T(Fs, Fa, Fm, Fd, I), where Fs is the frequency of occurrence of data theft, Fa is the frequency of occurrence of data abuse, Fm is the frequency of occurrence of data misuse, Fd is the frequency of occurrence of data tampering, and I is the importance of the data asset.
Table 4
S3, identifying vulnerability, existing security measures and preset evaluation criteria (such as laws and regulations), and carrying out vulnerability analysis, which comprises the severity of the vulnerability and the compliance of the data processing activities.
(1) Compliance with data processing activities
Data security compliance analysis is the basis of enterprise or organization data security: the preset evaluation standards and the organization's own situation must be studied and analyzed systematically, and corresponding security management strategies and plans made on that basis, so as to ensure the security and credibility of the data.
Compliance of data processing activities may take several aspects into account: compliance with the preset evaluation criteria (e.g., laws and regulations) of a country or region; compliance with the specifications and standards of different industries; and, combining the actual conditions of the enterprise or organization, formulating an appropriate security management strategy for factors such as business processes, data types and risk assessment.
The compliance influence degree of the data processing activity is determined from this analysis and judgment, i.e., the influence degree of any non-compliant activity present in the data processing activity; the specific content refers to the data processing activity compliance influence degree table in Table 5.
Table 5
(2) Identifying existing security measures
Identifying existing security measures means validating the effectiveness of the security measures the enterprise has taken; they can be divided into two kinds: preventive and protective.
The identified existing security measures are classified according to the degree and range to which they can reduce the vulnerability; the specific content refers to the existing security measure classification table in Table 6:
Table 6
(3) Severity of vulnerability
A vulnerability present in an application scene can be exploited by a data security threat to damage the confidentiality, integrity, availability and controllability of the data. When analyzing a vulnerability, the existing security measures must be considered at the same time: whether they can prevent the vulnerability from being exploited, or reduce the loss caused if it is exploited.
As in Table 7, vulnerabilities are categorized by severity:
Low-risk vulnerability: a low-level vulnerability generally has little impact on the system, such as a small problem that does not affect system stability or security. These vulnerabilities typically do not have a significant impact on the system, but still require timely repair.
Medium-risk vulnerability: a medium-level vulnerability generally has a greater impact on the system, such as one that may result in a system crash or data leakage. These vulnerabilities need to be repaired as soon as possible to avoid a greater impact on the system.
High-risk vulnerability: a high-level vulnerability generally has a very large impact on the system, such as one that may result in the system being fully controlled by an attacker. These vulnerabilities need to be repaired immediately to avoid a catastrophic impact on the system.
Critical vulnerability: a critical vulnerability typically has an extremely severe impact on the system, such as one that may result in system paralysis or complete theft of the data. These vulnerabilities need to be repaired immediately, and emergency measures taken to protect the security of the system.
Table 7
(4) Computing vulnerability
The vulnerability result is related to the severity of the vulnerability and the compliance of the data processing activity, and is obtained as a weighted average of the two, namely: vulnerability = V(severity of vulnerability, weight of severity of vulnerability, compliance of data processing activity, weight of compliance of data processing activity) = ((severity of vulnerability - existing security measure) × weight of severity of vulnerability + compliance of data processing activity × weight of compliance of data processing activity) / (weight of severity of vulnerability + weight of compliance of data processing activity) = ((Sv - Em) × Wv + C × Wc) / (Wv + Wc). Here V denotes the function computing vulnerability, Sv denotes the severity of the vulnerability, Em denotes an existing security measure, Wv denotes the weight of the severity of the vulnerability, C denotes the compliance of the data processing activity, and Wc denotes the weight of the compliance of the data processing activity. The recommended weights for the severity of the vulnerability and for the compliance of the data processing activity are 2 and 1, respectively.
S4, evaluating data risk
After the importance of the data asset, the threat occurrence frequency and the vulnerability have been calculated, a suitable method is used to determine the possibility that a data security threat occurs through a risk source and the loss caused when the data security threat acts on the data asset. The security risk is then judged by integrating the loss caused by the data security threat and the possibility of its occurrence.
(1) Calculating losses caused by data security threats
The loss caused by the data security threat is the result of comprehensively analyzing the influence degree of the data processing activity risk source and the importance of the data asset, and the calculation method adopted is a matrix method. Namely: loss caused by data security threat = L(data asset importance, data processing activity risk source influence degree) = L(A, Rs)
where A represents the importance of the data asset, Rs represents the degree of influence of the risk source of the data processing activity, and L represents the calculation function of the loss caused by the data security threat.
And comparing the data security threat loss matrix shown in the table 8 according to the importance of the data asset and the risk source of the data processing activity to determine the loss caused by the data security threat.
Table 8
After confirming the loss caused by the data security threat in the data security threat loss matrix, the loss is graded by the data threat loss grading table shown in Table 9.
Table 9
Data security threat loss value   1-6   7-12   13-18   19-23   24-25
Data threat loss level            1     2      3       4       5
(2) Calculating the probability of data security threat occurrence
The occurrence possibility of the data security threat is the result of comprehensively analyzing the influence degree of the data processing activity risk source and the occurrence frequency of the data security threat, and the calculation method adopted is a matrix method. Namely: possibility of data security threat occurrence = P(data processing activity risk source influence degree, data security threat occurrence frequency) = P(Rs, T)
where Rs represents the degree of influence of the risk source of the data processing activity, T represents the occurrence frequency of the data security threat, and P represents the calculation function of the occurrence probability of the data security threat.
The data security threat occurrence probability value is determined by looking up the data security threat occurrence probability matrix shown in Table 10 according to the influence degree of the data processing activity risk source and the occurrence frequency of the data security threat.
Table 10
After confirming the data security threat occurrence probability value in the data security threat occurrence probability matrix, the value is graded by the data security threat occurrence probability grading table shown in Table 11.
Table 11
Data threat occurrence probability value   1-6   7-12   13-18   19-23   24-25
Data threat occurrence probability level   1     2      3       4       5
(3) Calculating risk values
The risk value is calculated from the possibility of data security threat occurrence and the loss caused by the data threat obtained above, namely: risk value = R(likelihood of data security threat occurrence, loss caused by data security threat)
The data security threat risk value is determined by looking up the security risk matrix shown in Table 12 according to the possibility of occurrence of the data security threat and the loss caused by it.
Table 12
After confirming the security risk value in the security risk matrix, the final security risk level is determined by the security risk level division table shown in Table 13.
Table 13
Risk value   1-6   7-12   13-18   19-23   24-25
Risk level   1     2      3       4       5
The final result is a risk value for each data item in each business; with the importance degree of the data asset as weight, the weighted average of the business scene risks of all assets is calculated as the evaluation range total risk value. Evaluation range total risk value = Σ(Ra × I) / ΣI, where Ra represents the data asset risk level and I represents the data asset importance level. The results are shown in Table 14.
Table 14
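The following Python example is added here to work the S3 vulnerability formula and the whole S4 pipeline (loss matrix, possibility matrix, risk matrix, the three grading tables, and the importance-weighted total) end to end; it is not code from the patent or its assignee. The cells of Tables 8, 10 and 12 are not reproduced on this page, so the example assumes a stand-in 5x5 matrix whose cell is the product of its two inputs (which gives the 1..25 range the grading tables expect); the page also does not state how the vulnerability result V maps onto the risk-source influence Rs, so Rs is taken as a direct input. The scenario data is constructed for illustration.

```python
from dataclasses import dataclass
from typing import Iterable

# Grading bands shared by the page's Table 9 (loss), Table 11 (possibility)
# and Table 13 (risk): (matrix value low, matrix value high, level).
GRADE_BANDS = ((1, 6, 1), (7, 12, 2), (13, 18, 3), (19, 23, 4), (24, 25, 5))


def grade(value: int) -> int:
    """Map a 1..25 matrix value to a 1..5 level using the page's band tables."""
    for low, high, level in GRADE_BANDS:
        if low <= value <= high:
            return level
    raise ValueError(f"matrix value {value} is outside 1..25")


def vulnerability(sv: float, em: float, c: float, wv: float = 2, wc: float = 1) -> float:
    """V = ((Sv - Em) * Wv + C * Wc) / (Wv + Wc), default weights 2 and 1 as recommended.

    Sv: vulnerability severity, Em: existing security measure, C: compliance of the
    data processing activity. Em offsets severity before weighting, so an effective
    control lowers V even when the raw severity is high.
    """
    if wv + wc <= 0:
        raise ValueError("weights must sum to a positive number")
    return ((sv - em) * wv + c * wc) / (wv + wc)


def matrix_lookup(row: int, col: int) -> int:
    """Stand-in for Tables 8, 10 and 12, whose cells are not given on the page.

    ASSUMPTION: a 5x5 matrix whose cell is the product of its two 1..5 inputs.
    Replace with the real matrices when applying the method.
    """
    if not (1 <= row <= 5 and 1 <= col <= 5):
        raise ValueError("matrix inputs must be levels 1..5")
    return row * col


def threat_loss(a: int, rs: int) -> int:
    """L(A, Rs): loss matrix keyed by asset importance and risk-source influence."""
    return matrix_lookup(a, rs)


def threat_possibility(rs: int, t: int) -> int:
    """P(Rs, T): possibility matrix keyed by risk-source influence and threat frequency."""
    return matrix_lookup(rs, t)


def risk_value(possibility_level: int, loss_level: int) -> int:
    """R(possibility, loss): security risk matrix keyed by the two graded levels."""
    return matrix_lookup(possibility_level, loss_level)


@dataclass(frozen=True)
class Scenario:
    """One data asset in one business scene; all inputs are 1..5 levels."""
    asset: str
    scene: str
    importance: int   # I, from the data asset importance matrix (Table 1)
    rs: int           # degree of influence of the data processing activity risk source
    t: int            # data security threat occurrence frequency (Table 4)


def assess(s: Scenario) -> int:
    """Run S4 steps (1)-(3): loss -> grade, possibility -> grade, risk -> grade."""
    loss_level = grade(threat_loss(s.importance, s.rs))
    possibility_level = grade(threat_possibility(s.rs, s.t))
    return grade(risk_value(possibility_level, loss_level))


def total_risk(scenarios: Iterable[Scenario]) -> float:
    """Evaluation range total risk value = sum(Ra * I) / sum(I) over all scenarios."""
    scenarios = list(scenarios)
    weight_sum = sum(s.importance for s in scenarios)
    if weight_sum == 0:
        raise ValueError("no scenarios to weight")
    return sum(assess(s) * s.importance for s in scenarios) / weight_sum


# Constructed sample (not from the page): two assets in two business scenes.
SAMPLE = [
    Scenario("customer PII", "marketing export", importance=4, rs=3, t=5),
    Scenario("payment records", "settlement batch", importance=5, rs=5, t=5),
]

if __name__ == "__main__":
    print("V example:", vulnerability(sv=4, em=1, c=3))
    for s in SAMPLE:
        print(f"{s.asset} / {s.scene}: risk level {assess(s)}")
    print("total risk value:", round(total_risk(SAMPLE), 3))
```

Note that grading happens between the matrix steps, so the first scenario lands at level 1 even though its raw loss and possibility values are mid-range; with the real Tables 8, 10 and 12 the cell values will differ, but the grading and weighting logic stays the same.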
In order to further optimize the technical solution, this embodiment further provides a system for evaluating data security risk, as shown in fig. 2, comprising an asset identification module, a threat identification module, a vulnerability identification module and a risk analysis module:
an asset identification module for identifying data assets and data processing activities and calculating data asset importance;
the threat identification module is used for identifying data security threats and judging the occurrence frequency of the data security threats;
the vulnerability identification module is used for identifying and analyzing the data vulnerability and acquiring a data vulnerability result;
and the risk analysis module is used for calculating the loss caused by the occurrence of the data security threat and the possibility of the occurrence of the data security threat and acquiring a data security risk value.
The above embodiments are merely illustrative of the preferred embodiments of the present invention, and the scope of the present invention is not limited thereto, but various modifications and improvements made by those skilled in the art to which the present invention pertains are made without departing from the spirit of the present invention, and all modifications and improvements fall within the scope of the present invention as defined in the appended claims.

Claims (10)

1. A method of data security risk assessment, comprising:
identifying data assets and data processing activities, and obtaining importance of the data assets;
identifying data security threats and judging the occurrence frequency of the data security threats;
identifying and analyzing data vulnerability and obtaining a data vulnerability result;
acquiring loss caused by occurrence of data security threat and possibility of occurrence of the data security threat based on the importance of the data asset, the occurrence frequency of the data security threat and the data vulnerability result;
and calculating based on the loss caused by the occurrence of the data security threat and the possibility of the occurrence of the data security threat, obtaining a comprehensive risk value, and finishing the risk evaluation of the data security.
2. The method of data security risk assessment of claim 1, wherein obtaining the data asset importance comprises:
identifying the data assets and data processing activities, classifying and grading the data assets, and determining the importance of the data assets by utilizing a data asset importance matrix according to the classification and grading results of the data assets; the data assets comprise business fields, responsibility departments, description objects, upstream and downstream links, data main bodies, data purposes, data processing and data sources; the data processing activities include data acquisition, data transmission, data storage, data processing, data exchange, and data destruction.
3. The method of data security risk assessment according to claim 2, wherein determining the frequency of occurrence of data security threats comprises:
and identifying the data security threat, and judging the occurrence frequency of the data security threat by combining the classification result and the business scene of the data asset, wherein the data security threat comprises data theft, data abuse, data misuse and data tampering.
4. A method of data security risk assessment according to claim 3, wherein the frequency of occurrence of data security threats is calculated as:
where Fs represents the frequency of occurrence of data theft, Fa represents the frequency of occurrence of data abuse, Fm represents the frequency of occurrence of data misuse, Fd represents the frequency of occurrence of data tampering, and I represents the importance of the data asset.
5. The method of data security risk assessment of claim 1, wherein obtaining the data vulnerability result comprises:
and judging the severity of the vulnerability and the compliance of the data processing activity based on the vulnerability, the existing safety measures and the preset evaluation standard, and carrying out weighted average calculation on the severity of the vulnerability and the compliance of the data processing activity to obtain the data vulnerability result.
6. The method of claim 5, wherein the formula for weighted average calculation of the severity of the vulnerability and compliance of the data processing activity is:
V=((Sv-Em)*Wv+C*Wc)/(Wv+Wc)
where V represents the function that calculates vulnerability, Sv represents the severity of the vulnerability, Em represents the existing security measures, Wv represents the weight of the severity of the vulnerability, C represents the compliance of the data processing activity, and Wc represents the weight of the compliance of the data processing activity.
7. The method of claim 1, wherein acquiring the loss caused by the occurrence of the data security threat comprises:
analyzing the data security threat by adopting a matrix method, wherein the data security threat acts on the data asset through a risk source and thereby produces the loss caused by the occurrence of the data security threat, the formula being as follows:
loss caused by data security threat = L(A, Rs)
where A represents the importance of the data asset, Rs represents the degree of influence of the risk source of the data processing activity, and L represents the calculation function of the loss caused by the data security threat.
8. The method of data security risk assessment of claim 1, wherein obtaining a likelihood of occurrence of the data security threat comprises:
analyzing, by adopting a matrix method, the possibility that the data security threat occurs through a risk source, the formula being as follows:
possibility of data security threat occurrence = P(Rs, T)
Where Rs represents the degree of influence of a risk source of the data processing activity, T represents the occurrence frequency of the data security threat, and P represents a calculation function of the occurrence probability of the data security threat.
9. The method of data security risk assessment according to claim 1, wherein obtaining the integrated risk value comprises:
based on the loss caused by the occurrence of the data security threat and the possibility of the occurrence of the data security threat, respectively calculating risk values of different data assets in different business scenes, carrying out weighted average on the risk values of all the data assets in all the business scenes, and obtaining the comprehensive risk value, wherein the formula is as follows:
evaluation range overall risk value = Σ(Ra × I) / ΣI
Where Ra represents the data asset risk level and I represents the data asset importance level.
10. A system for data security risk assessment, comprising:
an asset identification module for identifying data assets and data processing activities and calculating data asset importance;
the threat identification module is used for identifying data security threats and judging the occurrence frequency of the data security threats;
the vulnerability identification module is used for identifying and analyzing the data vulnerability and acquiring a data vulnerability result;
and the risk analysis module is used for calculating the loss caused by the occurrence of the data security threat and the possibility of the occurrence of the data security threat and acquiring a data security risk value.
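A worked run of the claimed pipeline in Python, added here as an example and not the patent's own code. It takes from the claims only the vulnerability formula V (claim 6), the loss and likelihood matrix functions L(A, Rs) and P(Rs, T) (claims 7 and 8), the Table 13 level bands and the weighted overall risk Σ(Ra × I) / ΣI (claim 9); the 1..5 level scales, the ceil(x*y/5) stand-in for the matrices, the risk value as loss level times likelihood level, and the derivation of Rs from V are assumptions, since the patent's own matrices are not on this page.

```python
# Added worked example, not the patent's own code. From the claims: V (claim 6),
# L(A, Rs) and P(Rs, T) as matrix lookups (claims 7-8), Table 13 bands, and the
# weighted overall risk sum(Ra*I)/sum(I) (claim 9). Assumptions are marked.
import math

LEVEL_BANDS = [(1, 6, 1), (7, 12, 2), (13, 18, 3), (19, 23, 4), (24, 25, 5)]  # Table 13

def clamp_level(x):
    """Assumption: every scale in the method is an integer level 1..5."""
    return max(1, min(5, int(round(x))))

def vulnerability(sv, em, wv, c, wc):
    """Claim 6: V = ((Sv - Em) * Wv + C * Wc) / (Wv + Wc).
    Assumption: existing measures Em cannot push severity below 0."""
    if wv <= 0 or wc <= 0:
        raise ValueError("weights Wv and Wc must be positive")
    return (max(sv - em, 0) * wv + c * wc) / (wv + wc)

def matrix(x, y):
    """Assumed 5x5 matrix standing in for both L(A, Rs) and P(Rs, T):
    ceil(x*y/5) maps two 1..5 levels onto one 1..5 level."""
    return math.ceil(clamp_level(x) * clamp_level(y) / 5)

def risk_level(risk_value):
    """Table 13: map a risk value in 1..25 onto risk level 1..5."""
    for low, high, level in LEVEL_BANDS:
        if low <= risk_value <= high:
            return level
    raise ValueError(f"risk value {risk_value} outside Table 13 range 1..25")

def asset_risk(importance, threat_freq, sv, em, wv, c, wc):
    """One asset in one business scene -> (risk value, risk level)."""
    rs = clamp_level(vulnerability(sv, em, wv, c, wc))  # assumption: Rs from V
    loss = matrix(importance, rs)          # claim 7: L(A, Rs)
    likelihood = matrix(rs, threat_freq)   # claim 8: P(Rs, T)
    value = loss * likelihood              # assumption: risk matrix is L x P
    return value, risk_level(value)

def overall_risk(assets):
    """Claim 9: sum(Ra * I) / sum(I) over pairs (I importance, Ra risk level)."""
    total = sum(i for i, _ in assets)
    if total == 0:
        raise ValueError("no assets to evaluate")
    return sum(ra * i for i, ra in assets) / total

if __name__ == "__main__":
    # Constructed sample: two assets, each scored in one business scene.
    scored = [(5, asset_risk(5, 4, sv=5, em=1, wv=2, c=4, wc=1)[1]),
              (2, asset_risk(2, 2, sv=2, em=2, wv=2, c=1, wc=1)[1])]
    print(scored, overall_risk(scored))
```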
CN202310700769.3A 2023-06-14 2023-06-14 Method and system for evaluating data security risk Pending CN116720194A (en)

Publications (1)

Publication Number Publication Date
CN116720194A true CN116720194A (en) 2023-09-08


Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117350288A (en) * 2023-12-01 2024-01-05 浙商银行股份有限公司 Case matching-based network security operation auxiliary decision-making method, system and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination