基于STAMP模型的风险评估行为安全指标体系

摘要/Abstract

摘要： 现有的风险评估方法与模型在设计上未充分考虑风险评估行为本身对评估结果的影响，对风险评估的行为可能引入安全性风险的认识也存在较大不足。针对这个问题，首先建立风险评估行为STAMP模型，使用STPA分析方法对风险评估行为进行安全性分析，利用STAMP模型构建风险评估行为安全指标体系，并采用改进AHP方法筛选出重要指标因素。所提出的安全指标体系关注系统整体的涌现性而非单个组件的可靠性，根据造成系统安全事故发生或进入危险状态的原因，提供一种能够更加有效的构建安全指标体系的思路。

关键词: 信息系统, 风险评估, 安全指标体系, STAMP, STPA, 改进AHP算法

Abstract: The existing security risk assessment methods and models do not fully consider the impact of the risk assessment behavior itself on the assessment results, which is a big lack of understanding that the behavior of risk assessment may introduce security risk. In response to this problem, this paper first establishes a complete STAMP model of risk assessment behavior. On this basis, the STPA analysis method is used to conduct security analysis on risk assessment behavior, the STAMP theory is used to construct a risk assessment behavior security index system, and the improved AHP method is used to screen important index factors in the security index system. The proposed security index system focuses on the emergence of the system as a whole rather than the reliability of individual components. According to the reasons for the occurrence or danger of system safety accidents, it provides a more effective way of constructing a safety index system.

Key words: information system, risk assessment, security index, system-theoretic accident model and process(STAMP), system theoretic process analysis(STPA), improved AHP algorithm

王克克, 郭莉丽, 郎静宏 . 基于STAMP模型的风险评估行为安全指标体系[J]. 计算机工程与科学, 2022, 44(08): 1372-1381.

WANG Ke-ke, GUO Li-li, LANG Jing-hong. A security index system of security risk assessment behavior based on STAMP model[J]. Computer Engineering & Science, 2022, 44(08): 1372-1381.

参考文献［28］

［1］	Li Bin,Xie Feng,Chen Zhong.A business oriented risk assessment model［J］.Journal of Computer Research and Development,2011,48(9):1634-1642.(in Chinese)
［2］	Yan Qiang, Shu Hua-ying, Chen Zhong, et al.An object- oriented method for information system security evaluation［J］.Journal of Beijing University of Posts and Telecommunications,2005,28(4):69-73.(in Chinese)
［3］	Ghosh A K,McGraw G.An approach for certifying security in software components［C］∥Proc of the 21st NIST-NCSC National Information Systems Security Conference,1998:42-48.
［4］	Guo D F, Yang Y X, Hu Z M.Design of secure distributed intrusion detection systems［J］.The Journal of China Universities of Posts and Telecommunications,2002,9(2):17-24.
［5］	Moore A P,Ellison R J,Linger R C.Attack modeling for information security and survivability:Technical Note CMU/SEI-2001-TN-001［R］.Pittsburgh:Carnegie Mellon University,2001.
［6］	Mauw S, Oostdijk M.Foundations of attack trees［C］∥Proc of the 8th Annual International Conference on Information Security and Cryptology,2005:186-198.
［7］	Jha S,Sheyner O,Wing J.Two formal analyses of attack graphs［C］∥Proc of the 15th IEEE Computer Security Foundations Workshop,2002:45-59.
［8］	Jha S,Sheyner O,Wing J.Mini mization and reliability analyses of attack graphs:Technical Note CMU-CS-02-109［R］.Pittsburgh:Carnegie Mellon University,2002.
［9］	Sheyner O,Haines J,Jha S,et al.Automated generation and analysis of attack graphs［C］∥Proc of the IEEE Symposium on Security and Privacy,2002:273-284.
［10］	Sheyner O. Scenario graphs and attack graphs［D］. Pittsburgh:Carnegie Mellon University,2004.
［11］	Bodin L,Gordon L,Loeb M.Evaluating information security investments using the analytic hierarchy process［J］.Communications of the ACM,2005,48(2):79-83.
［12］	Chen Xiu-zhen, Zheng Qing-hua,Guan Xiao-hong,et al.Quantitative hierarchical threat evaluation model for network security［J］.Journal of Software,2006,17(4):885-897.(in Chinese)
［13］	Karabacak B, Sogukpinar I.ISRAM:Information security risk analysis method［J］.Computers & Security,2005,24(2):147-159.
［14］	Houmb S H, den Braber F,Lund M S,et al.Towards a UML profile for model-based risk assessment［C］∥Proc of UML Workshop on Critical Systems Development with UML,2002:79-82.
［15］	Ngai T,Wat F.Fuzzy decision support system for risk analysis in e-commerce development［J］.Decision Support Systems,2005,40(2):235-255.
［16］	Wang L Y,Singhal A,Jajodia S.Toward measuring network security using attack graphs［C］∥Proc of ACM Workshop on Quality of Protection,2007:49-54.
［17］	Phillips C, Swiler L P. A graph-based system for network- vulnerability analysis［C］∥Proc of Workshop on New Secu- rity Paradigms,1998:71-79.
［18］	Swiler L P,Phillips C,Ellis D,et al.Computer-attack graph generation tool［C］∥Proc of DARPA Information Survivability Conference & Exposition,2001:307-321.
［19］	Noel S,Jajodia S,Berry B,et al.Efficient minimum-cost network hardening via exploit dependency graphs［C］∥Proc of the 19th Annual Computer Security Application Conference,2003:86-95.
［20］	Duanmu Jing-shun.Theoretical methods of the aviation accident prediction,early-warning and prevention［M］.Beijing:National Defense Industry Press,2013.(in Chinese)
［21］	Zhang Xiao-yan, Han Song-chen,Yang Chang-qi. A fuzzy synthetic evaluation model for safety risk in air traffic control based on matter element analysis［J］.Journal of Transport Information and Safety,2016,34(4):50-56.(in Chinese)
［22］	Wang Yong-gang,Wang Yi-wei.Goal-oriented decomposition study of the airport safety and security based on the risk management［J］.Journal of Safety and Environment,2012,12(6):165-169.(in Chinese)
［23］	Liu Jun, Wu Hong-lan. Research on FCE-based flight safety risk assessment［J］. Civil Aviation Management,2017(9):60-65.(in Chinese)
［24］	Leveson N.Engineering a safer world:Systems thinking applied to safety［M］.Tang Tao, Niu Ru,translation. Beijing:National Defense Industry Press,2015.(in Chinese)
［25］	Chen Hao-ran,Cui Li-jie,Ren Bo,et al.Research on the construction of aircraft test flight safety index based on STAMP［J］.Fire Control & Command Control,2019,44(2):54-59.(in Chinese)
［26］	Fleming C H, Spencer M,Leveson N,et al.Safety assurance in NextGen:NASA/CR-2012-217553［R］.Hampton:National Aeronautics and Space Administration,Langley Research Center,2012.
［27］	Ouyang M, Liu H, Yu M H,et al.STAMP-based analysis on the railway accident and accident spreading:Taking the China—Jiaoji railway accident for example［J］.Safety Science,2010,48(5):544-555.
［28］	Li Ai-chen,Ma Jian-jun,Chi En-an,et al.Influence factors of open-pit blasting effect based on improved AHP［J］.Mining Research and Development,2019,39(10):5-10.(in Chinese)
	附中文参考文献：
［1］	李斌,谢丰,陈钟.一种面向业务的风险评估模型［J］.计算机研究与发展,2011,48(9):1634-1642.
［2］	闫强,舒华英,陈钟,等.一种面向对象的信息系统安全评估方法［J］.北京邮电大学学报,2005,28(4):69-73.
［12］	陈秀真,郑庆华,管晓宏,等.层次化网络安全威胁态势量化评估方法［J］.软件学报,2006,17(4):885-897.
［20］	端木京顺.航空事故预测预警预防理论方法［M］.北京：国防工业出版社,2013.
［21］	张晓燕,韩松臣,杨昌其.基于物元分析理论的空管安全风险模糊综合评价［J］.交通信息与安全,2016,34(4):50-56.
［22］	王永刚,王一苇.基于风险管理的机场安全目标分解研究［J］.安全与环境学报,2012,12(6):165-169.
［23］	刘军,吴红兰.基于模糊综合评价法的飞行安全风险评估研究［J］.民航管理,2017(9):60-65.
［24］	南希·莱文森.基于系统思维构筑安全系统［M］.唐涛，牛儒，译.北京：国防工业出版社,2015.
［25］	陈浩然,崔利杰,任博,等.基于STAMP的试飞安全指标体系构建方法［J］.火力与指挥控制,2019,44(2):54-59.
［28］	李爱陈,马建军,池恩安,等.基于改进AHP法的露天矿爆破效果影响因素分析［J］.矿业研究与开发,2019,39(10):5-10.

[1]	郭昊, 何小芸, 孙学洁, 陈红松, 刘周斌, 颉靖. 国家电网边缘计算应用安全风险评估研究[J]. 计算机工程与科学, 2020, 42(09): 1563-1571.
[2]	张瑞芝1,唐湘滟1,程杰仁1,2. 基于改进模糊C-均值聚类的DDoS攻击安全态势评估模型[J]. 计算机工程与科学, 2018, 40(11): 1957-1966.
[3]	李艳，黄光球，张斌. 基于攻击事件的动态网络风险评估框架[J]. 计算机工程与科学, 2016, 38(09): 1803-1811.
[4]	余定坤，王晋东，张恒巍，王娜，陈宇. 基于静态贝叶斯博弈的风险评估方法研究[J]. J4, 2015, 37(06): 1079-1086.
[5]	王娜1，张健2，王晋东1，张恒巍1. 单调指标空间在信息系统风险评估中的应用研究[J]. J4, 2015, 37(03): 486-491.
[6]	陈永艳，戴伟. 分层渗透深度下隐马尔科夫风险评估模型[J]. J4, 2014, 36(09): 1690-1696.
[7]	史姣丽. 基于模拟攻击的高校网络安全风险评估研究[J]. J4, 2012, 34(12): 51-55.
[8]	吴叶科1,宋如顺1,陈波2. 基于博弈论的综合赋权法的信息安全风险评估[J]. J4, 2011, 33(5): 9-13.
[9]	王淼，凌捷，郝彦军. 电子政务系统安全域划分技术的研究与应用[J]. J4, 2010, 32(8): 52-55.
[10]	陆琳琳，马鑫. 一种基于移动代理的网络安全联合风险评估系统模型[J]. J4, 2010, 32(5): 26-29.
[11]	刘春芬[1,2] 宣蕾[2] 王正华[2] 李旭峰[2]. 基于SVM的网络威胁频率预测算法研究[J]. J4, 2007, 29(5): 11-14.
[12]	吉勇李瑞轩. 基于模糊评判的多自治域风险关联评估算法[J]. J4, 2007, 29(12): 107-110.