Risk Analysis of Information System Security Based on Distance of Information-State Transition
ZHOU Chao, PAN Ping, MAO Xinyue, HUANG Liang
1. College of Computer Science and Technology, Guizhou University, Guiyang 550025, Guizhou, China; 2. Wuhan Second State Tax Inspectorate, Hubei Provincial Office, SAT, Wuhan 430021, Hubei, China
The configuration of an information system's security policy is directly related to information asset risk, and the configuration required by classified security protection ensures the optimal and minimum policy at the corresponding security level. Through a random survey of the information assets of multiple departments, this paper proposes the relative deviation distance of the security policy configuration as a risk measure parameter, based on the theory of distance of information-state transition (DIT). By quantitatively analyzing information asset weight, deviation degree and DIT, we establish an evaluation model for the information system. Example analysis shows that this method evaluates information system risk intuitively and reliably, avoids the threat caused by subjective measurement, and offers performance benefits over existing solutions. It is both theoretically and practically feasible for the scientific analysis of information system security risk.
Key words: distance of information-state transition (DIT); deviation distance; information asset; risk analysis