Loading...
|
Please use this identifier to cite or link to this item:
https://nccur.lib.nccu.edu.tw/handle/140.119/35232
|
| Title: | 企業資訊安全風險評估-以電腦病毒為例 |
| Authors: | 洪裕傑
Hung,Yu-Chieh |
| Contributors: | 傅豐玲
洪裕傑
Hung,Yu-Chieh |
| Keywords: | 資訊安全
病毒
網路威脅
弱點管理
Information Security
Virus
Cyber-Threat
Vulnerability Management |
| Date: | 2005 |
| Issue Date: | 2009-09-18 14:30:25 (UTC+8) |
| Abstract: | 隨著網際網路的快速成長,資訊安全已成為企業最重視的議題之一。企業必須保護自己免於網路威脅(Cyber-Threat),不過防止企業免受網際威脅已非易事,這也為企業資訊安全風險埋下了一顆不定時炸彈。換句話說,資訊安全風險是現今企業所面臨的主要挑戰之一,企業資訊安全防護的好壞將直接反應在企業的盈虧上,甚至可能影響到顧客對該企業產品或服務的滿意度等,對企業的殺傷力是不容忽視的。目前的防毒軟體(Anti-Virus)與威脅管理系統(Threat Management System)所能提供的基本功能都是大同小異,其效能也在伯仲之間,但是企業使用的成效則大不相同。因此如何掌握左右企業資訊安全風險的主要影響因子,並根據該影響因子提供企業一套資訊安全策略以解決其所面臨的風險與使得金錢上的損失降到最低,將是改善企業資訊安全風險的關鍵成功因素。
本研究首先透過與五位企業安全維護有實務經驗的專家訪談,了解資訊安全之重要影響因素並不在於投入防毒軟體的預算金額,反而是企業的資訊安全策略類型,如使用者與資訊安全人員關係型態、資訊安全人員的素質、高階主管對資訊安全政策的支持之類因素更重要。
接著藉由問卷調查,以國內某著名防毒軟體客戶為樣本,發出1910份郵寄問卷與網路問卷邀請email信,共回收102份有效問卷,回收率5.3%。問卷共分為兩大部份:組織特徵(包括公司背景、過去三年病毒感染情形、防毒系統、資訊安全管理現況)及防毒能力評估(防毒軟體的使用、監控與過濾、追蹤裝置、區隔網路等四類防毒技術的使用,與弱點管理、病毒碼部署、帳號管理、應用程式與網路使用的權限、回應與恢復程序等五類安全程序政策,組織的責任與能力、組織的順從、對教育訓練的重視等三項組織因素)。以「病毒爆發數量」、「病毒爆發影響嚴重性」、「偵測病毒數」與「偵測感染事件事」為應變數,以公司概況及防毒能力評估各變項為自變數進行單因子與多因子變異數分析,分析結果顯示組織大小及防毒軟體的使用、弱點管理、帳號管理等安全程序政策是影響「病毒爆發數量」的重要因素;組織大小、網路管理等組織特徵,防毒軟體的使用、弱點管理、病毒碼部署等安全程序政策及教育訓練等是影響「病毒爆發影響嚴重性」的重要因素;組織大小與防毒軟體的使用、監控與過濾等防毒技術的使用,弱點管理影響「偵測病毒數」的重要因素;組織大小、弱點管理、與教育訓練等是影響「偵測感染事件數」的重要因素。
本研究藉由分析企業在資訊安全所面臨到的風險,得以建立並發展相關評量的模型,研究結果除了可以提供廠商與設計人員在開發企業資訊安全風險評量時參考的依據,也為後續的相關實證研究提供一些建議的方向。
Following the growth of the www internet in the latest years, information security has become the most important topic among all enterprise companies. Enterprise companies have to protect themselves from Cyber-Threat, but this is not an easy job at all. That means a hidden bomb has already been planted inside their information systems. In another words, the information security threat is the main challenge that all enterprise companies are facing right now. The performance of the defensive system that an enterprise company is using directly impacts whether this company can have a profit gain or loss; furthermore, this affects the customers’ satisfaction about the company’s products and services. This threat can harm the company and should not be ignored. Right now the basic service that Anti Virus software and Threat Management System can provide and their performance are functionally the same, but the effective factor of how each different companies use them may yield a big difference. Hence, knowing how to control the main factor of the information security threat of the company and knowing how to provide the best and the most secured strategy according to the threat to solve any possible future threat such that the loss of profit can be minimized, will be the most important aspect for an enterprise company to be succeeded.
This research was conducted by interviewing with five experienced enterprise security maintenance experts at first. From the conservation, we have learned that the main factor of the information security is not depending on the amount of budget that the company has spent on anti-virus software. In fact the strategy type that the company uses for information security is the main reason. This includes the relational model between the users and the information security members, the quality of the information security members, the support of information security strategy from the top manager, and etc. These are more important factors.
We have then conducted a survey among the customers from one of the famous anti virus software in Taiwan. We have sent out 1910 questionnaire mails and online survey invitation emails, we have collected back 102 copies of valid questionnaires (5.3% of the total). The questionnaire contains two parts: the characteristic of the company (including the background of company, the virus infection situation in the past three years, the anti virus system, the present situation of information security management), and the performance evaluation of the anti-virus system (which one(s) out of the four anti-virus techniques that the current company is applying: using anti-virus software, monitoring and filtering, using some tools for tracing, and the separation of local area network. Which one(s) out of five security process strategies that the company is using: weakness management, virus pattern deployment, account management, permission of using application and network, and response and restore process. And the factor of company: the responsibility and ability, the obedient, and the weight that was put for educational training.) Using the infection number of virus, the impact severity of virus spread, the quantity of detectable virus, and the number of detectable infection events as dependent variables, along with using the situation of company and each items in anti-virus ability evaluation as single factor or multiple factor variant analysis, the analyzed result shows that the size of companies and the security process strategies such as the use of anti-virus software, weakness management, and account management, are the main factors of the infection number of virus. The characteristic of the company such as the size of companies and its network management, the security process strategies such as the use of anti-virus, weakness management, and virus pattern deployment, and the educational training are the main reasons of affecting the severity of virus spread. The size of company, the use of anti virus technique such as the use of anti-virus software and the monitoring and filtering, and weakness management are the main factors of the number of detected virus. The size of company, weakness management, and the educational training are the main factor of the number of events of detected infection.
According to the analysis of the threat of information security that an enterprise company would face, this research has built and developed a related evaluation model. The result from this research not only can provide a reference for companies and software designers when they evaluate their enterprise information security, but also suggest a new direction for future research. |
| Reference: | 一、中文部分
[1] 李順仁,資訊安全,文魁,2003
[2] “90年度台閩地區電腦應用概論報告”,行政院主計處電子處理資料中心,http://www.dgbas.gov.tw/ct.asp?xItem=1329&ctNode=411,讀取日期:2005/12/31
[3] “93年電腦應用概況報告”,行政院主計處電子處理資料中心,http://www.dgbas.gov.tw/ct.asp?xItem=14284&CtNode=3545,讀取日期:2005/12/31
[4] “疾風病毒餘悸猶存!殺手病毒恐將造成另一波重大災情”,某公司,http://www.trendmicro.com/tw/home/enterprise.htm,讀取日期:2006/01/02
[5]“資訊安全概論”,台灣微軟,http://www.microsoft.com/taiwan/partner/columns/securitysurvey.aspx,讀取日期:2006/01/05
[6] “賽門鐵克公佈全球行動安全調查研究報告”,賽門鐵克,http://www.symantec.com/region/tw/press/tw_060411.html,讀取日期:2006/05/01
二、英文部分
[7] Andreas E. Fielder, “On the Necessity of Management of Information Security”, Northwest, http://www.noweco.com/wp_iso17799e.htm, Access Date: 2006/05/01
[8] Anat Hovav and John D’Arcy, “The Impact of Virus Attack Announcements on the Market Value of Firms”, Information Systems Security, May/June 2004, pp32-40
[9] Austin, R.D. and Darby, C.A.R., “The Myth of Secure Computing”, Harvard Business Review, 81(6), June 2003, pp120-126
[10] Bruce Schneier, “The Process of Security”, http://infosecuritymag.techtarget.com/articles/april00/columns_cryptorhythms.shtml, Access Date: 2005/12/01
[11] Charles J. Kolodgy, Brian E. Burke, Christian A. Christiansen, Sally Hudson, Laurie A. Seymour, “IDC’s Enterprise Security Survey, 2004”, IDC, 2004
[12] Chen, T.M. “Trends in Viruses and Worms”, The Internet Protocol Journal, 6(3), 2003, pp23-33
[13] Computer Security Update, Internal Attacks Suppassing External Attacks at Firms, Worldwide Videotex, 2005
[14] Cybertrust Corporation, “Cybertrust Anti-Virus Practice Guide”, Cybertrust Corporation, 2004
[15] Ettredge, M. and V.J. Richardson, “Assessing the Risk in E-Commerce”, Proceedings of the 22nd International Conferenceon Information Systems, 2001
[16] Frank Cervone, “Understand the Big Picture so You Can Plan for Network Security”, Computers in Libraries, 25(3), 2005, pp10-14
[17] Glover, S., S. Liddle, et al. Electronic Commerce: Security, Risk Management, and Control. Prentice-Hall.
[18] Gokhan Gercek, Ph.D. and Naveed Saleem , Ph.D. “Securing Small Business Computer Networks: An Examination of Primary Security Threat and Their Solutions”, Telecommunications, Network, and Internet Security, July/August 2005, pp18-28
[19] Gordon, L.A., M.P. Loeb, et al. “A Framework for Using Insurance for Cyber-Risk Management.” Communications of the ACM , 46(3), 2003, pp81-85
[20] Gordon, L.A. and M.P. Loeb, “The Economics of Information Security Investment”, ACM Transactions on Information and System Security, 5(4), pp438-457, 2002
[21] Harold F. Tipton, Micki Krause, Information Security Management Handbook 5th Edition, Auerbach publications, 2004
[22] Hindocha, N., “Threats to Instant Messaging”, Symantec White Paper, 2002
[23] Hovav, A. and J. D’Arcy, “The Impact of Denial-of-Service Announcement on the Market Value of Firms”, Risk Management and Insurance Review, 6(2), 2003, pp97-121
[24] Joe Licari, “Securing the Information Workplace: Managing Threats to Enterprise E-Mail, IM, and Document Sharing Environments”, Telecommunications, Network, and Internet Security, September/October 2005, pp45-49
[25] Kelly, B.J., “Preserve, Protect, and Defend”, Journal of Business Strategy, Sep-Oct, 1999, pp22-26
[26] Ken Dunham, “Battling the Bots”, Information System Security, May-June, 2005, pp6-9
[27] Kimball Fisher, Mareen Duncan Fisher, The Distributed Mind: Achieving High Performance Through the Collective Intelligence of Knowledge Work Team, AMACOM, 1997
[28] Larry Bridwell, “Computer Virus Prevalence Survey”, ICSA Lab, 2004
[29] Lawrence A. Gordon, Martin P. Loeb, William Lucyshyn and Robert Richardson, “CSI/FBI Computer Crime and Security Survey”, Computer Security Institute, 2004
[30] Lemos, R., “The Computer Virus – No Cures to be Found”, CNET News.com, November 25, 2003, http://zdnet.com.com/2100-1105-5111442.html, Access Date: 2006/01/09
[31] Matunda Nyanchama and Marc Stefaniu, “Analyzing Enterprise Network Vulnerabilities”, Information Systems Security, 12(2), 2003, pp44-49
[32] Montana, J.C., “Viruses and the Law: Why the Law is Ineffective”, The Information Management Journal, 34(4), 2000, pp57-60
[33] Power R., “CSI/FBI Computer Crime and Security Survey”, Computer Security Issues and Trends, 7(1), 2001, pp1-18
[34] Power R., “CSI/FBI Computer Crime and Security Survey”, Computer Security Issues and Trends, 9(1), 2003, pp1-20
[35] Salierno, D. “Manager Fail to Address E-Risk”, The Internal Auditor, April 2001
[36] Salkever, A. “Who Pays When Business Is Hacked?”, Business Week, http://www.businessweek.com/bwdaily/dnflash/may2000/nf00523d.htm, Access Date: 2005/12/10
[37] Steven Drew, “Reducing Enterprise Risk with Effective Threat Management”, Information Security Management, January/February 2005, pp37-42
[38] Stone, J. and Merrion, S., “Features: Instant Messaging or Instant Headache?”, ACM Queue, 2(2), April, 2004
[39] Tim Grance, Joan Hash, and Marc Stevens, “Security Considerations in the Information System Development Life Cycle”, NIST Special Publication 800-64, Oct., 2003
[40] “CERT/CC Statistics 1988-2005”, CERT/CC, http://www.cert.org/stats/cert_stats.html, Access Date: 2005/12/05
[41] “Control Management”, Trend Micro, http://www.trendmicro.com/en/products/management/tmcm/evaluate/overview.htm, Access Date: 2006/04/30
[42] “Managing Collective Intelligence – Toward a New Corporate Governance”, Axioplole, http://www.axiopole.com/en/index_en.html, Access Date: 2006/04/15
[43] “People, Process and Technology: Foundation for Effective Incident Handling”, LURHQ, http://www.lurhq.com, Access Date: 2005/07/08 |
| Description: | 碩士
國立政治大學
資訊管理研究所
93356035
94 |
| Source URI: | http://thesis.lib.nccu.edu.tw/record/#G0093356035 |
| Data Type: | thesis |
| Appears in Collections: | [資訊管理學系] 學位論文
|
All items in 政大典藏 are protected by copyright, with all rights reserved.
|
