多產業資訊安全風險評鑑機制之研究

Research on Cross-industry Information Security Risk Management Platform

魏銪志(Yu-ChihWei)；吳易昇(Yi-ShengWu)

資訊安全管理 ； 資訊安全風險評鑑 ； 多產業資訊安全風險管理 ； Information security management ； Information security risk assessment ； Cross-industry Information Security Risk Management

電腦稽核

45期（2022 / 02 / 25）

43 - 65

繁體中文

在各國積極推動工業4.0、大數據及人工智慧等技術下，資訊科技及運營科技的資訊安全威脅持續受到關注，且關注的範圍隨著物聯網及智慧製造的推動，兩者所涉及的範圍已逐漸重疊並進行結合，使得資訊安全已成為所有產業所面臨的問題。為防範在營運上所產生風險，因此組織需透過導入良好的資訊安全風險管理流程，以降低風險所造成的損害。為了解決多產業的資訊安全問題，且同時解決資訊安全風險管理流程繁瑣的程序，本研究設計與實作多產業資訊安全風險評鑑平台，來協助資訊安全風險管理人員進行有效的資安風險管理流程。本研究架構結合ISO/IEC 27005的框架及IEC 62443-3-2工控網路安全風險管理的架構，達成資訊與工業的多產業結合。本研究將使各產業更有效的追蹤風險管控，了解整體風險情況，建立良好的風險決策，促進整體資訊及網路安全。

The technology of the industry 4. 0, big data and artificial intelligence are actively promoted in all countries. The information security threats in information technology and operating technology are constantly being paid attention. With promoting IoT and AI manufacturing, the scope of IT and OT have gradually overlapped and combined. To prevent the risk in operation, the organization need to imply nicer information security risk management process. So that can reduce the damage from the risk. To solve the cross-industry information security issue and also decrease the process of the information security risk management, we design and implement a cross-industry information security risk management platform in our research. This platform can help the staff deploy the process of information security risk management efficiently. Combining the framework of ISO/IEC 27005 and IEC 62443- 3- 2 to achieve the cross-industry goal between IT and OT. It's easy to connect the IT industry and OT industry. Our research let each industry follow up the risk management more effectively. Understanding the whole risk situation, establish good risk decisions, and promote overall information and network security.

1. de Gusmão, A. P. H.,Silva, L. C.,Silva, M. M.,Poleto, T.,Costa, A. P. C. S.(2016).Information Security Risk Analysis Model Using Fuzzy Decision Theory.International Journal of Information Management,36,25-34.
2. Dongmei, Z.,Hai-feng, L.,Chen-guang, L..Risk Assessment of Information Security Based on Bp Neural Network.Jisuanji Gongcheng yu Yingyong(Computer Engineering and Applications),43,139-141.
3. Foroughi, F.(2008).Information Security Risk Assessment by Using Bayesian Learning Technique.Proceedings of the World Congress on Engineering
4. IEC. "Cyber Security." from https://www.iec.ch/basecamp/cyber-security. 2018
5. IEC(2020).IEC. "Security for Industrial Automation and Control Systems - Part 3- 2: Security Risk Assessment for System Design." . 2020.
6. ISO(2018).ISO. "Information Technology–Security Techniques–Information Security Risk Management," in: ISO/IEC. ISO/IEC 27005. 2018..
7. Jana, D. K.,Ghosh, R.(2018).Novel Interval Type- 2 Fuzzy Logic Controller for Improving Risk Assessment Model of Cyber Security.Journal of information security and applications,40,173-182.
8. Li, H.(2006).Probability Representations of Fuzzy Systems.Science in China Series F,49(3),339-363.
9. Mamdani, E. H.,Assilian, S.(1975).An Experiment in Linguistic Synthesis with a Fuzzy Logic Controller.International journal of man-machine studies,7(1),1-13.
10. Saade, J. J. ,Diab, H. B.(2004).Defuzzification Methods and New Techniques for Fuzzy Controllers.IRANIAN JOURNAL OF ELECTRICAL AND COMPUTER ENGINEERING (IJECE)
11. Shameli-Sendi, A.,Aghababaei-Barzegar, R.,Cheriet, M.(2016).Taxonomy of Information Security Risk Assessment (Isra).Computers & security,57,14-30.
12. Zadeh, L. A.(1996).Fuzzy Sets, Fuzzy Logic, and Fuzzy Systems: Selected Papers.
13. 行政院 . 2018. " 資通安全管理法 ." from https://law.moj.gov.tw/LawClass/LawAll.aspx?pcode=A0030297