Research on the Security Architecture for Insider Threats and Its Key Technologies
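Abstract
Network security has made great progress in intrusion detection, firewalls, information encryption, access control and related areas, which has greatly helped enterprises and organizations deal with externally initiated attacks. However, these controls and tools are designed against the outsider threat: they protect the internal information network from attacks launched from outside. Against the insider threat, that is, insider attack or misuse, they are essentially powerless.
     Meaningful published research on the insider threat is still relatively scarce, and the importance of such research has not yet been widely recognized by experts and scholars. Taking defense against the insider threat as its subject and minimizing insider threat risk as its goal, this dissertation studies in depth how an enterprise or organization can build an insider threat defense architecture, together with its key technologies.
     The research results of this dissertation are as follows:
     First, today's information security field has no standard, comprehensive and complete framework architecture for security inside enterprises and organizations. Taking the enterprise as a whole, and giving weight to people and environmental issues as well as technical ones, this dissertation designs ITSDA, a holistic, multi-dimensional and multi-disciplinary insider security defense architecture.
     Second, the insider threat is a security problem that enterprises and organizations cannot avoid, and documents, an enterprise's most valuable information asset, are the main target of insider misuse. Earlier coarse-grained security policies, such as the principle of least privilege and separation of duties, are not adequate for the insider threat to document security. This dissertation proposes a novel multi-level security policy model for document information flow and an information flow directed graph model, and gives the related algorithms, which dynamically constrain information flow channels and block the related hidden information flow channels to keep the document operating environment secure.
     Third, today's security solutions concentrate more on providing security defenses than on resolving the causes of information system (IS) security problems. To help enterprises and organizations build a sufficiently secure system suited to their own needs, and to move away from the passive defense of the past, a security requirements engineering process, SREP, is proposed for eliciting enterprise security requirements. It is integrated with the system development process, analyzes and collects security requirements comprehensively, and incorporates them into the software engineering process through a systematic method.
     Fourth, by analyzing existing insider threat detection and prevention models and addressing their shortcomings, this dissertation proposes a quantitative, scalable insider threat detection model that uses quantified measures to prompt administrators directly toward sound decisions and effectively detects attack behavior by internal users.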
Advances in network security, including intrusion detection, firewalls, information encryption and access control mechanisms, have substantially helped organizations repel externally initiated attacks. However, these controls and tools are designed against the outsider threat to an organization's network, and little progress has been made in dealing with the insider threat, which includes insider attack and insider misuse. Survey data shows that the most serious security breaches and the greatest economic damage are caused mainly by insider threats within organizations.
     Given the absence of significant published research on this topic, its importance is still overlooked by most IT scholars. Any contribution made in this area is likely one day to be considered seminal work. This paper not only points out the critical issues of the research but also gives some research clues.
     Considering all security-related aspects of the enterprise, this dissertation aims to provide an integrated, overall security architecture (ITSDA) to address the insider threat, and then studies the related key technologies of that architecture in depth. The goal is to mitigate as far as possible the business damage caused by insider misuse or insider attack, to stop the insider threat at its outset, and to reduce internal risk to a minimum.
     The research conducted in this dissertation mainly includes: 1) considering the different characteristics and security obligation mechanisms of different industries, research on an information security architecture for the insider threat; 2) in view of the problem of information asset security in organizations, research on a multi-level security policy model for document security; 3) with regard to the elicitation of security requirements, research on a security requirements engineering process (SREP) based on the software engineering process; 4) for predicting and preventing the insider threat, research on an attack tree prediction model.
     The main contributions and accomplishments of this dissertation are as follows:
     1. A multi-dimensional, multi-disciplinary security architecture (ITSDA) is proposed.
     In the network security field, no standardized, comprehensive security architecture for the insider threat currently exists. Many security professionals and managers in organizations hold a serious misconception about the insider threat: they assume it will be resolved if good techniques are adopted thoroughly in every aspect or department. This understanding of the insider threat is clearly partial. Because enterprise organizations develop continuously, the insider threat is dynamic in nature. From an overall point of view, organizations should pay attention not only to technical details but also to people and environmental issues. Only in this way can an organization design a holistic security defense architecture. The ITSDA security architecture consists of seven dimensions, each representing a different functional role. In particular, the seven dimensions form a feedback loop. Through mutual feedback, they can respond quickly to enterprise development and to the dynamic features of the insider threat. Together they establish a dynamic, comprehensive internal security and defense architecture.
     2. A novel multi-level security policy model based on document information flow is presented.
     For enterprises, the insider threat is a security issue that must be overcome. Documents, the most valuable information assets, are the main targets of insider abuse. Previous coarse-grained security policies, such as the principle of least privilege and separation of duties, are not sufficient to protect the security of documents. Drawing on the Lattice model, the BLP model and the Chinese-Wall model, this paper first defines the concept of document information flow and then adopts the concept of security level from the Lattice model. In addition, the paper defines read and write rules similar to those of the BLP model. Based on this research, the dissertation presents a novel multi-level security policy model and an information flow graph model, and proposes related algorithms. The security policy can be combined with other security policies, and relevant static obligation rules can be added. Depending on the context of the operating environment, it dynamically constrains the paths of information flow. To secure document operations, it blocks the related hidden paths of information flow.
     3. A security requirements engineering process, SREP, for eliciting security requirements from organizations is provided.
     Current security solutions concentrate more on methods of security and defense than on resolving the causes of IS security issues. Following the software engineering process and the CC standards, this paper requires that security requirements be addressed from the beginning stages of research and development. Based on related research results, the dissertation presents a security requirements engineering process, SREP, in which the software engineering process is applied to the security requirements process. SREP consists of the following nine steps: 1) agreeing on definitions; 2) characterizing the system; 3) identifying critical assets and processes; 4) identifying system vulnerabilities; 5) identifying threats; 6) identifying security objectives and dependencies; 7) generating the threat model; 8) risk assessment; 9) eliciting security requirements. These nine steps help enterprises design a suitable, complete security system to defend against potential insider threats.
     4. A scalable prediction model for the insider threat is proposed, and a probability generation algorithm for predicting attacks is provided.
     To deter cracker activities, this paper introduces an improved augmented attack tree structure and the notion of a "minimal attack tree", proposes the concepts of "attack cost" and "attack weight", and presents an algorithm for generating the minimal attack tree. Based on this research, the paper presents a novel insider threat model. A user must submit his intended system usage before logging in to the system. This forms the user's session scope, which is converted to a "SPRINT" (Signature Powered Revised Instruction Table) plan. Using a user's SPRINT plan and a customized minimal attack tree, we can not only monitor the user's activities online to prevent malicious operations, but also monitor insider attacks launched by exploiting system vulnerabilities while the user still abides by the SPRINT plan. In particular, the paper introduces an estimator of attack probability, which helps system administrators make sound decisions by a quantitative approach. The approach gives the system administrator an early warning so that he can fight against unwelcome, unauthorized activities. Its advantage is that it is a flexible and scalable technique for system security management.
     For enterprise organizations, this research topic is related not only to economic value but also to the enterprise's reputation and image. The accomplishments of this paper enrich the research results on the insider threat. The related research on the insider threat, including the security defense architecture, the multi-level security policy model, security requirements engineering, and the prediction and detection model, has high theoretical significance and application value.
    [162] Y. Yang, B. Boehm,B. Clark, Assessing COTS integration risk using cost estimation inputs [C], in Proceeding of the 28th international conference on Software engineering, Shanghai,China,ACM Press, 2006, pp. 431-438.
    [163] O. Helme, Social Technology [M]: Basic Book,New York, 1966.
    [164] T. J. Gordon,J. C. Glenn, Issues in Creating the Millennium Project:Initial RePort from the Millennium Project Feasibility Study [R], United Nations University, 1993.
    [165] J. P. Spradley, Participant observation [M]: Fort Worth:Harcourt Brace, 1980.
    [166] J. Lofland,L. H. Lofland, Analyzing social settings,3rd Ed [M]: Belmont,Cal.:Wadsworth, 1995.
    [167] J. Katz, A theory of qualitative methodology [R], Contemporary field research, Prospect Heights,III.:Waveland, 1983.
    [168] J. P. Gee, Diseourse analysis [M], in The handbook of qualitative research in education(chapter 6): San Diego:Academic Press, 1992.
    [169] F. I. Khan, Knowledge-based expert system framework to conduct offshore process HAZOP study [C], in 2005 IEEE International Conference on Systems,Man and Cybernetics, 2005, pp. 2274-2280.
    [170] B. C. Soh, T. S. Dillon,P. County, Quantitative risk assessment of computer virus attaeks on computer networks [J], Computer Networks and ISDN Systems, ACM Press, 1995.
    [171] D. Shoemaker, A quantitative risk assessment model for the management of software projects [J], Practicing software engineering in the 21st century,Idea Group Publishing, 2003, pp. 97-115.
    [172] C. Lee,D. A. Landgrebe, Analyzing High-Dimensional Multispectral Data [J], IEEE Transactions Geosci,Remote Sensing, 1993, vol. 31(4), pp. 792-800.
    [173] M. A. Carreira-Perpinan, Continuous Latent Variable Models for Dimensionality Reduction and Sequential Data Reconstruction [D]: Ph.D Thesis, 2001.
    [174] Oxford UK, Multivariate Analysis-Faetor Analysis and Principal Component [R], The Numberical Algorithms Group Ltd, 2000.
    [175] K. Y. Yeung,W. L. Ruzzo, Principal Component Analysis for Clustering Gene Expression Data [J], Bioinformatics,Oxford University Press, 2001, vol. 7(9), pp. 763-774.
    [176] Lin Kuan-Ming,Lin Chih-Jen, A study on reduced support vector machines [J], IEEE Transaction on Neural Networks, 2003, vol. 14(6), pp. 1449-1459.
    [177] Yong Chen,C. Jense, Risk Probability Estimating Based on Clustering [C], in Proceedings of the 4th IEEE Annual Information Assurance Workshop, New York,U.S.A, 2003.
    [178] Li Yan-Hai,Sun Lin-Yan, Study and applications of data mining to the structure risk analysis of customs declaration cargo [J], IEEE International Conference on e-Business Engineering, 2005, pp. 761-764.
    [179] M. Sato一Ilic, Weighted principal component analysis for interval-valued data based on fuzzy clustering [C], in IEEE International Conferenee on Systems,Man and Cybernetics, 2003, pp. 4476-4482.
    [180] K. R. Muller, S. Mika,G. Ratsch, An Introduction to Kernel-based Learning Algorithms [J], IEEE Transaction on Neural Networks, 2001, vol. 12(2), pp. 181-201.
    [181] D. Y. Koo, A practical timing-risk analysis method [J], Reliability and Maintainability Symposium, 1994, pp. 210-215.
    [182] V. Cherkassky,F. Mulier, Model Complexity Control for Regression using VC Generalization Bounds [J], IEEE Transaction on Neural Networks, 1999, vol. 10(5), pp. 1075-1089.
    [183] S. E. Schechter, Toward econometric models of the security risk from remote attacks [J], Security and Privacy Magazine,IEEE, 2005, vol. 3(1), pp. 40-44.
    [184] M. Sahinoglu, Security meter:a practical decision-tree model to quantify risk [J], Security and Privacy Magazine,IEEE, 2005, vol. 3(3), pp. 18-24.
    [185] P. P. Shenoy, A comparsion of graphical techniques for decision analysis [J], European Journal of Operational Research, 1994, vol. 78(1), pp. 1-21.
    [186] C. Cardie, Using decision trees to improve case - based learning [C], in Proceedings of the Tenth International Conference on Machine Learning, 1993, pp. 25-32.
    [187] T. L. Saaty, The Analytic Hierarchy Process:Planning,Priorty Setting,Resource Allocation [M]. New York:McGraw-Hill, 1980.
    [188] A. A. Salo,R. P. Hamalainen, On the measurement of preferences in the analytic hierarchy process [J], Journal of Multi-Criteria Decision Analysis, 1997, vol. 11(6), pp. 309-319.
    [189] M. A. Mustafa,J. Fai-Bahar, Project risk assessment using the analytic hierarchy process[J], IEEE Transactions on Engineering Management, 1991, vol. 38(1), pp. 46-52.
    [190] F. Tuysuz,C. Kahraman, Project risk evaluation using a fuzzy analytic hierarchy process:An application to information technology projects [J], International Journal of Intelligent Systems, 2006, vol. 21(6), pp. 559-584.
    [191] I. Millet,C. William, Modeling risk and uncertainty with the analytic hierarchy process [J], Journal of Multi-Criteria Decision Analysis, 2002, vol. 11(2), pp. 97-107.
    [192] D. M. Buede,D. T. Maxwell, Rank disagreement: A comoparison of multi-criteria methodologies [J], Journal of Multi-Criteria Decision Analysis, 1995, vol. 4(1), pp. 1-21.
    [193] R. Chinchani, S. Upadhyaya,K. Kwiat, Towards the scalable implementation of a user level anomaly detection system [C], in Proceedings - IEEE Military Communications Conference MILCOM, Anaheim, CA, United States, 2002, pp. 1503-1508.
    [194] S. Upadhyaya, R. Chinchani,K. Kwiat, An analytical framework for reasoning about intrusions [C], New Orleans, LA, 2001, pp. 99-105.
    [195] T. R. Ingoldsby, Understanding risk through attack tree analysis [J], Computer Security Journal, 2004, vol. 20(2), pp. 33-59.
    [196] Ga Xiang,Yuan-Da Cao, Generating IDS attack pattern automatically based on attack tree [J], Journal of Beijing Institute of Technology (English Edition), 2003, vol. 12(2), pp. 138-142.
    [197] P. Ammann, D. Wijesekera,S. Kaushik, Scalable, graph-based network vulnerability analysis [C], in Proceedings of the ACM Conference on Computer and Communications Security, Washington, DC, United States, 2002, pp. 217-224.
    [198] S. Jha, O. Sheyner,J. M. Wing, Two formal analyses of attack graphs [C], in Proceedings of the 2002 Computer Security Foundations Workshop, Nova Scotia, 2002, pp. 45-59.
