系统安全工程能力成熟模型安全度量研究.pdfVIP

第 35 卷 第 3 期 哈 尔 滨 工 业 大 学 学 报 VoI. 35 No. 3 2 0 0 3 年 3 月 JOURNAL OF HARBIN INSTITUTE OF TECHNOLOGY Mar. ，2003 系统安全工程能力成熟模型安全度量研究 崔宝灵，张 洁，杨 昌 （哈尔滨工业大学 管理学院，黑龙江 哈尔滨 150001） 摘 要：为解决在应用系统安全工程能力成熟模型（SSE-CMM）过程中如何度量其应用效果的问题，从两个 不同的角度讨论了度量 SSE - CMM 的应用效果的方法. 阐述了“过程度量”和“安全度量”的定义和发展， 以及如何对它们进行分组和识别. 研究结果表明，安全度量是衡量系统安全状态和运行能力、SSE - CMM 过 程域实施效果的重要工??. 关键词：系统安全工程能力成熟模型；过程度量；安全度量 中图分类号：X913 . 4 文献标识码：A 文章编号：0367 - 6234（2003）03 - 0293 - 05 Security metrics for systems security engineering capability maturity model CUI Bao-Iing，ZHANG Jie，YANG Chang （SchooI of Management，Harbin Institute of TechnoIogy，Harbin 150001，China） Abstract：A systems security engineering capabiIity maturity modeI（SSE - CMM）is used to describe the es- sentiaI characteristics of an organization’s security engineering process to ensure good security engineering. A common guestion posed in using the SSE - CMM is，how to know if these processes wiII resuIt in a more secure system or operationaI capabiIity. To answer this guestion，this paper approaches the guestion from two different perspectives using metrics as a basis for the answer. The metrics are divided into two kinds：process metrics and security metrics. Then the paper gives the definition and deveIopment of metrics and discusses how to group and identify them. Then one concIusion can be drawn：a security metri is an important tooI to measure the security status，operationaI capabiIity of a system and the effects of SSE - CMM process areas. Key words：systems security engineering capabiIity maturity modeI；process metrics；security metrics