Title: A study on developing a cloud service risk assessment model (雲端服務風險評估模式建立之研究)
Author: Lo, Shao Yen (羅邵晏)
Contributors: 林我聰 (advisor); Lo, Shao Yen (羅邵晏)
Keywords: Cloud Computing; Cloud Service Risk; Risk Assessment; Service Provider Selection; Pearson Correlation
Date: 2012
Upload time: 1-Mar-2013 09:24:53 (UTC+8)
Abstract (translated from the Chinese): "Cloud computing" and its related application services have received considerable attention from industry. At the same time, governments of various countries have successively launched national programmes to develop the cloud computing industry. However, much of the literature tells us that information security issues in cloud computing also need attention. Information security under the cloud computing architecture differs somewhat from that of the past and is worth studying. In 2009 the European Network and Information Security Agency (ENISA) published a cloud computing security risk assessment report (CCSRA, Cloud Computing Security Risk Assessment); this report was also cited by the Cloud Security Alliance (CSA), which launched the industry's first cloud service risk standard (CCSK, Certificate of Cloud Security Knowledge). The report defines each risk and its causes and effects quite completely, but it offers no complete quantitative model for organisations to carry out quantitative assessment or to predict the operation of the whole cloud service risk system. The objectives of this study are therefore: 1. to build a quantitative model that predicts risks related to cloud service risk, so that business owners can take countermeasures early; 2. to use the Pearson correlation coefficient to analyse the degree of causal influence among risks, vulnerabilities and assets, as a reference for organisations when allocating resources.
Abstract (English): "Cloud Computing" and its application services are considered important by industries. Governments have also launched plans to develop the cloud computing industry. However, the literature tells us that cloud computing security issues also need to be noticed. Security issues in the cloud computing architecture are different from those in traditional information systems, so they are worth studying. In 2009, the European Network and Information Security Agency (ENISA) announced a report named "Cloud Computing Security Risk Assessment", and this report was referenced by the Cloud Security Alliance (CSA). The report is quite complete in its definition of each risk, its causes and effects. But there does not exist a complete quantitative model for the organization to assess or predict its cloud service risk. Therefore, the purposes of this study are as follows: 1. developing a cloud service risk assessment model to predict cloud service risks; 2. using the Pearson Correlation Coefficient to analyze the impact between risks, vulnerabilities and assets for the allocation of resources.
References (English title translations of the Chinese works are given in square brackets):
林育震 (2010), 『掌控風險 發揮雲端效益』 [Controlling risk to realise cloud benefits], Communications of the CCISA, 16(4), pp. 138-149.
張春雄、林顯達、黃新宗、劉美芳 (2003), 『風險管理』 [Risk Management], 吉田出版社.
陳瑞、周林毅 (2007), 『風險評估與決策管理』 [Risk Assessment and Decision Management], 五南圖書出版公司.
黃清賢 (2003), 『危害分析與風險評估操作手冊』 [Hazard Analysis and Risk Assessment Operations Manual], 新文京開發出版股份有限公司.
蔡一郎 (2010), 『雲端運算與雲端服務風險架構』 [Cloud computing and the cloud service risk framework], Communications of the CCISA, 16(4), pp. 84-93.
賴世培、詹志禹 (2011), 『應用統計(全)』 [Applied Statistics (complete edition)], 中華電視股份有限公司.
A. Avizienis, J. Laprie, B. Randell (2000), 'Fundamental concepts of dependability', Proceedings of the 3rd Information Survivability Workshop.
A. Rosenthal, P. Mork, M.H. Li, J. Stanford, D. Koester, P. Reynolds (2010), 'A new business paradigm for biomedical information sharing', Journal of Biomedical Informatics, 43(2), pp. 324-353.
IBM (2009), 'Red Book: Cloud Security Guidance - IBM Recommendations for the Implementation of Cloud Security', IBM.
C.S. Yoo (2011), 'Cloud Computing: Architectural and Policy Implications', Review of Industrial Organization, 38(4), pp. 405-421.
CSA (2010), 'Top Threats to Cloud Computing', Cloud Security Alliance.
ENISA (2009), 'Cloud Computing Security Risk Assessment', European Network and Information Security Agency.
D. Zissis, D. Lekkas (2011), 'Securing e-Government and e-Voting with an open cloud computing architecture', Government Information Quarterly, 28, pp. 239-251.
European Parliament (1995), 'Directive 95/46/EC of the European Parliament', European Parliament.
L. Iuga (2010), 'The Analysis of the Correlation Between the Level of the Bank Fees for Cards and the Number of Active Cards, Conducted with the Help of the Pearson Coefficient', Annales Universitatis Apulensis Series Oeconomica, 12(1), pp. 397-404.
L. Egghe, L. Leydesdorff (2009), 'The Relation Between Pearson's Correlation Coefficient r and Salton's Cosine Measure', Journal of the American Society for Information Science and Technology, 60(5), pp. 1027-1036.
L.M. Vaquero, L. Rodero-Merino, D. Morán (2011), 'Locking the sky: a survey on IaaS cloud security', Computing, 91(1), pp. 93-118.
L.M. Vaquero, L. Rodero-Merino, J. Caceres, M. Lindner (2009), 'A Break in the Clouds: Towards a Cloud Definition', ACM SIGCOMM Computer Communication Review, 39(1), pp. 50-55.
N. Mayer, P. Heymans, R. Matulevičius (2007), 'Design of a Modelling Language for Information System Security Risk Management', Proceedings of the 1st International Conference on Research Challenges in Information Science (RCIS 2007), Ouarzazate, Morocco, April.
NIST SAJACC and BUC Working Groups (2011), 'NIST US Government Cloud Computing Technology Roadmap Volume III - Technical Considerations for USG Cloud Computer Deployment Decisions', National Institute of Standards and Technology.
OWASP Cloud Top Ten Project (2012), 'Cloud Top 10 Security Risks', The Open Web Application Security Project.
NIST (2011), 'NIST Definition of Cloud Computing', National Institute of Standards and Technology.
G. Purdy (2010), 'ISO 31000:2009 - Setting a New Standard for Risk Management', Risk Analysis, 30(6), pp. 881-886.
R.K. Chellappa, A. Gupta (2002), 'Managing computing resources in active intranets', International Journal of Network Management, 12(2), pp. 117-128.
S. Paquette, P.T. Jaeger, S.C. Wilson (2010), 'Identifying the security risks associated with governmental use of cloud computing', Government Information Quarterly, 27(3), pp. 245-253.
T. Schoenherr (2009), 'Logistics and Supply Chain Management Applications Within a Global Context: An Overview', Journal of Business Logistics, 30(2), pp. 1-IVV.
Y.C. Stamatiou, E. Henriksen, M.S. Lund, E. Mantzouranis, M. Psarros, E. Skipenes, N. Stathiakis, K. Stølen (2002), 'Experiences from using model-based risk assessment to evaluate the security of a telemedicine application', Proceedings of Telemedicine in Care Delivery (TICD).
L.O. Yusuf, O. Folorunso, A. Akinwale, I.A. Adejumobi (2011), 'Visualizing and Assessing a Compositional Approach to Service-Oriented Business Process Design Using Unified Modelling Language (UML)', Computer and Information Science, 4(3), pp. 43-59.
Description: Master's thesis
國立政治大學 (National Chengchi University)
資訊管理研究所 (Graduate Institute of Management Information Systems)
Student number: 98356027
Academic year: 101 (ROC calendar)
Source: http://thesis.lib.nccu.edu.tw/record/#G0983560271
Type: thesis
URI: http://nccur.lib.nccu.edu.tw/handle/140.119/57045
Table of contents:
Acknowledgements
Abstract (Chinese)
Abstract (English)
Table of Contents
List of Figures
List of Tables

1. Introduction
1.1 Research background
1.2 Research motivation
1.3 Research objectives

2. Literature review
2.1 Cloud service models
2.1.1 Definition of cloud computing
2.1.2 Cloud computing service models
2.2 Concepts and procedures of risk management
2.2.1 Definition of risk management
2.2.2 Steps of risk management
2.3 Concepts and objectives of information security risk management
2.3.1 Risk management concepts
2.3.2 Criteria that protected assets should meet
2.4 Cloud service risks
2.4.1 Cloud service risks
2.4.2 High-level cloud service risks

3. Research methodology
3.1 Research process
3.2 Research limitations and assumptions
3.3 Questionnaire design
3.4 Method for building the risk assessment model
3.4.1 Pearson correlation
3.4.2 Research model diagram

4. Building the risk assessment model
4.1 Identifying vulnerabilities, risks and assets
4.2 Basic data analysis
4.3 Model construction
4.4 Comparison of this model with the OWASP model
4.4.1 Computing the vendor ranking of the comparison group
4.4.2 Comparison of vendor rankings between the experimental and comparison groups
4.5 Model application
4.6 Discussion of managerial implications

5. Conclusions and future research directions
5.1 Conclusions
5.2 Future research directions

References
Appendix (questionnaire)