跳到主要內容

簡易檢索 / 詳目顯示

回結果列表
研究生: 徐昊宇
Hao-Yu Syu
論文名稱: 結合FAIR與NIST資安框架分析資安風險:以醫療產業為例
指導教授: 蔣偉寧
口試委員:
學位類別: 碩士
Master
系所名稱: 工學院 - 土木工程學系
Department of Civil Engineering
論文出版年: 2021
畢業學年度: 109
語文別: 中文
論文頁數: 106
中文關鍵詞: 資安風險資安保險保費計算資料外洩FAIRNIST
外文關鍵詞: cyber security, cyber insurance, assessment of premium, data breach, FAIR, NIST
相關次數: 點閱:18下載:0
分享至:
查詢本校圖書館目錄 查詢臺灣博碩士論文知識加值系統 勘誤回報

    • 隨著網路的蓬勃發展,各國之資安風險逐年上升,因此保險產業也積極在資安領域發展保險市場,但台灣之保險產業至今於該領域發展仍有限,原因在於對資安風險之歸類與衡量了解不足。事實上即便在資安保險起步較早的美國,保險業者也並未對於自身之風險評估模型抱持足夠信心,台灣有類似狀況自然也不足為奇。

    本研究將先彙整與介紹各種資安風險事件之分類、頻率、途徑、損失狀況、嚴重性分級等,並以現實或假想案例具體重現情境,不僅可供保險公司設計產品及擬定保費時參考,也可被投保企業做為研擬資安對策時的依據。之後則講解Jack Freund與Jack Jones發展之FAIR(factor analysis of information risk)模型,以及NIST(National Institute of Standards and Technology)之資安框架,再根據論文前半部提及的資料擬定FAIR之參數,並結合NIST之資安框架,以醫療機構為例評估其資料外洩時的風險大小,最後再進一步模擬保險公司以風險值求取保費的過程,以供其參照。

    研究結果呈現了以醫療產業為例的分析成果,且由於業務性質的相似性,我們可預期本研究的風險評估流程也可套用於許多其他類型的投保企業。此外,各產業遭遇不同資安事件時的損失型態差異也已列表整理,不論是投保企業或保險公司,皆可以此為基礎調整營運方針。

    With the vigorous development of the cyber activity, the cyber risks of various countries have increased yearly. Therefore, the insurance industry is also actively developing the insurance market in the cyber security field. However, in Taiwan, the development of insurance industry in this field is still limited due to insufficient understanding of classification and measurement of cyber risks. In fact, even in the United States, where cyber insurance started early, insurers did not have enough confidence in their own risk assessment model. It is not surprising that Taiwan is in such a predicament.

    This research will first summarize and introduce the classification, frequency, approach, loss status, severity classification, etc. of various cyber risk events, and use real or hypothetical cases to specifically reproduce the situation, which can not only be used as a reference for insurance enterprises when designing products and drawing up premiums, but also be used by the insured enterprises as a basis for the research and development of cyber security policies. After that, this research will explain FAIR (Factor Analysis of Information Risk) model developed by Jack Freund and Jack Jones, and NIST (National Institute of Standards and Technology) cyber security framework, then draw up the parameters in FAIR based on the information mentioned in the first half of the paper, and combined with NIST cyber security framework, several medical institutions are used as examples to evaluate the risk of data breach, and finally the process of insurers obtaining premiums based on risk value is further simulated for their reference.

    The research results show the consequences of the analysis taking medical industry as example, and due to the similarity of business, we can expect that the process of risk assessment in this research can also be applied to many other types of insured industries. Besides, types of losses experienced by diverse industries in various cyber incidents have also been tabulated. That can be used by insureds or insurers as a basis to adjust operating policies.

    第一章 緒論 1 1.1 研究動機、目的與內容 1 1.2 投保者分類 3 1.2.1 依產業類型歸類 3 1.2.2 依產業規模歸類 4 第二章 資安損失類型 6 2.1 資料外洩 6 2.1.1 資料類型與外洩量嚴重性 6 2.1.2 外洩事件紀錄 7 2.1.3 資料外洩頻率與資料量 8 2.1.4 駭客經濟 9 2.1.5 資料外洩之通報機制 10 2.1.6 資料外洩之細部統計 14 2.1.7 資料外洩的損失 16 2.1.8 資料外洩事件之分區 17 2.1.9 資料外洩案例 18 2.2 資訊勒索 19 2.2.1 曾出現的勒索軟體 20 2.2.2 資訊勒索的嚴重性 21 2.2.3 資訊勒索紀錄 22 2.2.4 資訊勒索細部統計 23 2.2.4 資訊勒索案例 25 2.3 拒絕服務攻擊 26 2.3.1 拒絕服務攻擊類型 26 2.3.2 流量拒絕服務攻擊強度 27 2.3.3 拒絕服務攻擊造成之網路中斷嚴重性 27 2.3.4 拒絕服務攻擊之細部統計 28 2.3.5 拒絕服務攻擊案例 29 2.4 多層次破壞 30 2.4.1 資訊縱火 31 2.4.2 公用事業失效 35 2.4.3 雲端服務失效 41 2.4.3 拒絕運輸攻擊 45 2.5 資金傳輸系統遭攻破 47 第三章 研究方法與工具 50 3.1 FAIR 51 3.1.1名詞解釋 51 3.1.2 損失類型 55 3.1.3 威脅社群與側寫 56 3.1.4 實作流程 57 3.1.5 注意事項 60 3.2 依經驗與FAIR手冊建議界定數值 61 3.2.1 PoA與Diff 61 3.2.2 CF與TCap 61 3.2.3 應變成本參數設置 62 3.2.4 名譽與法務損失所佔收益比 62 3.3 NIST之資安框架,供投保企業自評Diff值 63 3.4 FAIR之運算軟體介紹 68 3.4.1 Open Group之運算用XML檔 68 3.4.2 台灣風險管理公司之FAIR運算軟體 70 3.4.3 蒙地卡羅法 74 第四章 研究結果 75 4.1 各產業遭遇各種資安事件時之損失型態可能性 75 4.1.1 遭遇資料外洩與資訊勒索事件時之損失型態可能性 75 4.1.2 遭遇拒絕服務攻擊事件時之損失型態可能性 77 4.1.3 遭遇多層次破壞事件 79 4.2 醫院各項損失之幅度 80 4.3 醫院以NIST資安框架自評結果換算得之Diff值 82 4.4 輸入FAIR軟體獲得風險值 83 4.4.1 Open Group提供之XML檔輸出結果 83 4.4.2 台灣風險管理公司之軟體輸出結果 85 4.5 由軟體輸出結果估算保費 87 第五章 結論與建議 88 5.1 結論 88 5.2 建議 89

    2017 Cyber Risk Landscape, p.12, Risk Management Solutions, Inc.

    https://tw.appledaily.com/international/20210508/Q2FQQ6KCWRHX5KDRH23BZQHF6A/

    https://udn.com/news/story/6811/5450840

    2017 Cyber Risk Landscape, p.20, Risk Management Solutions, Inc.

    https://ec.ltn.com.tw/article/paper/1444465

    A Guide to Cyber Risk, p.4, Allianz Global Corporate & Specialty

    A Guide to Cyber Risk, p.7, Allianz Global Corporate & Specialty

    Cyber Risk Outlook, Risk Management Solutions, Inc., p.31

    A Guide to Cyber Risk, p.5, Allianz Global Corporate & Specialty

    Sasha Romanosky, Lillian Ablon, Andreas Kuehn and Therese Jones, ”Content analysis of cyber insurance policies: how do carriers price cyber risk?”, Journal of Cybersecurity, Vol. 5, No. 1, p.2, RAND Corporation, 2019

    https://www.cna.com.tw/news/afe/201909140070.aspx

    Sasha Romanosky, Lillian Ablon, Andreas Kuehn and Therese Jones, ”Content analysis of cyber insurance policies: how do carriers price cyber risk?”, Journal of Cybersecurity, Vol. 5, No. 1, p.13, RAND Corporation, 2019

    https://qualitestgroup.com/insights/white-paper/data-breach-patterns-across-industries-and-time

    https://www.hipaajournal.com/healthcare-data-breach-statistics/

    https://www.taiwannews.com.tw/ch/news/2364722

    https://news.ltn.com.tw/news/life/breakingnews/2550469

    https://www.ithome.com.tw/news/144606

    Managing Cyber Insurance Accumulation Risk, p.18, Risk Management Solutions, Inc.

    Managing Cyber Insurance Accumulation Risk, p.14, Risk Management Solutions, Inc.

    https://law.moj.gov.tw/LawClass/LawAll.aspx?pcode=J0140003

    https://www.nhi.gov.tw/DL.aspx?sitessn=292&u=LzAwMS9VcGxvYWQvMjkyL3JlbGZpbGUvMC8xNDU5NTkv5o%2bQ5aCxMTA45bm06LKh5YuZ5aCx5ZGK6Yar6Zmi6Yar55mC5pyN5YuZ55Sz5aCx5oOF5b2iLeWFqOeQg%2bizh%2bioiue2suS4iue2si5vZHM%3d&n=5o%2bQ5aCxMTA45bm06LKh5YuZ5aCx5ZGK6Yar6Zmi6Yar55mC5pyN5YuZ55Sz5aCx5oOF5b2iLeWFqOeQg%2bizh%2bioiue2suS4iue2si5vZHM%3d&ico%20=.ods

    Managing Cyber Insurance Accumulation Risk, p.25, Risk Management Solutions, Inc.

    Managing Cyber Insurance Accumulation Risk, p.26, Risk Management Solutions, Inc.

    Managing Cyber Insurance Accumulation Risk, p.27, Risk Management Solutions, Inc.

    Benjamin Edwards, Steven Hofmeyr and Stephanie Forrest, ” Hype and heavy tails: A closer look at data breaches”, Journal of Cybersecurity, Vol. 2, No. 1, RAND Corporation, 2016

    Managing Cyber Insurance Accumulation Risk, p.30, Risk Management Solutions, Inc.

    Guidelines 01/2021 on Examples regarding Data Breach Notification, European Data Protection Board

    2021 Data Breach Investigations Report (DBIR), Verison
    https://www.ithome.com.tw/news/105160

    Managing Cyber Insurance Accumulation Risk, p.52~ p.58, Risk Management Solutions, Inc.

    The state of ransomware 2020, Sophos

    https://www.ithome.com.tw/news/143958

    https://www.bleepingcomputer.com/news/security/revil-gang-tries-to-extort-apple-threatens-to-sell-stolen-blueprints/

    Managing Cyber Insurance Accumulation Risk, p.33~p.37, Risk Management Solutions, Inc.

    Quarterly DDoS Attack Report, Radware

    https://www.f5.com/labs/articles/threat-intelligence/ddos-attack-trends-for-2020

    https://www.eweek.com/security/sony-data-breach-was-camouflaged-by-anonymous-ddos-attack/

    https://www.pcmag.com/archive/playstation-hack-to-cost-sony-171m-quake-costs-far-higher-264796

    https://www.ithome.com.tw/node/68865

    https://arstechnica.com/gadgets/2011/07/how-charlie-miller-discovered-the-apple-battery-hackhow-a-security-researcher-discovered-the-apple-battery-hack/

    https://gizmodo.com/new-hack-can-trick-power-bricks-into-starting-fires-1844441247

    https://zh.wikipedia.org/wiki/%E9%9C%87%E7%BD%91

    https://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of-cyberattacks-against-iran.html

    https://ithelp.ithome.com.tw/articles/10186904

    https://en.wikipedia.org/wiki/Operation_Chastise
    https://en.wikipedia.org/wiki/Hwacheon_Dam

    https://en.wikipedia.org/wiki/Attack_on_the_Sui-ho_Dam

    https://www.itsfun.com.tw/%E7%9F%B3%E5%A2%A8%E7%82%B8%E5%BD%88/wiki-7655216-7562195

    https://www.techbang.com/posts/42951-ukraines-power-system-has-been-hit-by-phishing-and-discussions-about-how-to-strengthen-security

    https://www.ithome.com.tw/news/114880

    https://www.ithome.com.tw/news/142702

    https://www.ithome.com.tw/news/142729

    https://www.ithome.com.tw/news/138971

    https://www.ithome.com.tw/news/144276

    Managing Cyber Insurance Accumulation Risk, p.40~ p.43, Risk Management Solutions, Inc.

    https://blog.trendmicro.com.tw/?p=55029

    https://nos.nl/artikel/2343025-nederlandse-onderzoekers-manipuleren-verkeerslichten-met-virtuele-fietsers

    https://www.hk01.com/%E4%B8%AD%E5%9C%8B/34570/%E8%B6%8A%E5%8D%97%E6%A9%9F%E5%A0%B4%E7%96%91%E9%81%AD%E8%8F%AF%E9%BB%91%E5%AE%A2%E5%85%A5%E4%BE%B5-%E8%88%AA%E7%8F%AD%E8%B3%87%E6%96%99%E8%AE%8A-%E5%8D%97%E6%B5%B7%E6%98%AF%E4%B8%AD%E5%9C%8B%E7%9A%84?fbclid=IwAR3VzEaslA73NXA7x-V_3ghIodql8iE3W2wTjFTRV8fawlEkAlfu_FTvOBo

    https://www.zdnet.com/article/iran-reports-failed-cyber-attack-on-strait-of-hormuz-port/

    https://news.ltn.com.tw/news/world/breakingnews/3618540

    http://www.tssdnews.com.tw/index.php?FID=9&CID=571695

    Managing Cyber Insurance Accumulation Risk, p.46~ p.48, Risk Management Solutions, Inc.

    Managing Cyber Insurance Accumulation Risk, p.49, Risk Management Solutions, Inc.

    https://www.opengroup.org/forum/security-forum-0/openFAIRandquantitativerisk

    QR CODE
    :::