NCU Institutional Repository (theses and dissertations, past exam papers, journal articles, research projects, and more available for download): Item 987654321/86536


    Please use this identifier to cite or link to this item: http://ir.lib.ncu.edu.tw/handle/987654321/86536


    Title: Applying Threat Modeling Method in New Product Development and Design: A Case Study of Z Company
    Authors: 喬聖英; Chiao, Sheng-Ying
    Contributors: Executive Master Program, Department of Information Management
    Keywords: Information Security; Threat Modeling; Project Management; CVSS
    Date: 2021-07-14
    Issue Date: 2021-12-07 12:56:59 (UTC+8)
    Publisher: National Central University
    Abstract: The importance of information security has risen rapidly in recent years, to the point that information security is treated as almost equivalent to national security. The overall output value of the information security industry has also grown substantially. The continued development of the Internet of Things, artificial intelligence, and Industry 4.0 has promoted diversified combinations across the information industry and the network ecosystem, but it has also introduced more unknown and potential risks to information security.

    Past research on information security has mostly focused on software applications or network-related issues, and many protection technologies are concentrated in the same areas. A careful study of several of these research theories reveals that the protections are largely external ones added from outside; the products or services themselves are rarely hardened effectively. This later gave rise to the Microsoft-led Security Development Lifecycle, which emphasizes that security should begin with the development of the software itself. It also inspired this research to ask whether the same theory could be introduced into hardware design. Security should not be limited to software; it should also be built into product hardware, so as to raise the overall security level of the product in use.

    This thesis combines threat modeling from the Security Development Lifecycle with risk management theory from project management and introduces them into the product development process, using the Common Vulnerability Scoring System (CVSS) as the reference for assessing project risk. Applied to the case company's project development process, this threat modeling successfully identified 34 threats in the early phases of project development. Identifying these threats and organizing their solutions accordingly helps the project team prioritize follow-up actions and evaluate their effectiveness. The STRIDE classification principle from threat modeling was used to classify the threats with risk assessments, and corresponding solutions and mitigation plans were drawn up, applying academic theories and concepts to a practical information security problem.

    Keywords: Information Security, Threat Modeling, Project Management, CVSS
    Appears in Collections:[Executive Master of Information Management] Electronic Thesis & Dissertation


    All items in NCUIR are protected by copyright, with all rights reserved.
