Abstract

In recent years, information systems in telecommunication enterprises have been characterised by expanding boundaries and a growing number of departmental-level applications. These changes increase the complexity of security evaluation and pose new challenges to enterprise information security. Taking into account the behavioural characteristics of system users, we put forward a system security evaluation approach based on access paths. This approach can help evaluators and users find potential security risks without having to determine the system boundary explicitly. It places no special requirements on system scale and can be used to evaluate both enterprise-level and departmental-level systems. This paper also presents the formal definition of an access path and the related evaluation rules.