中国安全科学学报 ›› 2023, Vol. 33 ›› Issue (2): 38-47.doi: 10.16265/j.cnki.issn1003-3033.2023.02.0412

• 安全社会科学与安全管理 • 上一篇    下一篇

基于FTA-BN的云ERP不安全事件的人因失误分析

张冰鉴1,2,3(), 苏秦1,2,3, 刘海龙1,2,3   

  1. 1 西安交通大学 管理学院,陕西 西安 710049
    2 机械制造系统工程国家重点实验室,陕西 西安 710049
    3 过程控制与效率工程教育部重点实验室,陕西 西安 710049
  • 收稿日期:2022-09-20 修回日期:2022-12-10 出版日期:2023-02-28
  • 作者简介:

    张冰鉴 (1998—),女,安徽六安人,硕士研究生,研究方向为信息安全管理。E-mail:

    苏秦,教授

  • 基金资助:
    国家重点研发计划(2019YFB1704100)

Human error analysis for unsafe events of cloud ERP based on FTA-BN

ZHANG Bingjian1,2,3(), SU Qin1,2,3, LIU Hailong1,2,3   

  1. 1 School of Management, Xi'an Jiaotong University Xi'an Shaanxi 710049, China
    2 State Key Laboratory For Manufacturing System Engineering, Xi'an Shaanxi 710049, China
    3 Key Laboratory of Process Control & Efficiency Engineering, Xi'an Shaanxi 710049, China
  • Received:2022-09-20 Revised:2022-12-10 Published:2023-02-28

摘要:

为明确云企业资源计划(ERP)不安全事件的人因失误因素,构建基于故障树分析-贝叶斯网络(FTA-BN)的人因失误分析模型,以避免单一方法的局限性。首先,对云ERP安全审计记录披露的不安全事件进行分类和追因分析,构建云ERP不安全事件故障树,并定量分析最小割集、结构重要度;然后,将故障树映射为BN结构,利用案例数据进行结构学习和参数学习得到最终的贝叶斯网络;最后,依托贝叶斯网络的敏感性分析辨识关键人因失误因素,凭借预测推理计算发生不安全事件的概率。研究结果表明:云ERP安全人因失误因素中工作不到位、培训不足、资源分配不足、管理流程存在问题、职责不清等因素在对应的事件域中应得到重点关注,以保障持续安全。

关键词: 云企业资源计划(ERP), 人因失误, 不安全事件, 故障树分析(FTA), 贝叶斯网络(BN)

Abstract:

In order to figure out the human error factors of unsafe events of cloud ERP, a human error analysis model based on FTA-BN was constructed, which could avoid the limitations of a single method. Firstly, the unsafe events which were disclosed by security audit records of cloud ERP were classified and the causes of these events were analyzed, then the fault tree of unsafe events of cloud ERP was constructed. Moreover, the quantitative analysis of the minimum cut and structure importance were carried on according to the fault tree. Then the fault tree was mapped to BN structure. Based on case data, the final BN was obtained by structure learning and parameter learning. Furthermore, the probability of unsafe events was predicted by predictive reasoning and the critical human error factors were identified by sensitivity analysis. The results show that the key human error factors include inadequate work, insufficient training, insufficient resource, unclear responsibility and problems in the management process, so major efforts should be made on them to ensure sustainable security.

Key words: cloud enterprise resource planning(ERP), human error, unsafe events, fault tree analysis(FTA), Bayesian network(BN)