  • 章秀, 刘宝旭, 龚晓锐, 于冬松, 赵蓓蓓, 刘媛. Establishing a Comprehensive Evaluation Model for the Competency Assessment of Pentesting Cybersecurity Talents [J]. Journal of Cyber Security (信息安全学报), 2024, 9(6): 172-207
  • ZHANG Xiu, LIU Baoxu, GONG Xiaorui, YU Dongsong, ZHAO Beibei, LIU Yuan. Establishing a Comprehensive Evaluation Model for the Competency Assessment of Pentesting Cybersecurity Talents [J]. Journal of Cyber Security, 2024, 9(6): 172-207
Establishing a Comprehensive Evaluation Model for the Competency Assessment of Pentesting Cybersecurity Talents
ZHANG Xiu (章秀)1,2, LIU Baoxu (刘宝旭)1,2, GONG Xiaorui (龚晓锐)1,2, YU Dongsong (于冬松)1,2, ZHAO Beibei (赵蓓蓓)1,2, LIU Yuan (刘媛)1,2
(1. Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China; 2. School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049, China)
A "ruler" with which to measure talent is indispensable for cultivating and selecting it. Taking CVSS as an example, a highly operable evaluation model cannot be merely an abstract way of thinking; it needs six essential elements: criteria, weights, a method that maps each criterion to a numerical value, a computational formula, a score, and a rating. Prior models lack these elements to varying degrees. Therefore, through multiple rounds of questionnaire surveys, this paper applies several qualitative and quantitative evaluation methods to establish a comprehensive evaluation model with the above six elements for the competency assessment of pentesting cybersecurity talents, named CEMoPT. First, we derived the criterion structure and definitions by combining a literature review with the Delphi method. Then, we applied the analytic hierarchy process, the entropy weight method, and the combination weighting method to obtain the weights of the criteria. Next, we designed a method of labeling tasks based on a membership matrix to map each criterion to a numerical value. Finally, the score and rating were calculated with the computational formula of the fuzzy comprehensive evaluation method. We designed an online questionnaire, recruited 72 subject matter experts, reviewed the six essential elements of CEMoPT in turn, strictly followed the constraints of a stability measure and a consensus measure, and ran at most 4 rounds of iteration. In CEMoPT, the criteria consist of 5 basic metric groups and 18 criterion items. The weight is a combination weight, a compromise between the subjective weight and the objective weight. The membership matrix is the core of the mathematical formula. Based on the score, the rating is divided into 5 levels: novice, apprentice, journeyman, expert, and master. The reliability of CEMoPT was verified by a comparative experiment. To ensure the validity of CEMoPT, the research process strictly followed the many constraints required by scientific methods.
Key words: pentesting cybersecurity talents; comprehensive evaluation model; Delphi method; analytic hierarchy process; entropy weight method; combination weighting method; fuzzy comprehensive evaluation
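As an added illustration, not code from the paper (which this page does not reproduce), the following Python sketch shows how the pipeline named in the abstract fits together: subjective weights from an AHP pairwise comparison matrix with Saaty's consistency-ratio check, objective weights from the entropy weight method, a linear combination of the two, and a fuzzy comprehensive evaluation that multiplies the combined weights into a membership matrix to obtain a score and one of the five ratings. The three-criterion pairwise matrix, the candidate score table, the membership matrix, the level scores, the 0.5 combination coefficient and the rating cut-offs are all constructed for the example; CEMoPT's own 18 criteria, weights, formula and thresholds are not on this page and are not reproduced here.

```python
from math import log, prod

# Rating levels named in the abstract. The numeric score attached to each
# level and the cut-offs between levels are constructed, not the paper's.
LEVELS = ["novice", "apprentice", "journeyman", "expert", "master"]
LEVEL_SCORES = [1, 2, 3, 4, 5]
RATING_CUTOFFS = [1.5, 2.5, 3.5, 4.5]

# Saaty's random consistency index for pairwise matrices of order 1..9.
RANDOM_INDEX = [0.0, 0.0, 0.58, 0.90, 1.12, 1.24, 1.32, 1.41, 1.45]


def ahp_weights(pairwise):
    """Subjective weights from an AHP pairwise comparison matrix, using the
    row geometric-mean approximation of the principal eigenvector."""
    n = len(pairwise)
    gm = [prod(row) ** (1.0 / n) for row in pairwise]
    total = sum(gm)
    return [g / total for g in gm]


def consistency_ratio(pairwise, weights):
    """CR = CI / RI. Expert judgements are conventionally accepted only if
    CR < 0.1; a higher value means the pairwise answers contradict each other."""
    n = len(pairwise)
    if n < 3:
        return 0.0
    aw = [sum(a * w for a, w in zip(row, weights)) for row in pairwise]
    lambda_max = sum(x / w for x, w in zip(aw, weights)) / n
    ci = (lambda_max - n) / (n - 1)
    return ci / RANDOM_INDEX[n - 1]


def entropy_weights(scores):
    """Objective weights from a samples x criteria table of non-negative
    benefit scores (entropy weight method): the more a criterion's values
    vary across samples, the more weight it receives."""
    m, n = len(scores), len(scores[0])
    k = 1.0 / log(m)
    divergence = []
    for j in range(n):
        col = [row[j] for row in scores]
        total = sum(col)
        p = [v / total for v in col]
        e = -k * sum(pj * log(pj) for pj in p if pj > 0)
        divergence.append(max(1.0 - e, 0.0))  # clamp floating-point noise at 0
    total = sum(divergence)
    if total == 0:
        return [1.0 / n] * n  # no criterion discriminates: fall back to uniform
    return [d / total for d in divergence]


def combine_weights(subjective, objective, alpha=0.5):
    """Combination weight as a linear compromise; alpha = 0.5 is constructed."""
    return [alpha * s + (1.0 - alpha) * o for s, o in zip(subjective, objective)]


def fuzzy_evaluate(weights, membership):
    """Fuzzy comprehensive evaluation: B = W . R, normalised, then the score
    is the expected level score under B. Row i of `membership` holds the
    degree to which criterion i belongs to each of the five levels."""
    n_levels = len(membership[0])
    b = [sum(w * row[k] for w, row in zip(weights, membership)) for k in range(n_levels)]
    total = sum(b)
    b = [x / total for x in b]
    score = sum(bk * sk for bk, sk in zip(b, LEVEL_SCORES))
    return b, score


def rating(score):
    """Map a score to a level using the constructed cut-offs."""
    for cut, name in zip(RATING_CUTOFFS, LEVELS):
        if score < cut:
            return name
    return LEVELS[-1]


# --- constructed inputs for three criteria (the paper uses 18) ---
PAIRWISE = [[1, 2, 4], [1 / 2, 1, 2], [1 / 4, 1 / 2, 1]]  # one expert's judgement
SAMPLE_SCORES = [[1, 1, 1], [1, 0, 1], [1, 0, 0], [1, 0, 0]]  # 4 candidates x 3 tasks
MEMBERSHIP = [  # one candidate's degree of membership in each level, per criterion
    [0.0, 0.0, 0.5, 0.5, 0.0],
    [0.0, 0.2, 0.6, 0.2, 0.0],
    [0.0, 0.0, 0.0, 0.4, 0.6],
]


def evaluate_candidate(pairwise=PAIRWISE, sample_scores=SAMPLE_SCORES, membership=MEMBERSHIP):
    """Run the whole pipeline and refuse inconsistent expert judgements."""
    subj = ahp_weights(pairwise)
    if consistency_ratio(pairwise, subj) >= 0.1:
        raise ValueError("pairwise judgements are inconsistent; revisit the Delphi round")
    obj = entropy_weights(sample_scores)
    w = combine_weights(subj, obj)
    b, score = fuzzy_evaluate(w, membership)
    return {"weights": w, "membership_vector": b, "score": score, "rating": rating(score)}


if __name__ == "__main__":
    print(evaluate_candidate())
```

With these inputs the first criterion gets no entropy weight because every candidate scored the same on it, so the combined weight for it comes entirely from the expert side; the resulting score of 74/21 sits just above the constructed 3.5 cut-off and lands in "expert". The consistency check matters in practice: without it, a contradictory pairwise matrix still yields a weight vector, and the downstream score looks just as authoritative.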