尊敬的参与者:
本问卷旨在对民航信息系统(Civil Aviation Information Systems, CAIS)风险评估中的24项初始指标 进行筛选与优化。问卷结果将用于后续正式指标体系的构建,并为风险评估模型的权重确定与模糊建模提供基础支持。24 initial indicators used in the risk assessment of Civil Aviation Information Systems (CAIS). The results will be used to construct the formal indicator system and support subsequent weighting and fuzzy risk modeling.
本研究仅用于学术研究,所有数据将匿名处理,不涉及任何个人身份识别。
预计填写时间约为 10–15 分钟 。
The estimated completion time is
10–15 minutes .
1. 请确认 Please confirm: 我已了解本研究目的,并同意参与本问卷 / I understand the purpose of this study and agree to participate
2. 您的岗位/职务是?What is your position or role? 信息系统运维 IT Operations 技术人员 Technical Staff 网络安全管理 Cybersecurity Management 安全监测/应急响应 Security Monitoring or Incident Response 风险评估/合规审计 Risk Assessment or Compliance Auditor 系统架构/技术支持 System Architect or Technical Support IT/网络安全服务供应商 IT/Security Service Provider 管理或决策层 Management or Decision-Maker 其他: ________
3. 您所在单位类型是?What type of organization do you work for? 机场 Airport 航空公司 Airline 空管单位 Air Traffic Control Organization 民航监管机构 Civil Aviation Authority IT或网络安全服务机构 IT or Cybersecurity Service Provider 其他 Other: ________
4. 您从事相关工作的年限为?How many years of relevant work experience do you have? 1年以下 Less than 1 year 1–3年 1–3 years 4–6年 4–6 years 7–10年 7–10 years 10年以上 more than 10 years
5. 您是否参与过以下工作?(可多选)Have you participated in the following activities? (Multiple choice) 网络安全监测 Cybersecurity Monitoring 风险评估 Risk Assessment 漏洞管理 Vulnerability Management 安全事件响应 Security Incident Response 系统运维 System Operations and Maintenance 合规审计 Compliance Audit 安全治理或制度建设 Security Governance or Policy Design 无 None
6. 您对民航信息系统网络安全风险的熟悉程度如何?How familiar are you with CAIS cybersecurity risks? 非常不熟悉 Very unfamiliar 不熟悉 Unfamiliar 一般 Neutral 熟悉 Familiar 非常熟悉 Very familiar
请根据您的专业经验,对以下 24 项初始指标进行评价。
每项指标均需从以下三个维度进行评分:
相关性(Relevance) :该指标与民航信息系统风险的关联程度Relevance : The extent to which this indicator is relevant to CAIS risk 可观测性(Observability) :该指标是否容易被识别、记录或测量Observability : The extent to which this indicator can be observed, identified, or measured 可操作性(Practicality) :该指标是否适合纳入正式风险评估模型Practicality : The extent to which this indicator is suitable for inclusion in the formal risk assessment model 请按 1–5 分进行评价,其中 1=非常低 / Very Low,5=非常高 / Very High。以下评分按“矩阵题”形式分模块呈现,分别对三个维度进行打分。Please rate on a scale of 1–5, where 1 = Very Low and 5 = Very High. The ratings below are presented in a matrix format, with scores given for each of the three dimensions.维度 / Dimension
模块1:威胁暴露类指标 / Module 1: Threat Exposure Indicators 7. 相关性 / Relevance
该指标与民航信息系统风险的关联程度 / The extent to which this indicator is relevant to CAIS risk。
T1 网络扫描与侦察 / Network Scanning and Reconnaissance
T2 拒绝服务与流量压力 / Denial-of-Service and Traffic Pressure
T3 未授权访问与凭证滥用 / Unauthorized Access and Credential Abuse
T4 恶意软件与僵尸网络活动 / Malware and Botnet Activity
T5 漏洞利用尝试强度 / Exploit Attempt Intensity
T6 攻击多样性与持续性 / Attack Diversity and Persistence
8. 可观测性 / Observability
该指标是否容易被识别、记录或测量 / The extent to which this indicator can be observed, identified, or measured。
T1 网络扫描与侦察 / Network Scanning and Reconnaissance
T2 拒绝服务与流量压力 / Denial-of-Service and Traffic Pressure
T3 未授权访问与凭证滥用 / Unauthorized Access and Credential Abuse
T4 恶意软件与僵尸网络活动 / Malware and Botnet Activity
T5 漏洞利用尝试强度 / Exploit Attempt Intensity
T6 攻击多样性与持续性 / Attack Diversity and Persistence
9. 可操作性 / Practicality
该指标是否适合纳入正式风险评估模型 / The extent to which this indicator is suitable for inclusion in the formal risk assessment model。
T1 网络扫描与侦察 / Network Scanning and Reconnaissance
T2 拒绝服务与流量压力 / Denial-of-Service and Traffic Pressure
T3 未授权访问与凭证滥用 / Unauthorized Access and Credential Abuse
T4 恶意软件与僵尸网络活动 / Malware and Botnet Activity
T5 漏洞利用尝试强度 / Exploit Attempt Intensity
T6 攻击多样性与持续性 / Attack Diversity and Persistence
模块2:脆弱性类指标 / Module 2: Vulnerability Indicators 10. 相关性 / Relevance
该指标与民航信息系统风险的关联程度 / The extent to which this indicator is relevant to CAIS risk。
V1 漏洞严重性基线 / Vulnerability Severity Baseline
V2 暴露服务的可利用性 / Exploitability of Exposed Services
V3 补丁与修复延迟 / Patch and Remediation Delay
V4 配置与加固薄弱性 / Configuration and Hardening Weakness
V5 身份与访问控制薄弱性 / Identity and Access Control Weakness
V6 监测与检测盲区 / Monitoring and Detection Blind Spots
11. 可观测性 / Observability
该指标是否容易被识别、记录或测量 / The extent to which this indicator can be observed, identified, or measured。
V1 漏洞严重性基线 / Vulnerability Severity Baseline
V2 暴露服务的可利用性 / Exploitability of Exposed Services
V3 补丁与修复延迟 / Patch and Remediation Delay
V4 配置与加固薄弱性 / Configuration and Hardening Weakness
V5 身份与访问控制薄弱性 / Identity and Access Control Weakness
V6 监测与检测盲区 / Monitoring and Detection Blind Spots
12. 可操作性 / Practicality
该指标是否适合纳入正式风险评估模型 / The extent to which this indicator is suitable for inclusion in the formal risk assessment model。
V1 漏洞严重性基线 / Vulnerability Severity Baseline
V2 暴露服务的可利用性 / Exploitability of Exposed Services
V3 补丁与修复延迟 / Patch and Remediation Delay
V4 配置与加固薄弱性 / Configuration and Hardening Weakness
V5 身份与访问控制薄弱性 / Identity and Access Control Weakness
V6 监测与检测盲区 / Monitoring and Detection Blind Spots
模块3:运行后果类指标 / Module 3: Operational Consequence Indicators 13. 相关性 / Relevance
该指标与民航信息系统风险的关联程度 / The extent to which this indicator is relevant to CAIS risk。
O1 子系统关键性 / Subsystem Criticality
O2 依赖传播潜力 / Dependency Propagation Potential
O3 业务连续性影响 / Business Continuity Impact
O4 数据与信息完整性影响 / Data and Information Integrity Impact
O5 服务可用性影响 / Service Availability Impact
O6 物理与环境支撑风险 / Physical and Environmental Support Risk
14. 可观测性 / Observability
该指标是否容易被识别、记录或测量 / The extent to which this indicator can be observed, identified, or measured。
O1 子系统关键性 / Subsystem Criticality
O2 依赖传播潜力 / Dependency Propagation Potential
O3 业务连续性影响 / Business Continuity Impact
O4 数据与信息完整性影响 / Data and Information Integrity Impact
O5 服务可用性影响 / Service Availability Impact
O6 物理与环境支撑风险 / Physical and Environmental Support Risk
15. 可操作性 / Practicality
该指标是否适合纳入正式风险评估模型 / The extent to which this indicator is suitable for inclusion in the formal risk assessment model。
O1 子系统关键性 / Subsystem Criticality
O2 依赖传播潜力 / Dependency Propagation Potential
O3 业务连续性影响 / Business Continuity Impact
O4 数据与信息完整性影响 / Data and Information Integrity Impact
O5 服务可用性影响 / Service Availability Impact
O6 物理与环境支撑风险 / Physical and Environmental Support Risk
模块4:合规与治理类指标 / Module 4: Compliance and Governance Indicators 16. 相关性 / Relevance
该指标与民航信息系统风险的关联程度 / The extent to which this indicator is relevant to CAIS risk。
O7 人员与流程失误暴露 / Human and Process Error Exposure
C1 监管合规重要性 / Regulatory Compliance Importance
C2 治理与政策成熟度 / Governance and Policy Maturity
C3 事件响应能力 / Incident Response Capability
C4 恢复与韧性能力 / Recovery and Resilience Capability
C5 安全意识与组织准备度 / Security Awareness and Organizational Readiness
17. 可观测性 / Observability
该指标是否容易被识别、记录或测量 / The extent to which this indicator can be observed, identified, or measured。
O7 人员与流程失误暴露 / Human and Process Error Exposure
C1 监管合规重要性 / Regulatory Compliance Importance
C2 治理与政策成熟度 / Governance and Policy Maturity
C3 事件响应能力 / Incident Response Capability
C4 恢复与韧性能力 / Recovery and Resilience Capability
C5 安全意识与组织准备度 / Security Awareness and Organizational Readiness
18. 可操作性 / Practicality
O7 人员与流程失误暴露 / Human and Process Error Exposure
C1 监管合规重要性 / Regulatory Compliance Importance
C2 治理与政策成熟度 / Governance and Policy Maturity
C3 事件响应能力 / Incident Response Capability
C4 恢复与韧性能力 / Recovery and Resilience Capability
C5 安全意识与组织准备度 / Security Awareness and Organizational Readiness
19. 在上述 24 项初始指标中,您认为哪些指标可以进一步合并?请说明原因。Among the 24 initial indicators above, which indicators do you think could be further merged? Please explain why。
20. 您认为是否有某些指标不适合作为正式风险评估指标?请说明原因。Do you think any indicators are unsuitable for inclusion in the formal risk assessment model? Please explain why。
21. 您认为是否存在尚未纳入的重要风险指标?请提出建议。Are there any important risk indicators missing from the current list? Please provide your suggestions。