| Security assessment of information system can accelerate the construction of information assurance architecture and improve systemic protection,it develops from only concentrating on technology to accenting on both technology and management,from host or network evaluation to assessment of information system,from assessment with one attribute to many attributes.Now,it is carried a step further.This paper focuses on risk assessment of information system.First,it discriminates between glossaries,methodizes developments of risk assessment,summ -arizes correlative methods and models,points out existing problems and trend of risk assessment.Second,aiming at dealing with penetrating test result,it brings forth metrics of risk based on components. In combination with computer forensics and models of privilege escalation,it explores fuzzy metrics of vulnerability and other risk factors and promotes synthetic analyzing model of risk based on threat components.Thirdly,it designs framework of risk assessment software and realizes some algorithm.The software may provide risk level and rank of testing objects through analysis of risk on penetrating test result.At last,it verifies the algorithm with actual experimental data,compares reliability between methods and summarizes advantages, faults and places need to be improved. |
PDF Full Text Request