
Study On Information Security Risk Metrics Based On Business Process

Posted on: 2013-01-03
Degree: Doctor
Type: Dissertation
Country: China
Candidate: Z M Gao
Full Text: PDF
GTID: 1118330371459339
Subject: Computer application technology

Abstract/Summary:
With the gradual development of information security research, some prominent and important issues arise for every information security control: 1) How strong is the protection? 2) How is the influence on business applications evaluated? 3) How is the effect accurately measured? An information security risk (ISR) metrics method based on business process is proposed, in order to address the following two problems in the ISR assessment field.

(1) How to establish an information security risk metrics method by which the protection effect on business can be directly calculated, to some degree. In this paper, the protection effect on business is focused on business process turnover time, an important index of business goals that shows whether the underpinning information system provides its service in time and effectively.

(2) How to effectively exploit the ISR assessment result to choose security policies with an appropriate degree of security.

This paper mainly includes:

(1) Recursive analysis of vulnerabilities successfully exploited by a potential attacker. Whether an information security risk occurs or not depends on a threat's exploitation of vulnerabilities. The following problems are discussed for the complicated relationship between threat and vulnerability:
a. The possible paths by which a given threat agent exercises a potential vulnerability are calculated using the network topology;
b. The process and result of a threat's exercise of a vulnerability are researched recursively, introducing the two concepts of component controllable degree and available degree.

(2) Impact on the business process caused by a threat's utilization of a vulnerability. A threat's successful utilization of a vulnerability can change the running state of the threat target (that is, an IT asset, called a node of the threat path). The basic unit of a business process is a business activity. The running states of a business activity, linked to the running state of the node, constitute a finite state machine. In this article, the calculation of the impact on business caused by a threat's successful utilization of a vulnerability is transformed into research on the relationship between the states of nodes and the states of business activities, by relating the states of a node to the finite state machine of a business activity.

(3) Risk calculation based on business process. The purpose of information security is to ensure safe and effective operation of the business, for which the business process turnover time is an important performance index of business handling capacity. Hence, the business process turnover time is regarded as the metrics base of the risk influence. The state change of a business activity is the critical factor that changes the business process turnover time. By establishing the relation between node states and the finite state machine of the business activity, the ISA calculation is eventually converted into solving for the change of the process turnover time.

(4) Security policy decision model based on risk metrics. A formal security policy decision model is established for a single business process by taking the measurement result of the proposed ISA metrics method as the decision standard for security policy. Within a given residual risk value, the minimum number of security policies required can be calculated.

(5) Evaluation method for information security evaluation. How is suitability for the current security requirements evaluated when confronted with numerous information security evaluation methods and modes? Five factors (evaluation standard, business concern degree, metrics base, evaluation result and procedure assurance) are taken as evaluation indices for information security evaluation methods.
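The following is an added toy illustration of the ideas in items (1) to (4) above; it is not the dissertation's model and none of its data comes from the thesis. It assumes a constructed network topology over which threat paths are enumerated, a constructed sequential business process whose activities each depend on one IT-asset node, an assumed finite state machine that maps a node's running state (normal, degraded, compromised) to an activity state with a duration multiplier (a blocked activity is charged an assumed fixed penalty), turnover time as the metric base so that risk is the increase in turnover time over the all-normal baseline, and a constructed set of security policies from which the smallest set keeping residual risk within a bound is found by exhaustive search. Every name, duration, multiplier and policy is an assumption chosen for the example.

```python
"""Added illustration (not the dissertation's model): threat paths over a
topology, a node-state -> activity-state finite state machine, turnover time
as the risk metric, and the smallest policy set that keeps residual risk
within a bound.  All data below is constructed for the example."""
from itertools import combinations

# Assumed node (IT asset) running states, ordered by severity.
SEVERITY = {"normal": 0, "degraded": 1, "compromised": 2}

# Assumed finite state machine: an activity's state is determined by the state
# of the node it runs on; each activity state scales the nominal duration.
# "blocked" has no multiplier because the activity cannot complete.
ACTIVITY_FSM = {
    "normal": ("running", 1.0),
    "degraded": ("slow", 2.5),
    "compromised": ("blocked", None),
}
BLOCKED_PENALTY = 1000.0  # assumed time cost of an activity that cannot complete

# Constructed sequential business process: (activity, nominal hours, node).
PROCESS = [
    ("receive_order", 1.0, "web_frontend"),
    ("check_credit", 2.0, "db_server"),
    ("ship", 4.0, "warehouse_app"),
]

# Constructed network topology: directed reachability between assets.
TOPOLOGY = {
    "internet": ["web_frontend"],
    "web_frontend": ["db_server", "warehouse_app"],
    "db_server": ["warehouse_app"],
    "warehouse_app": [],
}

# Constructed security policies: each restores the listed nodes to at most the
# given severity (a policy never makes a node worse than it already is).
POLICIES = {
    "patch_frontend": {"web_frontend": "normal"},
    "segment_db": {"db_server": "degraded"},
    "restore_db_backup": {"db_server": "normal"},
    "isolate_warehouse": {"warehouse_app": "degraded"},
}


def threat_paths(topology, source, target):
    """Enumerate the simple paths a threat agent could take from source to target."""
    paths, stack = [], [(source, [source])]
    while stack:
        node, path = stack.pop()
        if node == target:
            paths.append(path)
            continue
        for nxt in topology.get(node, []):
            if nxt not in path:  # simple paths only, no revisiting
                stack.append((nxt, path + [nxt]))
    return sorted(paths, key=len)


def turnover_time(process, node_states):
    """Process turnover time given each node's running state (default: normal)."""
    total = 0.0
    for _name, nominal, node in process:
        _state, mult = ACTIVITY_FSM[node_states.get(node, "normal")]
        total += nominal * mult if mult is not None else nominal + BLOCKED_PENALTY
    return total


def risk(process, node_states):
    """Risk metric: turnover-time increase over the all-nodes-normal baseline."""
    return turnover_time(process, node_states) - turnover_time(process, {})


def apply_policies(node_states, chosen):
    """Return the node states after applying the chosen policies (input untouched)."""
    states = dict(node_states)
    for policy in chosen:
        for node, target in POLICIES[policy].items():
            if SEVERITY[target] < SEVERITY[states.get(node, "normal")]:
                states[node] = target
    return states


def min_policy_set(process, node_states, residual_bound):
    """Smallest policy set whose residual risk is within the bound, or None.
    Exhaustive search over subsets; fine for a handful of policies (assumption)."""
    names = sorted(POLICIES)
    for size in range(len(names) + 1):
        for chosen in combinations(names, size):
            if risk(process, apply_policies(node_states, chosen)) <= residual_bound:
                return list(chosen)
    return None


if __name__ == "__main__":
    scenario = {"web_frontend": "degraded", "db_server": "compromised"}
    print("threat paths to warehouse_app:", threat_paths(TOPOLOGY, "internet", "warehouse_app"))
    print("baseline hours:", turnover_time(PROCESS, {}))
    print("risk (extra hours):", risk(PROCESS, scenario))
    print("min policies, bound 1h:", min_policy_set(PROCESS, scenario, 1.0))
```

The policy search returns the first subset of minimum size that satisfies the bound, so the answer depends on the (sorted) policy order when several subsets of the same size qualify; a real decision model would add a cost or effectiveness ordering, which the abstract does not specify and this example does not invent.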
Keywords/Search Tags: information security risk, vulnerability, threat, IT assets, business process, business activities and turnover time