
Research On Theory And Key Technologies Of Information System Risk Management

Posted on: 2008-07-01
Degree: Doctor
Type: Dissertation
Country: China
Candidate: Y H Gu
GTID: 1118360215983688
Subject: Communication and Information System
Abstract/Summary:
With the continued development of information systems, national economic and social development depends more and more on them, and the security of information systems has become a matter of wide concern. Research and practice show that relying solely on security technology and products will not solve all the security problems of information systems, so it is necessary to introduce risk management theory into system security solutions. Therefore, research on the risk management theory and key technologies of information systems has very important theoretical and practical value.

Chapter 1 studies the current achievements of research in information system risk evaluation and risk management, such as standards, methods, tools and security systems, both domestic and overseas.

In Chapter 2, the author provides a new and nearly complete information system risk management model, TPISRM, which involves the stages of risk management budget and risk control. Furthermore, based on the software development budget model COCOMO-II, a risk management budget model, BBSMBM, using Bayesian Belief Network theory is given to guide the process of efficient system risk management and to provide a reference for corporations in making their total finance budget. In the experiments, the Monte Carlo simulation method is used to compute the management budget.

In Chapter 3, a detailed Probabilistic Risk Analysis process for information system risk assessment is given. To address the uncertainty of risk quantification, including the uncertainty and variety of the probability and loss of a risk, this chapter provides a Bayesian Probabilistic Risk Analysis model. The experimental results show that this method makes risk management much more efficient.

Chapter 4 focuses on decision making during risk management. In TPISRM there are many situations in which decisions need to be made, such as ranking system risks and selecting security methods to deal with risks. The author provides a fuzzy multiple attributes ranking model with an integrated weight algorithm and a new ranking method to give the risks a preference order. In addition, the author provides a multiple attributes group decision model integrated with a cost-benefit method, a multi-dimensional security policy and a group evaluation algorithm to select the optimal security strategy. The fuzzy multiple attributes group decision making methods improve the accuracy and effectiveness of system risk management.

In Chapter 5, cognitive map theory is extended with modified relation operation rules and new reasoning methods. Based on this, a new automatic incident response model using causal map theory and a cost-benefit method is proposed.

Finally, the thesis summarizes the author's work and outlines future work.

In summary, the author has thoroughly studied issues in the risk management of information systems and provides a nearly complete management process with efficient theories and practical solutions. The importance of this thesis is that its research on the framework, process and key technologies of information system risk management integrates multidisciplinary approaches, such as information security, probability theory, fuzzy theory, decision theory, economics and cognitive reasoning. The multidisciplinary study not only widens the areas of research, but also lays solid theoretical foundations for enhancing the accuracy and effectiveness of information system risk management, which has great practical significance.
Keywords/Search Tags:information system risk management, risk management budget, Bayesian probabilistic risk analysis, fuzzy multiple attributes group decision making, causal map, automatic incident response