
The Research On Information System Security Risk Evaluation

Posted on: 2008-05-27
Degree: Doctor
Type: Dissertation
Country: China
Candidate: Y Hu
Full Text: PDF
GTID: 1118360242464100
Subject: Applied Mathematics

Abstract/Summary:
With the development of information technology, information systems have been built in many businesses, and more and more operations are carried out through them. This makes work and life more convenient, but it also brings trouble: the complexity of information systems, the threats against them and users' lack of concern lead to many security incidents, which cause great loss and impact to the organizations involved. Managers and users of information systems are therefore paying more attention to information security.

The importance of information systems, the openness of computer networks and the vulnerabilities of the systems' components bring many risks; these are the fundamental causes of information security problems. Considering cost and benefit, and the continuing development of information technology, the goal of information security is to reduce risk to an acceptable level by suitable measures. To decide which measures to take, we must know which risks the systems face and how severe they are. In other words, we must perform risk evaluation.

Research on, and implementation of, risk evaluation has been carried out for years, with much effort spent on evaluation procedures, methods and tools. But systematic theoretical or practical achievements are few, and many areas still need study.

The dissertation starts from the procedures of risk evaluation and discusses some of its key problems. First, the general theories and methods of risk analysis are described, including their applications in economics, engineering, natural disasters, social stability and so on. Risk evaluation of information systems may draw on these theories and methods, but it must also take account of what is special about risk in information systems.

Risk evaluation involves many factors: people, environment, business policy, law and culture, assets and their value, threats, vulnerabilities, risk, residual risk, security events, security requirements, security measures, security level, and so on. These factors and the relationships between them must be considered; Chapter 3 focuses on this topic.

The procedure of information system risk evaluation is determined by the relationships among the factors of Chapter 3. Chapter 4 discusses this procedure: identifying business requirements and security targets, identifying resources and their deployment, risk analysis, qualitative and quantitative risk evaluation, deriving the security requirements, and deriving the requirements on security measures. Each step involves considerable work.

Based on an analysis of resource deployment along the information flow, together with analyses of the vulnerabilities of assets, management and personnel, the dissertation proposes a risk distribution analysis method for locating risks.

By analysing the relationship between security events and risk, the dissertation gives risk evaluation indexes for information systems based on the components of a security event. The quantitative risk evaluation is then computed with a fuzzy synthetic (fuzzy comprehensive) evaluation method; other methods are also proposed in Chapter 6.

The dissertation then discusses how to derive the security requirements that reduce residual risk and reach the required security level. On the basis of this work a tool is designed; its main framework is introduced at the end of the dissertation.
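The quantitative step mentioned above, a multi-level fuzzy synthetic (comprehensive) evaluation over a tree of risk indexes, as an added worked example in Python. This is the textbook method (one synthesis B = W ∘ R per level, with the lower-level result vectors forming the next level's membership matrix), not code from the dissertation or its tool. The factor tree (threat, vulnerability, asset impact and their sub-indexes), the weights and the membership degrees are constructed assumptions; the abstract does not state which indexes or weights the dissertation actually uses.

```python
"""Two-level fuzzy comprehensive (synthetic) evaluation of information-system risk.

Added illustration of the textbook method; the factor tree, weights and
membership degrees are constructed assumptions, not the dissertation's data.
"""
from typing import Dict, List, Sequence

# Comment set V: the risk grades an index can be assigned to (assumed five grades).
LEVELS = ["very low", "low", "medium", "high", "very high"]
LEVEL_SCORES = [1.0, 2.0, 3.0, 4.0, 5.0]  # grade values used to defuzzify into one score

# Constructed factor tree (hypothetical names and numbers):
#   top-level factor -> (weight, {sub-index -> (weight, membership row over LEVELS)})
# A membership row is the share of (hypothetical) assessors who rated the
# index at each grade, so each row sums to 1, as does each weight vector.
FACTOR_TREE: Dict[str, tuple] = {
    "threat": (0.35, {
        "frequency":  (0.6, [0.0, 0.1, 0.3, 0.4, 0.2]),
        "capability": (0.4, [0.0, 0.2, 0.5, 0.3, 0.0]),
    }),
    "vulnerability": (0.40, {
        "exploitability":   (0.5, [0.0, 0.0, 0.2, 0.5, 0.3]),
        "exposure":         (0.3, [0.1, 0.2, 0.4, 0.3, 0.0]),
        "control_validity": (0.2, [0.0, 0.3, 0.4, 0.3, 0.0]),
    }),
    "asset_impact": (0.25, {
        "asset_value":    (0.7, [0.0, 0.0, 0.1, 0.4, 0.5]),
        "recoverability": (0.3, [0.2, 0.3, 0.4, 0.1, 0.0]),
    }),
}


def _validate(weights: Sequence[float], matrix: Sequence[Sequence[float]]) -> None:
    """Reject malformed input instead of silently producing a skewed result."""
    if len(weights) != len(matrix) or not matrix:
        raise ValueError("one weight per membership row is required")
    if any(w < 0 for w in weights) or abs(sum(weights) - 1.0) > 1e-9:
        raise ValueError("weights must be non-negative and sum to 1")
    for row in matrix:
        if len(row) != len(LEVELS) or any(r < 0 for r in row) or abs(sum(row) - 1.0) > 1e-9:
            raise ValueError("each membership row needs one non-negative entry per grade, summing to 1")


def synthesize(weights, matrix, operator="weighted_average") -> List[float]:
    """One level of fuzzy synthesis: B = W o R, normalised so that sum(B) == 1.

    weighted_average  M(., +):  b_j = sum_i w_i * r_ij
    max_min           M(^, v):  b_j = max_i min(w_i, r_ij)
    """
    _validate(weights, matrix)
    cols = range(len(LEVELS))
    if operator == "weighted_average":
        b = [sum(w * row[j] for w, row in zip(weights, matrix)) for j in cols]
    elif operator == "max_min":
        b = [max(min(w, row[j]) for w, row in zip(weights, matrix)) for j in cols]
    else:
        raise ValueError(f"unknown operator {operator!r}")
    total = sum(b)
    return [x / total for x in b] if total else b


def evaluate(tree=FACTOR_TREE, operator="weighted_average") -> Dict[str, List[float]]:
    """Multi-level evaluation: each first-level factor's result vector B_i
    becomes one row of the top-level membership matrix R."""
    results: Dict[str, List[float]] = {}
    top_weights, top_rows = [], []
    for factor, (weight, sub_indexes) in tree.items():
        sub_w = [w for w, _ in sub_indexes.values()]
        sub_r = [row for _, row in sub_indexes.values()]
        results[factor] = synthesize(sub_w, sub_r, operator)
        top_weights.append(weight)
        top_rows.append(results[factor])
    results["overall"] = synthesize(top_weights, top_rows, operator)
    return results


def risk_level(b: Sequence[float]) -> str:
    """Maximum-membership principle: the grade with the largest degree."""
    return LEVELS[max(range(len(b)), key=b.__getitem__)]


def risk_score(b: Sequence[float]) -> float:
    """Weighted-average defuzzification onto the 1..5 grade scale."""
    return sum(p * s for p, s in zip(b, LEVEL_SCORES))


if __name__ == "__main__":
    for op in ("weighted_average", "max_min"):
        res = evaluate(operator=op)
        print(f"--- {op}")
        for name, b in res.items():
            print(f"{name:14s} {[round(x, 3) for x in b]}  -> {risk_level(b)}  score {risk_score(b):.2f}")
```

Two choices in this method matter for a risk assessor. The operator: M(·, +) uses every index's membership, while M(∧, ∨) keeps only the strongest weight-limited membership per grade and can flatten or hide the contribution of lightly weighted indexes, so the same input can rank differently under the two. The readout: the maximum-membership label throws away the rest of the vector, and with the constructed data the "medium" and "high" degrees are close (about 0.30 against 0.36), so the full vector or the defuzzified score should be reported alongside the single grade.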
Keywords/Search Tags: information flow, risk, risk index, risk level, residual risk, multi-level fuzzy synthetic evaluation, security level, validity of security measures