
Research On Information Security Risk Management, Evaluation And Control

Posted on: 2009-07-20
Degree: Doctor
Type: Dissertation
Country: China
Candidate: J H Cheng
Full Text: PDF
GTID: 1118360245464445
Subject: Information Science

Abstract/Summary:
With the development of information applications, information systems have become the foundation of most organizations. Promoting information security management is significant for the information assurance of national critical infrastructure and important information systems; information security has become a national security problem. Information risk management is one of the frontier subjects in the information security field, and research on information risk management, evaluation and control is of importance to information security risk management theory.

This dissertation explains the relevant theories in several respects: risk, risk management, the generic risk management process, risk evaluation theory, information security risk and its management, risk probability theory and internal control theory. Information security risk is then divided into twelve risk regions, which provides a reference for subsequent research.

Based on the relevant theory of information security risk management, a new mission-oriented constitution of information security risk is defined according to an analysis of the information security risk constitution in three international standards. It includes five risk elements: threat, vulnerability, impact, security control and risk. The internal and external factors influencing information risk are analyzed and the formation mechanism of information security risk is fully explored. From the viewpoints of the whole organization system, organization mission completion, organization detection and organization culture, an improved information security risk management process is presented by analyzing and comparing some current information security risk management processes; it comprises risk planning, risk evaluation, risk control and risk audit, and is the leading content of this dissertation.

Information security risk evaluation is the foundation and precondition of an organization's information security risk management. Risk evaluation is separated into two parts, risk analysis and risk estimation. In the risk analysis part, assets, threats, vulnerabilities and impacts are evaluated in depth with respect to concept, characteristics, classification and measurement. In the risk estimation part, a quantitative risk formula is presented in which the rank of a risk is based on the possibility of uncertain events and the degree of adverse impact.

The dissertation takes the method of information security risk evaluation as important content. In information security risk evaluation it is very difficult to confirm the probability of risk events, and to estimate exactly and directly the severity of adverse impacts after a risk has occurred, merely by collecting and counting data, because many risk factors are very fuzzy. Therefore, by analyzing and comparing five current risk evaluation methods (the analytic hierarchy process, the fuzzy evaluation method, the causality map method, the Bayesian belief network method and fault tree analysis), a fuzzy dynamic causality map method is introduced and applied in practice. This method combines fuzzy theory with the causality map method: it defines the probability of risk events as fuzzy values, handles quantities that are difficult to measure through fuzzy arithmetic, and derives an exact descriptive risk from the consequences of the causality map. Moreover, a multi-hierarchy, multi-attribute index system for information security risk evaluation is developed. The fundamental concepts adopted are the analytic hierarchy process (AHP) and D-S evidence theory. AHP is used to assess the preference ratings of the indices, and through D-S evidence-based uncertain reasoning the final score is obtained by fusing the information from different experts. Finally, a comprehensive fuzzy evaluation method is introduced to evaluate information security risk and applied in practice.

The dissertation also analyzes deeply and systematically the meaning, principles, strategies and mechanisms of information security risk control, and examines the information security control mechanisms of technology control, management control, people control and culture control. It then puts forward information life-cycle security control and information security interaction-layer control. Finally, countermeasures for information security risk, basic conclusions and problems for further research are given.
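The abstract names AHP for the preference ratings of the evaluation indices and D-S evidence reasoning for fusing the judgements of several experts. The following Python sketch is added here as an illustration and is not code from the dissertation; it implements both in their standard textbook form (geometric-mean AHP weights with Saaty's consistency ratio, and Dempster's rule of combination with belief and plausibility). The index comparison matrix, the risk levels L/M/H and the two experts' mass assignments are constructed sample values, not the dissertation's own index system or figures.

```python
"""Added illustration: AHP index weights and Dempster-Shafer fusion of expert
risk judgements.  All comparison values and expert masses are constructed
sample data, not figures from the dissertation."""
from itertools import product
from math import prod

# Saaty's random-index table used in the AHP consistency check (n = 1..5).
SAATY_RI = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12}


def ahp_weights(pairwise):
    """Geometric-mean weights of a reciprocal pairwise comparison matrix."""
    n = len(pairwise)
    gm = [prod(row) ** (1.0 / n) for row in pairwise]
    total = sum(gm)
    return [g / total for g in gm]


def ahp_consistency_ratio(pairwise, weights):
    """CR = (lambda_max - n) / ((n - 1) * RI); judgements with CR <= 0.10
    are conventionally accepted as consistent enough to use."""
    n = len(pairwise)
    if n <= 2:
        return 0.0
    aw = [sum(a * w for a, w in zip(row, weights)) for row in pairwise]
    lambda_max = sum(x / w for x, w in zip(aw, weights)) / n
    return (lambda_max - n) / ((n - 1) * SAATY_RI[n])


def dempster_combine(m1, m2):
    """Dempster's rule of combination for two mass functions whose focal
    elements are frozensets over the same frame of discernment.
    Returns the normalised combined mass and the conflict mass K."""
    combined, conflict = {}, 0.0
    for (a, ma), (b, mb) in product(m1.items(), m2.items()):
        focal = a & b
        if focal:
            combined[focal] = combined.get(focal, 0.0) + ma * mb
        else:
            conflict += ma * mb  # evidence that cannot be reconciled
    if conflict >= 1.0:
        raise ValueError("total conflict: Dempster's rule is undefined")
    return {s: v / (1.0 - conflict) for s, v in combined.items()}, conflict


def fuse_experts(masses):
    """Fold Dempster's rule over any number of experts (the rule is associative)."""
    fused = dict(masses[0])
    for m in masses[1:]:
        fused, _ = dempster_combine(fused, m)
    return fused


def belief(mass, hypothesis):
    """Bel(A): total mass committed to subsets of A."""
    return sum(v for s, v in mass.items() if s <= hypothesis)


def plausibility(mass, hypothesis):
    """Pl(A): total mass that does not contradict A."""
    return sum(v for s, v in mass.items() if s & hypothesis)


# Constructed sample: three indices compared pairwise on Saaty's 1-9 scale.
SAMPLE_PAIRWISE = [[1, 3, 5], [1 / 3, 1, 3], [1 / 5, 1 / 3, 1]]

# Constructed sample: two experts' masses over risk levels {L, M, H} for one index.
LEVELS = frozenset({"L", "M", "H"})
EXPERT_1 = {frozenset({"H"}): 0.6, frozenset({"M", "H"}): 0.3, LEVELS: 0.1}
EXPERT_2 = {frozenset({"H"}): 0.5, frozenset({"M"}): 0.2, LEVELS: 0.3}


if __name__ == "__main__":
    w = ahp_weights(SAMPLE_PAIRWISE)
    print("index weights:", [round(x, 3) for x in w])
    print("consistency ratio:", round(ahp_consistency_ratio(SAMPLE_PAIRWISE, w), 3))
    fused, k = dempster_combine(EXPERT_1, EXPERT_2)
    print("conflict mass K:", round(k, 3))
    for s, v in sorted(fused.items(), key=lambda kv: -kv[1]):
        print(sorted(s), round(v, 3))
    high = frozenset({"H"})
    print("Bel(H) =", round(belief(fused, high), 3),
          "Pl(H) =", round(plausibility(fused, high), 3))
```

The conflict mass K is worth reporting next to the fused result: Dempster's normalisation divides the agreeing mass by 1 - K, so when experts disagree strongly the combined belief can look more decisive than any individual judgement warrants, and a large K is a signal to revisit the elicitation rather than to trust the score.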
Keywords/Search Tags: information security, risk management, risk evaluation, fuzzy causality map, risk control