Study On Knowledge Based Risk Assessment For Information Security

Posted on: 2009-10-18
Degree: Doctor
Type: Dissertation
Country: China
Candidate: J W Huang
Full Text: PDF
GTID: 1118360275454980
Subject: Management Science and Engineering
Abstract/Summary:
Human society is undergoing a vast transformation from an industrial society to an information society. With the rapid development of information technology, more and more organizations have come to depend on their information infrastructure to gain competitive advantage, so information technology plays an important role in most modern organizations. Today, because the business activities of organizations are closely tied to information, and accurate information is considered a powerful tool on which companies rely for survival and competitive advantage, information security is vital. Hence, it is imperative for organizations that information and information systems are kept secure and protected at all times.

Information security is a complicated piece of systems engineering, and information security risk assessment, which is the foundation and premise of information security, plays an important role in it. However, evaluating information risks is difficult. In this thesis, we aim to put forward a knowledge-based model of information security risk assessment and its theoretical framework; in addition, some problems associated with information security are discussed. The purpose of this paper is to contribute a new idea for information security risk assessment.

This paper is made up of three parts. The first part, comprising chapter 1 and chapter 2, introduces the reasons for this study. The second part, comprising chapter 3, chapter 4, chapter 5, and chapter 6, describes the main contents of this study. The third part, the last chapter, summarizes the thesis and describes the deficiencies of the project and directions for further development.

The main innovative points of this dissertation are as follows:

Firstly, the essence of information security is discussed from the perspective of organization management, and information security risk is then regarded as a knowledge gap between the information security ability of organization management and information requirements. Based on this prerequisite, a holistic framework of knowledge-based information security risk assessment is proposed.

Secondly, an expert judgment matrix using interval numbers is built to represent the uncertainty of reality and the fuzziness of expert experience. Considering the difficulty of obtaining the weights of an interval number judgment matrix, a novel algorithm based on the optimization mechanism of immune evolution is used to calculate the weight vector.

Thirdly, to determine scientifically "what are the critical information assets requiring protection", the TOPSIS technique is introduced. The critical information assets are ranked by importance using a multi-criteria decision method. This approach provides the basis for evaluating information risk and making security strategies.

Fourthly, fuzzy theory and a group decision method are introduced to extend the DEMATEL method, and a new analysis method for information security risk factors is discussed. The proposed method supports both qualitative and quantitative analysis and evaluation of information security risk factors. Therefore, it can provide the basis for making security strategies for information risk.
Keywords/Search Tags:Information Security, Risk Assessment, Knowledge, Critical Information Assets, Immune Evolutionary Algorithm, TOPSIS, DEMATEL