
The Research And Application Of Information Security Risk Assessment Model

Posted on: 2005-03-23 | Degree: Master | Type: Thesis
Country: China | Candidate: R B Gui | Full Text: PDF
GTID: 2168360152465410 | Subject: Computer technology
Abstract/Summary:
With the rapid development of information technology, the national economy depends more and more on information, and information security issues are becoming increasingly serious. They demand attention and adequate solutions. The essence of information security management is the management of risk, because security and risk can never be separated: there is neither absolute security nor absolute risk. A so-called secure information system is one in which risk is gradually reduced to a certain degree by adopting the best risk management policy. Risk assessment is the first step in risk management and an important means of ensuring information security; its function has been widely recognized.

Information security risk assessment is the procedure of evaluating, according to the relevant evaluation standards, the vulnerabilities of and threats to information assets, along with the negative impact and the likelihood of harmful events. For information security risk, vulnerability and threat are the cause, while impact and likelihood are the result.

Based on international standards for information security, a model of information security risk assessment is presented. Its kernel is risk management. Building on this model, the risk assessment methods are discussed in detail. These methods were put into practice and verified in a real risk assessment project. The work contained in this thesis is as follows.

Firstly, in accordance with the demands of information security, the concept, the working mode, and the development of information security risk assessment both in China and abroad are introduced. Popular evaluation standards in the fields of management, technology, and engineering are also recommended. All of these provide the theoretical foundation for building the risk assessment model.

Secondly, based on the relationships among critical elements such as asset, vulnerability, threat, security policy and risk, the model of information security risk assessment is given. The PDCA method that guides each phase of the evaluation procedure is also discussed.

Thirdly, based on the presented model, detailed evaluation methods and computing formulas for information assets, vulnerabilities and threats are devised. These are synthetic computing methods and make the result of risk assessment more scientific.

Finally, the risk evaluation model and methods are put into use and validated in a real project. The model is optimized to make use of a security information database in practice.
Keywords/Search Tags: Information, Security, Risk, Assessment, Model