The Research On Risk Assessment Method Of Information System Based On Fuzzy Analytic Hierarchy Process And Evidence Theory

Posted on: 2010-01-26
Degree: Master
Type: Thesis
Country: China
Candidate: R J Zhao
GTID: 2178330338982345
Subject: Software engineering

Abstract/Summary:
Traditional security measures, which are after-the-fact, passive and single-purpose, are unfit for the development of information system security, so information security management methods are required to protect information systems. If risk management is understood as a process of "suiting the remedy to the case", then risk assessment is the process of "diagnosing the symptoms": it provides an important basis for risk-management decisions. The study of risk assessment methods is therefore of great significance. This paper focuses on the following points:

1. This paper first introduces the concept of risk assessment and the state of information security risk assessment at home and abroad, traces its development, and points out the problems in China's risk assessment field. It then introduces several major categories of risk assessment methods in detail and summarizes their advantages and disadvantages, which lays the foundation for the direction of this study. Third, it introduces the risk assessment guidelines used at home and abroad. Finally, it introduces the forms of risk assessment, the implementation process and the evaluation approaches.

2. According to the characteristics of information systems, evaluating an information system at different levels reduces the difficulty of implementing risk assessment. To reduce the impact of subjective factors in judgments, a non-deterministic Analytic Hierarchy Process (AHP) is combined with fuzzy comprehensive evaluation to perform the risk assessment calculations for the information system. Interval numbers are used in place of exact values to judge the relative importance between two factors, the concept of entropy weight is introduced to reflect the intensity of competition among risk factors, and the risk condition of the information system is expressed as an interval value. The example results show that the method can evaluate the risk condition of an information system more objectively, truthfully and accurately.

3. Risk cannot be completely eliminated by the risk management process; it can only be reduced to an acceptable range. Current risk assessment methods are mostly static and cannot adapt to the dynamic nature of risk occurrence. This paper proposes a real-time risk assessment method based on IDS alert messages: a real-time risk assessment model is established, a method is put forward for quantifying the membership of each assessment factor in the states of the model, the belief distribution of each assessment factor over the risk states is calculated by introducing evidence theory, and Dempster's rule is applied to combine the belief distributions of the assessment factors, which yields the risk level of each asset.

The proposed real-time method cannot replace static risk assessment; the two play different roles at different stages of risk management. A combination of static and real-time methods can therefore provide a better decision-making basis for risk management and create a more secure information system environment.
Keywords/Search Tags: Risk Assessment, Analytic Hierarchy Process, Fuzzy Set, Entropy-weight, Evidence Theory, Intrusion Detection, Real-time Risk Assessment
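The Dempster combination step described in point 3, as an added example that is not taken from the thesis: it fuses the belief distributions of two assessment factors over the risk states of one asset and reports belief, plausibility and the conflict between the factors. The factor names (alert severity, alert frequency), the three-state frame and all mass values are constructed assumptions; the thesis's own membership quantification is not reproduced here.

```python
from itertools import product

# Hypothetical frame of discernment: the risk states of one asset.
LOW, MEDIUM, HIGH = frozenset({"low"}), frozenset({"medium"}), frozenset({"high"})
THETA = LOW | MEDIUM | HIGH  # mass on THETA = "this factor cannot tell"

def combine(m1, m2):
    """Dempster's rule for two mass functions {frozenset: mass}.

    Returns (combined masses, conflict K)."""
    joint, conflict = {}, 0.0
    for (a, wa), (b, wb) in product(m1.items(), m2.items()):
        common = a & b
        if common:
            joint[common] = joint.get(common, 0.0) + wa * wb
        else:
            conflict += wa * wb  # the two factors contradict each other
    if conflict > 1.0 - 1e-12:
        raise ValueError("total conflict: the evidence cannot be combined")
    return {s: w / (1.0 - conflict) for s, w in joint.items()}, conflict

def fuse(masses):
    """Fold Dempster's rule over any number of assessment factors."""
    fused = masses[0]
    for m in masses[1:]:
        fused, _ = combine(fused, m)
    return fused

def belief(m, hypothesis):
    """Mass committed to subsets of the hypothesis (lower bound)."""
    return sum(w for s, w in m.items() if s <= hypothesis)

def plausibility(m, hypothesis):
    """Mass not contradicting the hypothesis (upper bound)."""
    return sum(w for s, w in m.items() if s & hypothesis)

def risk_level(m):
    """Singleton risk state with the highest belief."""
    return max((LOW, MEDIUM, HIGH), key=lambda s: belief(m, s))

# Constructed mass assignments for two hypothetical IDS-derived factors.
M_SEVERITY = {HIGH: 0.6, MEDIUM: 0.3, THETA: 0.1}
M_FREQUENCY = {HIGH: 0.5, MEDIUM: 0.3, LOW: 0.1, THETA: 0.1}

if __name__ == "__main__":
    fused, k = combine(M_SEVERITY, M_FREQUENCY)
    print("conflict K =", round(k, 4))
    for state in (LOW, MEDIUM, HIGH):
        print(sorted(state), round(belief(fused, state), 4),
              round(plausibility(fused, state), 4))
    print("risk level:", sorted(risk_level(fused)))
```

A conflict value K close to 1 means the factors disagree almost completely, and the normalized result should then be treated with suspicion rather than acted on directly.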