Research And Practice Of Risk Quantification Model Based On Information Security Risk Assessment Guide

Posted on: 2006-02-19
Degree: Master
Type: Thesis
Country: China
Candidate: C Q Dong
GTID: 2178360182477182
Subject: Computer software and theory
Abstract/Summary:
As China continues to speed up its informatization in every respect, the national economy and social development are becoming increasingly reliant on fundamental information networks and critical information systems. Consequently, the issue of information security is drawing more and more attention from IT professionals. As an essential part of Information Security Management, Information Risk Assessment plays a very important role in securing the safety and security of fundamental information systems. However, Information Security Risk Assessment in China is only in its early stage of development, with no valid models or tools readily available in this area. This paper addresses the problem with a set of implementable Information Security Risk Assessment Quantification Models, developed with reference to the national draft, the Information Security Risk Assessment Guide, issued in 2005.

The major contributions of this paper are as follows:

1. The design of the Risk Integration Value Computing Subsystem Model. The Risk Computing Model provided by the national draft is relatively broad in scope and difficult to apply in practice. A Risk Integration Value Computing Model is put forward in this paper. At present, domestic risk evaluation methods are mostly qualitative. By contrast, many of the factors in the proposed model are analyzed by quantitative methods, so the result is more convincing and more intuitive.
2. Presentation of a Risk Event Likelihood Computing Method based on the Fuzzy Comprehensive Evaluation (FCE) model. The method is proposed in this paper by combining threat likelihood, asset vulnerability and existing safety precautions, using the FCE method.
3. The study of a Risk Impact Quantitative Analysis method based on a comparison judgment matrix. The method is developed in this paper by selecting proper impact items according to the class or function of the assessed organization and forming a set of impact valuation criteria.
4. The design and implementation of the Risk Assessment System software. A Risk Assessment System software is designed in this paper using software engineering...
Keywords/Search Tags: Risk Assessment, Quantitative Analysis, Risk Quantification Model, Fuzzy Comprehensive Evaluation