
Research On Risk Quantification Model Of Information System Security And Realization Of Risk Evaluation System

Posted on: 2007-03-29
Degree: Master
Type: Thesis
Country: China
Candidate: Z W Peng
Full Text: PDF
GTID: 2178360185474669
Subject: Computer software and theory
Abstract/Summary:
Under the national information security technology standards, Information Security Risk Evaluation is a process in which an information system is evaluated by scientific methods and the organization is then given opinions on specific security measures. An organization cannot make an exact judgement about its information security condition without an exact and timely risk evaluation. However, in our country the challenge that risk evaluation faces is not a lack of current theories, methods and technical criteria, but rather the maneuverability and validity of the evaluation method itself. Guided by the national draft of the Information Security Risk Assessment Guide issued in 2005, this paper gives a set of implementable Information Security Risk Evaluation Quantification Models with reference to GB17859-1999, the management-control ideas of BS7799, GAO/AIMD-99-139 and NIST SP800-30, and literature 6, which explains how to calculate a threat possibility. The major contributions of this paper are as follows:

1. Management-Control Risk Quantification Model. The core of the model is to create the guideline system and the computing system for management-control risk evaluation. The paper presents ten evaluation items, with more specific evaluation goals under each item, from the three control aspects of technology, persons and operation. As a result, the management-control risk degree and the organization's management-control vulnerability can be presented in terms of the evaluators' analysis and evaluation.

2. Threat Class Risk Computing Model. Integrating the factors which affect a threat's possibility, the paper designs the model for an external threat's exploitation of a vulnerability, based on analysis and calculation of data from IDS event logs and the degree to which a threat utilizes a vulnerability.

3. Risk Integration Value Computing Subsystem Model. The Risk Integration Value is obtained by combining the internal management-control risk analysis with the external threat risk computation, and from the risk matrix determined by the management-control risk and the threat risk.

4. Asset Value Computing Subsystem Model based on a comparison judgement matrix. The subsystem obtains asset data from the organization with a questionnaire, after which an evaluation group analyses risk impact and...
Keywords/Search Tags: Risk Evaluation, Risk Quantification Model, Management-Control Risk, Threat Class Risk