
Study On The Quantification Model Of Business-Oriented Information Security Risk Assessment

Posted on: 2008-10-01
Degree: Master
Type: Thesis
Country: China
Candidate: J W Liu
GTID: 2178360242471407
Subject: Computer software and theory
Abstract/Summary:
With the development of the national economy and society, dependence on basic information networks and important information systems is greater than before, and information security assurance deserves more and more attention from professionals. Risk assessment plays an important role in information security management and in safeguarding the basic information systems of enterprises. Existing overseas information security risk assessment models and standards have many shortcomings, such as a very high implementation cost and a long appraisal cycle, so they are very difficult to popularize domestically. Research on risk assessment in our country has only just started: it lacks systematic theory, methods and mature software tools, has no effective risk quantification model algorithm or supporting software, and depends heavily on scanning tools and expert experience, which leads to results that lean toward either technology or management without unifying the two.

In order to solve this problem, this thesis takes the international draft "information security risk assessment guide", written in 2005, as its background and refers to its assessment flow and computation approach to propose an information security risk assessment quantification model that is operational and business-oriented. The main work of the thesis is to describe each factor of the system (information environment, information carrier and information) by building a business-oriented description model that breaks down the evaluated system, to analyze the system quantitatively according to its business flow, and to unify the quantification of information property value, so that all sorts of risk assessment can be carried out.

The system characteristic description model is the key to unifying management and technology. It partially brings the system's organization into the assessment, establishes a level model, unifies the management and technical planes, and takes real attacks as the data for threat statistics. In the quantitative assessment, threats and vulnerabilities are considered together, which removes the misleading effect of irrelevant vulnerabilities and threats on the risk value. The workload is greatly reduced while the assessment result is more accurate, and the model is easy to operate and versatile.
Keywords/Search Tags:Information Security, Risk Assessment, Business-Oriented, Quantification Model