
Research And Application Of Information Security Risk Assessment Technology Based On CORAS

Posted on: 2008-01-26
Degree: Master
Type: Thesis
Country: China
Candidate: H F Liu
GTID: 2178360242472290
Subject: Computer application technology

Abstract/Summary:
Information security risk assessment is an important step in evaluating the security of information systems. As our nation strengthens the information security risk assessment sector, the national standard will be enacted in the near future, and all risk evaluation will be carried out under its guidance. Research on applying well-known international risk frameworks under the guidance of the national standard, especially research on risk self-evaluation for small and medium organizations, is significant for the widespread practice of information security risk assessment. First, this paper analyses and compares different methods and tools, domestic and foreign, focusing on the theory and technology of CORAS, the E.U.'s model-based information security risk assessment framework; the conformance of CORAS framework to is studied and compared, which is the basis for the application of the CORAS framework by domestic small and medium organizations. Second, to address the subjectivity of risk computation in applying CORAS, the relations among the risk factors threat, vulnerability and asset are generalized, and meta-risk, asset risk tree and other related concepts are set forth and defined; these are solutions for identifying the granularity of risk computation and for distinguishing the level of influence of risk on an asset's importance, and on that basis a computation algorithm is designed. Third, a risk assessment support tool, e-CORAS, is analyzed and implemented: the system modeling, analysis and design are illustrated with package diagrams, class diagrams, use-case diagrams and sequence diagrams; the detailed design of the risk assessment algorithm is presented; and the database design and implementation are presented, covering the general database structure, structure model diagram and list structure. Finally, an example illustrating the use of the algorithm and the tool is presented.
Keywords/Search Tags: CORAS, Information security risk assessment, Meta-risk, Asset risk tree, UML