| As an important step of construction of information security management system, risk assessment has been put into a critical position. The research on standard, method and model concerning risk assessment has become a hot point. In the existent risk analysis and computation model of information security, the total risk value of information system are often the sum risk value of each single asset, while risk value of single asset is the result of mutiplying the possibility by loss that security event of single asset occurs with less consideration of mutual influence between security events of different information assets. In a enterprise where information technology is heavily depended on, what management care is the risk value of essential assets and business system.This paper puts forward risk analysing model of business system which based on assessment path with consideration of the event of the other assets. In order to describe relation between assets, ATA(Accident Tree Analysis) has been applied and different weights has been assigned to different branches according to the importance of different branches. In the use of methods of FAT, Algorithm ,based on method of string processing, has been designed to get the smallest cutset and then to get structure importance of bottom events. The design of risk assessment tool follows the steps which are defined by Information Security Risk Assessment Standard and modules such as assessment of asset, threat, vulnerability and risk analysis are designed. The algorithm which mentioned above is encapsulated in the module of risk analysis. To get risk value accurately, the formula of risk computation was redesigned with composition of three types of risk value concerning security events of confidence, integrity and availability. |
PDF Full Text Request