AMBRA At Information Systems Security In The Application Of Risk Assessment

Posted on: 2008-09-08 | Degree: Master | Type: Thesis
Country: China | Candidate: D M Wu | Full Text: PDF
GTID: 2178360242971534 | Subject: Control theory and control engineering
Abstract/Summary:
Information security management is a complex systems-engineering undertaking, and information security risk assessment, which is the foundation and premise of information security, plays an important role in it. Based on the general risk analysis architecture AMBRA (Architectural framework for Model-Based Risk Analysis), this paper studies a model for the security risk analysis of information systems. Taking the viewpoints of different stakeholders, the model focuses on the assets, risks, threats and vulnerabilities of the system.

This paper builds on the generally accepted view that risk analysis during development and operation of systems facilitates security, safety, robustness and cost effectiveness. In a special domain, or according to the request of the system, AMBRA emphasizes that much of the risk analysis terminology is common even when it is used in different domains. This allows interoperability between domains, since a methodology intended for one domain may be able to use parts of methodologies or tools from other domains. AMBRA is an architectural framework for Model-Based Risk Analysis. It is based on an existing risk analysis methodology called CORAS and on IEEE-1471, 'Recommended Practice for architectural descriptions of software-intensive systems'. The framework contains a terminology inspired by both risk analysis and model-based architectural description, and its notion of system and overall terminology is very general and carries over to most domains. AMBRA also holds that a well-described target system is important in risk analysis, because it helps the participants understand the system, especially when dealing with the abstract nature of information system security.

Based on the terms of AMBRA, this paper analyses the security elements of an information system and the relationships between them. The security risk analysis procedure for an information system is presented. Then, based on the viewpoints of different stakeholders and considering the assets, risks, threats and vulnerabilities of the system, an information security risk analysis model is obtained. This model provides a simple, practical and effective analysis model for information security analysis. According to this model, the results of the security analysis can be used to support the decision-maker's decisions.
Keywords/Search Tags: risk analysis, architecture, AMBRA, stakeholder, asset, threat, vulnerability