
Loopholes Analysis Of Information Security Risk Assessment And Improvement Of Evaluation Method

Posted on: 2008-11-03
Degree: Master
Type: Thesis
Country: China
Candidate: G Li
GTID: 2178360242971568
Subject: Computer software and theory
Abstract/Summary:
Information security is an increasing concern for industry, and risk assessment, as an important link in information security management, plays a very important role in protecting the information systems of enterprises and institutions. However, information security risk assessment work in China has only just started: the specific assessment methods, index systems, supporting software and so on are very imperfect or lack practical operability. This paper addresses a very important part of risk assessment, the assessment of technical vulnerabilities and their corresponding threats, and proposes a new and workable approach.

Based on the "Chongqing municipal departments of information security risk assessment" project (contract number: 200612002), this paper makes an in-depth study of the relationship between risk assessment and loophole analysis. There are two key factors in information security risk assessment: the "extent of vulnerability" and the "threat frequency". Current methods of calculating them are mostly qualitative, summarizing them simply as "high", "medium" and "low", which makes it difficult to calculate a risk value. The assessment criteria that are given are either too rough and depend too much on the assessor's level of experience, so that different evaluators may reach very different results for the same subject, or they require data that is difficult to obtain in practical work, so operability is weak.

On the basis of a concrete analysis of the relationship between loopholes and the "severity of the vulnerability" and "threat frequency", this paper puts forward a new assignment method for the "severity of the vulnerability" and the "threat frequency". It also proposes improvements to the risk assessment process and summarizes the specific process of loophole analysis.

The new assignment method changes, to a certain extent, the shortcomings of previous risk assessment assignment: excessive dependence on experience, overly subjective assessment results, and weak operability. Finally, simulation experiments using specific examples demonstrate vulnerability analysis and risk assessment once more and verify that the new assignment method is effective.
Keywords/Search Tags: Information Security Risk Assessment, Loopholes, Vulnerability, Threat