The Applied Research Of System Security Engineering In The System Development Phase

Posted on: 2008-08-09
Degree: Master
Type: Thesis
Country: China
Candidate: Z Y Zhang
Full Text: PDF
GTID: 2178360245497618
Subject: Management Science and Engineering
Abstract/Summary:
Information system risk assessment simply means finding the risk, analysing it qualitatively or quantitatively, and providing a basis for risk management. This thesis focuses on the system development phase and studies system security engineering. The research pays attention not only to the technical field, but also to the dynamic and continuous management of system security risk from an engineering point of view. In addition, since both the theory of risk management and system security engineering are only frameworks that do not provide detailed methods for carrying them out, this paper, in keeping with the characteristics of the system security problem, introduces the fuzzy evaluation method to measure the security risk of a system and establishes a fuzzy model.

To solve this problem, we organize our assurance framework on the basis of SSE-CMM. However, in order to construct a more complete assurance framework, we must solve three main problems found when applying SSE-CMM:

1. The methods applied in risk evaluation lack a uniform standard.
2. In the SSE-CMM, there is no method to quantify the assurance level.
3. The evidence products produced in SSE-CMM lack a logical framework.

To solve these three problems, we first conducted research on risk analysis and security assurance metrics. We put forward a risk analysis model for the system development phase by applying the fuzzy comprehensive evaluation method. Finally, a structure for assurance arguments is offered as a logical way to communicate the information used in making security decisions. We also put forward the FCME model and apply case analysis.
Keywords/Search Tags: Systems Security Engineering Capability Maturity Model, Fuzzy Risk Appraisal Method, Risk assessment