
Research On The Evaluation Of Information System Security

Posted on: 2010-05-11
Degree: Master
Type: Thesis
Country: China
Candidate: K Chen
Full Text: PDF
GTID: 2178360275494131
Subject: Software engineering

Abstract/Summary:
As China continues to accelerate informatization in every area, the national economy and social development are becoming increasingly reliant on fundamental information networks and critical information systems. Consequently, information security is drawing more and more attention from IT professionals. As an essential part of information security management, information risk assessment plays a very important role in ensuring the safety and security of fundamental information systems. Through the study of risk assessment, it has become accepted that technology alone cannot fully secure an information system. The problem involves many elements, such as rules, policy, standards and technology, and its solution must take an engineering view, namely information system safety engineering. Risk analysis and assessment have a central place in information system safety engineering; they are the basis and precondition of information system security.

This paper is made up of three parts. The first part introduces the methods and processes of information security risk evaluation and the common standards related to it. In the second part, the writer evaluates the risk of an electrical power system using an information security risk quantification assessment model based on assets, threats and weaknesses. In the third part, the writer applies the VaR and CVaR models, taken from risk management and investment in the field of financial risk, to the power system's information system to study risk assessment further. The three parts are closely related, and the information security risk quantification assessment model is studied in depth.

The novelty of this paper's approach to information security risk evaluation is as follows. The paper applies the Value at Risk (VaR) model and the Conditional Value at Risk (CVaR) model, usually used in financial risk analysis, to information security risk assessment. At the same time, threat occurrence frequencies are modeled with the Poisson distribution and the normal distribution. Because the Poisson distribution is hard to calculate when threats occur frequently, the paper uses the normal distribution in place of the Poisson distribution to model the threat occurrence frequencies. The tail risks are then analyzed using the CVaR method. The proposed model uses real value to measure the loss from security risk, and the result can be used directly in information security risk investment decisions.
Keywords/Search Tags:Information Security, Risk Assessment, VaR, CVaR