Study And Application Of Propagation-Based Information Security Risk Assessment

Posted on: 2010-01-09
Degree: Master
Type: Thesis
Country: China
Candidate: W Wang
Full Text: PDF
GTID: 2178360278462572
Subject: Software engineering

Abstract/Summary:
Information security is no longer purely a technical problem; it is becoming a global problem that bears on national security. How to judge whether an information system meets its security requirements, and how to manage information scientifically, are urgent questions worldwide. Risk assessment helps achieve these goals. In the course of a risk assessment, the security requirements can be summarized, the risks to information become easier to understand, and resources and effort can be directed to the information assets at greatest risk. The question is how to assess risk more scientifically.

This thesis examines the main theories of information security risk assessment, its frameworks, process, commonly used evaluation methods, and the related security standards. The research finds a deficiency in existing theories of information security risk evaluation: risk propagation has not been considered an important element.

The thesis introduces an improved, propagation-based method for risk evaluation that considers both the risk originating in an asset itself and the risk spreading to it from other assets, so the result is much closer to the facts. Because a risk affects the confidentiality, integrity, and availability of an asset differently, the improved formula uses a "judgment matrix" to determine the different weights of threats and vulnerabilities according to the level of damage to the confidentiality, integrity, and availability of assets.

In the final part, the improved method is applied to a real project assessment. The main goal of the project is to establish an information security system based on ISO27001. During its construction, risk evaluation is an important step that determines whether resources can be concentrated on the assets at greatest risk. Quantitative evaluation with the new formula gives a better risk assessment result, one that reflects more objectively the level of information security control over the organization's assets.
Keywords/Search Tags: risk assessment, information security, risk propagation, threat, vulnerability