Research On Network Security Risk Assessment Based On Index System

With the popularity of the Internet as well as the application of computer, Network security issues affect our lives increasingly. Practice has proved that it is very important to identify computer network security risk in advance and network security risk assessment is a long-term work.In this paper, Standards, methods and tools on network security risk assessment both at home and abroad have been carried out deeply. Currently, the increase of the scale of network information system results in single risk assessment method cannot solve the conflict between timeliness and comprehensive. Based on comparison of static and dynamic risk assessment methods, a method which combines static and dynamic methods of risk assessment has been proposed. The concepts and processes of static assessment part of this method refer to the relevant provisions of National Institute of Standards"Information security technology-Risk assessment specification for information security".In order to hold the dynamic risk accurately, the author proposes a framework of dynamic risk assessment indicators based on the classification of security incidents. The framework meets the requirements of the combination of importance and comprehensive, the combination of stability of the structure and volatility of the content, the combination of quantitative and qualitative and the operability. The index system covers a wide range of organizations with a reasonable organization and easily expandable features, and it can contribute to the accuracy of network security risk assessment. The paper demonstrates the reasonableness of the index system from both the effectiveness and credibility of the indicators. A verification method has been discussed. After discussed the standardization of the indications, the author designed a dynamic risk computing model based on analytic hierarchy Process to apply to calculate the risk of network system. The model has a reasonable distribution of weight and the advantage of less computing.The final part of the paper designed and realized a risk calculation sub-system,which can be used as a indicator-verification tool. Sample analysis demonstrated the feasibility of the model, and presented how to verify a single indicator.