
Research And Application On Quantification Model Of Information Security Risk Assessment

Posted on: 2011-12-06
Degree: Master
Type: Thesis
Country: China
Candidate: F F Huang
Full Text: PDF
GTID: 2178360305988628
Subject: Computer application technology

Abstract/Summary:
As China continues to accelerate its adoption of informatization, more and more core business in every area has become increasingly reliant on information systems. Information security risk assessment, as the basis and prerequisite of information systems security engineering, is drawing more and more attention, because it largely protects the security of fundamental information systems. However, information security risk assessment in China is only in its initial stage, without formal analysis and description. So far the risk-related factors cannot be analyzed and described accurately, which brings great bias to the results of an assessment. Methods for abstracting and generalizing risk-related elements are also lacking, and at present no effective risk quantification model is readily available in this area. At the same time, the assessment results are not intuitive.

To solve this problem, this paper studies the security standard published in 2006, "Information Security Risk Assessment Guide". By studying its assessment process and calculation methods, it carries out a detailed analysis of the elements of information security risk assessment. Combining fuzzy theory and the analytic hierarchy process (AHP), it proposes a quantification model for information security risk assessment. This model can provide a more accurate calculation of information system risks and an objective basis for raising the level of information security.

First, an in-depth analysis of the status of information security risk assessment at home and abroad is carried out, together with a classification study of the international and domestic standards relevant to risk assessment. The paper also studies the methods and implementation process of risk assessment. After that, it observes that the risk calculation model in the "Information Security Risk Assessment Guide" is macroscopic and lacks very strong characteristics. Through hierarchical decomposition of the evaluation system, the various elements involved in the system are analyzed quantitatively, and the overall framework of the risk calculation model is proposed. The paper then presents a computing model for risk event likelihood based on fuzzy comprehensive evaluation, and uses the analytic hierarchy process, building a comparison judgment matrix, to calculate the risk impact. Finally, the quantification model of information security risk assessment was applied to an actual system to verify its feasibility.
Keywords/Search Tags: Risk Assessment, Fuzzy Comprehensive Evaluation, Risk Quantification Model