| The theory and methods of information security risk assessment are developing into a booming era of hundred schools of thought contend. The EU-funded CORAS project is developing a framework for model-based risk assessment of security-critical systems, and this developed a new area for risk assessment studies. It is important to research the model-based CORAS method for developing a precise, unambiguous, and efficient risk analysis.This thesis relies on a risk assessment project of an enterprise in Chongqing, in which process the CORAS method are analyzed and performed. The main contents and contributions are in the following areas:Analysis of CORAS framework and process. The model-based risk assessment methods of CORAS framework makes the assessment work simple and intuitive, and the characteristics of the CORAS"seven steps"makes the risk assessment processnormalization and easy to understand and master; Application of CORAS method. The advantages of the model-based method and the evaluation standard of the national risk assessment draft are used together to improve the domestic applied research of CORAS method to meet the reality of domestic information construction and application, and also to make assessment results more accurate and authoritative;Algorithm and calculation tool development. Improve CORAS method to calculate more accurate, and establish hierarchical model to analyze the likelihood and consequence of risk. Quantify the risk of an integrated value calculation based on the AHP in the risk matrix to make the weight more detailed to compare, and develop a risk calculation tool to avoid error-prone issues of the large volume of data in risk assessment process;Application and practice. The CORAS method is applied to a financial network subsystem which is a critical subsystem, and the result is remarkable. This verified the feasibility and practicality of the research results in practice, and has reference value for the application of CORAS method. |
PDF Full Text Request