With the rapid development of information technology, information security has become a problem that must be addressed. As an important part of information security management, risk evaluation is an important measure for securing information systems and establishing reasonable security assurance measures. In this paper, based on a study and comparison of many risk evaluation methods, an approach combining the Analytic Hierarchy Process (AHP) with Fuzzy Comprehensive Evaluation (FCE) is presented. By analyzing the confidentiality, integrity, and availability of the assets, a hierarchy model of the assets is established to calculate the asset weights with AHP, which combines qualitative and quantitative methods to reduce the influence of subjective factors on the evaluation results. For the risks to the assets, the probability and effect of each risk are analyzed first, and then the uncertainty that arises during the evaluation is handled with FCE so that the risk level of each risk factor can be determined. Finally, a risk evaluation prototype was established. The method presented in this paper solves the problem of quantification in risk assessment and reduces the impact of subjectivity on the evaluation, thus enhancing the accuracy and validity of the risk evaluation results.
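The two steps named in the abstract, in their textbook form, as an added example that is not the paper's own code: AHP weights with a consistency check, then a weighted-average fuzzy evaluation. The pairwise judgments, the membership matrix, the three risk levels and the function names are all constructed assumptions, as is feeding the confidentiality/integrity/availability weights directly into the fuzzy step.

```python
import math

# Saaty's random consistency index by matrix order (standard AHP table).
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12}

def ahp_weights(matrix):
    """Return (weights, consistency_ratio) for a pairwise comparison matrix."""
    n = len(matrix)
    # Row geometric means approximate the principal eigenvector.
    gm = [math.prod(row) ** (1.0 / n) for row in matrix]
    total = sum(gm)
    w = [g / total for g in gm]
    # Estimate lambda_max as the mean of (A w)_i / w_i.
    aw = [sum(matrix[i][j] * w[j] for j in range(n)) for i in range(n)]
    lam = sum(aw[i] / w[i] for i in range(n)) / n
    ci = (lam - n) / (n - 1) if n > 1 else 0.0
    ri = RANDOM_INDEX[n]
    return w, (ci / ri if ri else 0.0)

def fuzzy_evaluate(weights, membership, levels):
    """B = W . R (weighted average), then pick the maximum-membership level."""
    b = [sum(w * row[k] for w, row in zip(weights, membership))
         for k in range(len(levels))]
    total = sum(b)
    b = [x / total for x in b]
    return b, levels[b.index(max(b))]

# Constructed judgments: confidentiality vs. integrity vs. availability.
CIA_MATRIX = [
    [1.0, 3.0, 5.0],
    [1 / 3, 1.0, 2.0],
    [1 / 5, 1 / 2, 1.0],
]
LEVELS = ["low", "medium", "high"]
# Constructed memberships: share of evaluators rating each attribute's
# exposure as low / medium / high (each row sums to 1).
MEMBERSHIP = [
    [0.1, 0.3, 0.6],  # confidentiality
    [0.2, 0.5, 0.3],  # integrity
    [0.6, 0.3, 0.1],  # availability
]

def demo():
    weights, cr = ahp_weights(CIA_MATRIX)
    if cr >= 0.10:  # conventional AHP threshold: judgments too inconsistent
        raise ValueError("pairwise judgments are inconsistent; revise them")
    vector, level = fuzzy_evaluate(weights, MEMBERSHIP, LEVELS)
    return weights, cr, vector, level

if __name__ == "__main__":
    print(demo())
```

The consistency ratio check is what limits the subjectivity of the pairwise judgments: a matrix with a ratio of 0.10 or more is rejected before any weight is used.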