
Enterprise Information Security Risk Self-assessment Model

Posted on: 2009-11-07
Degree: Master
Type: Thesis
Country: China
Candidate: G Z Huang
Full Text: PDF
GTID: 2199360272464090
Subject: Management Science and Engineering

Abstract/Summary:
Information technology is an important force for promoting economic development: it helps enterprises grow and supports business expansion and innovation. As enterprises in our country continue to deepen their informationization, traditional businesses rely more and more on information systems, the IT infrastructure becomes ever larger and more complex, and at the same time the increasingly serious security situation and a wide range of network threats bring new challenges to enterprise information management and information security. These raise the risk borne by the enterprise, and information security management is becoming a major topic in the informationization process. The information security problem cannot be solved by technology alone; information security is essentially a management issue, risk management is the core of information security, and risk assessment is the foundation and premise of risk management. A dynamic security situation and changing business and information systems require enterprises to carry out risk assessment frequently; just as with auditing, self-assessment should be a basic risk control method in enterprises. The models and methods currently used for risk assessment are highly specialised and rely excessively on experts' experience, so they are complex and subjective and cannot be used well by enterprises themselves. Therefore, how to build a scientific, simple and effective self-assessment model, together with model-based processes and methods, has become an urgent subject that must be faced and dealt with. The evaluation and measurement system for assets, threats and vulnerabilities is the key to constructing an information security risk self-assessment model; of these, threat assessment is currently the most difficult and subjective, and it is the focus of this thesis.

On the basis of studying and analysing related information security risk assessment methods and the assessment models proposed by other scholars, and according to the business needs of self-assessment, the author gathered statistical data through expert interviews and a questionnaire survey and, using factor analysis, refined four essential elements as evaluation criteria for the likelihood of a threat to an information system: motivation, power, frequency, and the attraction of the asset. By analysing the value of information assets to the enterprise, with related standards and results as references, this thesis proposes a method for evaluating information asset value from seven aspects of business impact. By analysing the relationship between vulnerabilities and safeguards, it proposes taking the three essential attributes of an information system (confidentiality, integrity and availability), judged against the safeguards currently in place, as the evaluation criteria for the severity of a vulnerability. It then constructs quantitative measurement structures for threat and vulnerability respectively using the analytic hierarchy process and, on the basis of the relation among the three basic elements, proposes the enterprise information security risk self-assessment model. The model and related methods are then examined through a practical case study. The last chapter gives the value and achievements of the study, and points out its deficiencies and directions for future research.
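As an added illustration of the analytic hierarchy process step described above (example code written for this page, not from the thesis), the following derives priority weights for the four threat-likelihood elements from a constructed pairwise-comparison matrix, checks Saaty's consistency ratio so that inconsistent expert judgements are rejected rather than silently scored, and then applies the weights to one threat's element scores. The matrix, the 1..5 element scores and the scoring function are assumptions for illustration.

```python
import math

# The four threat-likelihood elements named in the thesis.
ELEMENTS = ["motivation", "power", "frequency", "attraction"]

# Constructed pairwise-comparison matrix on Saaty's 1-9 scale (an assumed expert
# judgement for illustration, not data from the thesis): PAIRWISE[i][j] says how
# much more important element i is than element j for threat likelihood.
PAIRWISE = [
    [1,     3,     2,     4],
    [1 / 3, 1,     1 / 2, 2],
    [1 / 2, 2,     1,     3],
    [1 / 4, 1 / 2, 1 / 3, 1],
]

# Saaty's random consistency index for matrices of order 1..4.
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90}

def is_reciprocal(matrix, tol=1e-9):
    """A valid AHP matrix has a[j][i] == 1 / a[i][j] and a unit diagonal."""
    n = len(matrix)
    return all(abs(matrix[i][j] * matrix[j][i] - 1.0) < tol
               for i in range(n) for j in range(n))

def ahp_weights(matrix):
    """Priority weights by the row geometric mean, normalised to sum to 1."""
    n = len(matrix)
    gm = [math.prod(row) ** (1.0 / n) for row in matrix]
    return [g / sum(gm) for g in gm]

def consistency_ratio(matrix, weights):
    """CR = CI / RI with CI = (lambda_max - n) / (n - 1); CR < 0.1 is acceptable."""
    n = len(matrix)
    aw = [sum(matrix[i][j] * weights[j] for j in range(n)) for i in range(n)]
    lambda_max = sum(aw[i] / weights[i] for i in range(n)) / n
    ci = (lambda_max - n) / (n - 1)
    return ci / RANDOM_INDEX[n] if RANDOM_INDEX[n] else 0.0

def threat_likelihood(matrix, scores):
    """Weighted likelihood of one threat (scores rate each element on 1..5, a
    constructed scale). Inconsistent judgements are rejected, not scored."""
    if not is_reciprocal(matrix):
        raise ValueError("pairwise matrix is not reciprocal")
    w = ahp_weights(matrix)
    cr = consistency_ratio(matrix, w)
    if cr >= 0.1:
        raise ValueError(f"expert judgements inconsistent (CR={cr:.3f})")
    return sum(s * wi for s, wi in zip(scores, w)), w, cr
```

With the constructed matrix, motivation carries the largest weight (about 0.47) and the consistency ratio is about 0.01, so a threat scored 5, 4, 3, 2 on the four elements gets a weighted likelihood close to 4.0.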
Keywords/Search Tags: Information Security, Information Security Risk Assessment, Self-assessment, Assessment Model, Factor Analysis, Analytic Hierarchy Process