| With the continuous improvement of social informationization, computer network and information system have become the necessary impetus and tools in the social development and daily life. As a result, security issues in the information system have attracted more and more attention. However, information security issues are not only caused by technical weakness, but also involving many other aspects. This is why we need the management of information security risks to protect and maintain information systems. The premise and basis of it is risk assessment of information security.This paper focuses on the assessment of information security risk. Firstly, it introduces glossaries and the current status of risk assessment both inland and overseas, methodizes development, points out existing problems and details the products of risk assessment. Secondly, it analyses the relationship among key elements and process of risk assessment, presents several representative risk analysis methods, summaries the advantages and disadvantages of these methods and on this base Fuzzy Analytic Hierarchy Process (FAHP) is mainly studied. Thirdly, it also puts forward an idea that FAHP can be applied to risk assessment of information security, designs a practical framework to make qualitative risk analysis and quantitative risk analysis integrate better. In this framework it uses making inquisition and experts marking as a means to get information about assets, evaluates assets value, assets weakness and threaten that assets probably face and adopts triangular fuzzy numbers to make subjective factors in the assessment of information security risks objective and quantitative. Finally, it demonstrates the feasibility of the proposed model by a concrete instance of virtual medical organization. |
PDF Full Text Request