A Study Of Information Security Risk Control Sorting Method Based On SCP²DR²

Posted on: 2012-09-21
Degree: Master
Type: Thesis
Country: China
Candidate: J X Liu
GTID: 2218330371452813
Subject: Management Science and Engineering
Abstract/Summary:
In an era of technological innovation and globalization, information technology has rapidly gained popularity and become the nerve center of many industries and sectors. The information industry has become an important driver of economic development. It has played an irreplaceable role in adjusting the economic structure, transforming traditional industries and improving people's quality of life. However, with the rapid development of China's information industry and of information technology, business environments have become more complicated and competition fiercer, and the associated risks have grown: increased hacking, virus outbreaks and even information disclosure have become an important issue troubling enterprises and their managers. Information security directly affects the routine work of these enterprises and sectors. The reliability and completeness of information are directly related to a company's survival and competitiveness. Therefore, to make better use of business information and secure a favorable position in market competition, the further development of information technology must take information security risk control into account.

The requirements for information security differ between enterprises, between industries, between applications and even between departments of one enterprise. Information security is not simply a matter of "the safer, the better." Security risk management starts from these differing security needs and aims to identify and control risk, protecting the integrity, availability and confidentiality of information to the maximum extent within an acceptable cost range. Only by mastering the methods of information security risk identification, assessment and control can an enterprise select the most effective response measures, ensure the safe use of information, and enjoy the convenience and speed of information technology. Security problems arise not because technology lags behind but because of deficiencies in management. Technology therefore cannot solve every security issue; risk control still requires an integrated combination of effective management, technical, cultural, legal and other elements. How an enterprise facing complicated threats should select effective control measures to improve protection and support security is an urgent issue currently under in-depth study.

The main purpose of this thesis is to give enterprise managers a more comprehensive and specific understanding of information security risk. With the risk control sorting model, they can clearly understand the priority of the various control measures and select appropriate measures to control the risks, reducing the risk of loss to the enterprise, effectively guaranteeing normal operation and improving the core competitiveness of enterprise management. Ultimately this provides a powerful guarantee that enables enterprises to achieve their desired strategic objectives.

The framework of this study consists of the following six main parts:

The first part: Introduction. This part focuses on the research background and the significance of the study, introduces the state of research in China and abroad, and proposes the main framework of the thesis.

The second part: Information security risk control theory. This part describes the meaning and characteristics of information security, including the meaning, characteristics and elements of security risk. It then introduces the information security risk management system, which includes information security risk identification and an information security risk assessment method, fuzzy mathematics. This part is the theoretical foundation for the further research.

The third part: Information security risk control system. This part focuses on the process of information security risk control. It also explains every aspect in detail, including the modes and measures of information security risk control.

The fourth part: Sorting of information security risk control measures. This is the core part of the thesis. It introduces the P²DR security control model and the SCP²DR² model and analyzes both in detail. The study classifies risk control measures according to the SCP²DR² model and proposes a sequence of control measures. For every kind of asset facing the same threat, experts rank the risk control measures of the same type. The experts then revisit the control measures for the assets, using triangular fuzzy weights and the theory of order numbers, the relationship between threats and vulnerabilities, and the impact on assets to calculate the weight of the threat. The result is the sequence of information security risk control measures.

The fifth part: Application of the ranking model in the enterprise. This part selects the protection type of control measure and, using a specific enterprise example, illustrates the process of sorting information security risk control measures.

The sixth part: Conclusion. This part summarizes the whole thesis, points out the deficiencies of the study, and analyzes directions for future research.
Keywords/Search Tags: SCP²DR² model, information security, model of risk control measure sorting