
The Research Of Fuzzy-ANC Based Information Security Risk Assessment Method

Posted on: 2013-08-15
Degree: Master
Type: Thesis
Country: China
Candidate: Y L Yang
GTID: 2248330371971464
Subject: Computer software and theory
Abstract/Summary:
With the rapid development of the information age, scientific and technological research is no longer confined to the physical domains of land, sea and air; virtual space has become an important field of research in its own right. At the same time, information security issues can no longer be ignored. Information security risk assessment identifies the nature and degree of harm of the risks in an information system, so that targeted solutions, appropriate control objectives and control measures can be developed to avoid or minimize the risk. Information security risk assessment therefore occupies a pivotal position in the modern era.

This paper focuses on the information security risk assessment process. The main work is as follows:

1. Domestic and international information security risk assessment standards have been studied in detail. Standards usually state assessment objectives and direction but do not elaborate on the details of the assessment methods, and their conclusions are vague. A comparison of several information security risk assessment methods shows that some uncertainties remain in the assessment. Controlling these uncertainties is of great significance for effective risk assessment. This paper builds on GB/T 20984 (Information Security Technology Risk Assessment Specification for Information Security), improving and optimizing the implementation of the risk assessment process. Fuzzy logic principles are used to resolve the linguistic ambiguity of expert scoring in the assessment process.

2. In the assessment process, asset, threat and vulnerability are inextricably linked, and the asset is the central element to which threat and vulnerability relate. This paper takes the asset as its starting point, gives a definition of ANC, and reduces the correlation problems that exist in information security risk assessment to the problem of asset correlation. The accuracy of the assessment results is further improved by analyzing the comprehensive risk according to asset correlation.

3. GB/T 20984 does not clearly distinguish between two indicators: vulnerability severity and the degree to which a vulnerability can be exploited. This introduces a deviation in the size of the risk the system is judged to face. Even if a serious vulnerability exists in an asset, when the chance that the vulnerability will be used is small or even zero, its influence on the system's security risk will be small. Strictly distinguishing between these two indicators is therefore important for effective assessment.

4. From the above work, an information security risk assessment model based on Fuzzy-ANC is derived. The assessment process is described in a formal language to lay the foundation for automated assessment.

5. An information security risk assessment knowledge database (RAKD) is built on the basis of the Fuzzy-ANC information security risk assessment model. The classic breadth-first Apriori algorithm is used to search the preprocessed data for frequent items and obtain the knowledge items whose frequency exceeds a predetermined threshold, in preparation for automated assessment.

6. A Fuzzy-ANC based information security risk assessment aided tool is developed. It makes the solution described in this paper easier to operate, improving the efficiency of assessment on top of the improved accuracy of the results.
Keywords/Search Tags:Information Security Risk Assessment, Fuzzy Logic, Asset Node Correlation, Fuzzy-ANC, Risk Assessment Knowledge Database