Study On Information Security Risk Assessment Method Based On Two Stages Decision Model With Grey Synthetic Measure

To solve the fuzziness and uncertainty from manyaspects on information security risk assessment, this paper proposes the information security risk assessment approach based on two stages decision model with grey synthetic measure.Firstly, the procedure、method and standard of risk assessments are introduced; secondly, the assessment index system are established and their weights are calculated by means of the combination of Delphi method and the adjacent indexes comparison method, and the criteria of assessment grades are determined; at last, unity grey clustering coefficients or decision coefficients with synthetic measure are computed by grey clustering theory, the grey classes of information system risks are determined and information systems are squenced by risk values. Through case studies, this method solves many uncertainties of the evaluation factors, reduces the subjectivity of assessment process, and provides a new method for information security risk assessment.The main work and innovations are as follows:1. Proposing the method of optimizing indexes of information security risk assessment using information entropy theory.In the process of risk assessment, selection of indicators is particularly important, has a decisive influence on evaluation results. In this paper, combined with evaluation works, after studying theinstances of a large number of information security evaluations, put forwarding that the initial indicators are obtained by test data analysis, and then the evaluation indexes are optimized with information entropy.2. Proposing the method that comprehensively evaluates information security risk by two stages decision model with grey synthetic measure in the grey theory.It provides the detailed steps of the mathematical model. The results that the model obtains are still highly reliable even if the principal component of the vector is relatively close after the clustering when information system risk is evaluated by this model.3.Taking 4 information systems of government agencies as study cases. From two aspects of management and technology the information system risk assessment index system is built. Then the comprehensive risk assessment of the information system of 4 agencies was carried out with the theory, method and model proposed in this paper.