
Research On Risk Quantification Method Of Information Security

Posted on: 2017-05-07
Degree: Master
Type: Thesis
Country: China
Candidate: Y Hao
GTID: 2348330488458105
Subject: Systems Engineering

Abstract/Summary:
In real life, every organization and individual faces information security risk, and it is impossible to avoid that risk entirely by technical means alone. A scientific and effective method for quantifying information security risk gives decision-makers a clearer, more intuitive understanding of both the probability of risks and the loss they cause, and so guides information security construction more correctly and effectively. Starting from the basic formula of risk assessment, Risk (R) = Probability (P) × Loss (L), this paper studies the probability of risk and the loss caused when a risk materializes separately.

First, the paper treats the frequency of information security incidents as a discrete random variable and infers statistically that it follows a Poisson distribution. The inference is verified against data from the National Internet Emergency Center (CNCERT/CC). On this basis, a probability calculation model for information security incidents under the Poisson distribution is established using Bayes' theorem: the prior probability distribution of incident frequency is calculated from the probability mass function of the Poisson distribution, a likelihood function is constructed to adjust the prior, and the posterior probability distribution of incident frequency is obtained.

Second, the paper applies VaR to measure the risk loss of information security, using Monte Carlo simulation to calculate the maximum loss of information security risk at a given confidence level (VaR). Convergence analysis and an accuracy test are carried out to verify the effectiveness of the method. To make up for the insufficiency of VaR in measuring tail risk, the paper proposes CVaR to measure the tail risk loss of information security, and describes the calculation of CVaR separately for the cases where the yield follows different distributions. The accuracy of the CVaR result is checked by constructing a statistical test variable.

Finally, CNCERT/CC data are used to calculate the probability of information security risk. Together with the maximum possible loss (VaR) and the average excess loss (CVaR) obtained from the loss model, the value of the information security risk is calculated, verifying that the quantification method is feasible and can effectively guide information security construction.

The results may offer new ideas for the quantitative measurement of information security risk, enrich its measurement methods, and provide theoretical and technical support for risk management. From a management perspective, the method can promote the optimal allocation of resources, support reasonable arrangement of capital investment in information security, build information security with a higher cost-effectiveness ratio, and reduce the losses caused by information security incidents. From a technical perspective, it provides a probability calculation model for information security incidents and an approach to calculating the value of information security risk. From a social perspective, effective risk quantification gives organizations and individuals an intuitive understanding of information security risk, helps protect their information security, reduces the occurrence of incidents, and thus controls the impact of information security incidents and safeguards social stability.
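The pipeline the abstract describes, a Bayesian estimate of the incident rate, Monte Carlo VaR/CVaR of the period loss, and R = P × L, as an added example that is not code from the thesis. The Gamma conjugate prior, the lognormal severity parameters, the constructed incident counts and the choice of CVaR as L are assumptions made here; the thesis does not specify them.

```python
import math
import random

# Constructed sample: monthly incident counts at one organisation
# (illustrative figures, not CNCERT/CC data).
MONTHLY_INCIDENTS = [3, 5, 4, 6, 2, 4, 5, 3, 4, 6, 3, 5]

def posterior_rate(counts, prior_shape=2.0, prior_rate=1.0):
    # Assumption: Gamma(shape, rate) prior on the Poisson rate lambda; it is
    # conjugate, so the likelihood of the counts updates it in closed form.
    return prior_shape + sum(counts), prior_rate + len(counts)

def prob_at_least_one(shape, rate):
    # P(N >= 1) next period under the posterior predictive (negative binomial).
    return 1.0 - (rate / (rate + 1.0)) ** shape

def poisson_sample(lam, rng):
    # Knuth's method; fine for the small rates used here.
    threshold, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1

def simulate_period_losses(lam, n_sims=20000, seed=1, mu=9.0, sigma=1.0):
    # Monte Carlo aggregate loss per period: N ~ Poisson(lam) incidents, each
    # with a lognormal severity (mu, sigma are assumed; units are currency).
    rng = random.Random(seed)
    losses = []
    for _ in range(n_sims):
        n = poisson_sample(lam, rng)
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n)))
    return losses

def var_cvar(losses, confidence=0.95):
    # VaR: loss quantile at the confidence level; CVaR: mean loss at or beyond it.
    ordered = sorted(losses)
    idx = math.ceil(confidence * len(ordered)) - 1
    tail = ordered[idx:]
    return ordered[idx], sum(tail) / len(tail)

def quantify_risk(counts, confidence=0.95):
    # R = P x L, with P from the Bayesian Poisson model and L = CVaR (assumed).
    shape, rate = posterior_rate(counts)
    p = prob_at_least_one(shape, rate)
    var, cvar = var_cvar(simulate_period_losses(shape / rate), confidence)
    return {"lambda": shape / rate, "p": p, "var": var, "cvar": cvar, "risk": p * cvar}
```

Raising `n_sims` and checking that VaR stabilises is the convergence test the abstract mentions; CVaR is always at least VaR, which is the tail property it is chosen for.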
Keywords/Search Tags: Information Security, Risk Quantification, Bayes Theorem, VaR, CVaR