With the development of the information age, the Internet has become a necessary part of people's work and life; at the same time, the security of confidential information has come under threat. Information security cannot be ignored. Through information security risk assessment we can determine the risk value. To avoid, transfer, or lower the risk to an acceptable level, we can establish an appropriate information security policy and adopt appropriate control objectives and control measures to control the risk. The focus of this dissertation is therefore to evaluate information security risk and to design a model for risk evaluation.

To address the need for information system security, this dissertation compares several frequently used methods of information security risk evaluation and introduces fault tree analysis, which has been used in industry to analyze complex systems effectively. Given the characteristics of fault tree analysis, and after studying domestic and overseas security evaluation standards, I choose the BS7799 standard as the foundation, amending and selecting from it. On this foundation, we establish fault tree models for availability, integrity, and confidentiality. By adjusting the weights of the model, we accommodate the different degrees of sensitivity and the different requirements of corporations, government, the army, and schools. To evaluate the results objectively and fairly, we combine qualitative analysis with quantitative calculation to express the risk that the system faces.

In this model, we adopt a tree structure to analyze hazardous events, so that the analysis is convenient for experts and the form of the system's risk is easy for the evaluating user to understand. Based on the description of the probabilities of the top event and the bottom events of the fault tree, we find the importance of the minimal cut sets of the fault tree and calculate the importance of the bottom events. This allows quantitative analysis and comparison and provides an effective method for finding the key sources of system faults. Based on this theoretical study, we develop a fault information collection system and a fault tree assisted-analysis system. Using these two systems, and with the participation of experts, in the risk evaluation of the automated information systems used in army command, the method is shown to be feasible and effective.
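
The quantitative step described above (minimal cut sets, top-event probability, importance of cut sets and bottom events), shown on a small fault tree as an added example that is not code from the dissertation. The tree, event names and probabilities are constructed, bottom events are assumed independent, and the importance measure (the share of top-event probability carried by the cut sets containing an event, i.e. Fussell-Vesely) is an assumption, since the abstract does not name one.

```python
from itertools import combinations, product
from math import prod

# Constructed tree: a gate is ("AND" | "OR", [children]); a string is a bottom event.
CRED = ("AND", ["weak_password", "no_account_lockout"])   # shared sub-tree
TREE = ("OR", [CRED,
               ("AND", ["unpatched_server", ("OR", ["exposed_service", CRED])]),
               "backup_media_lost"])
# Constructed bottom-event probabilities, assumed independent.
P = {"weak_password": 0.2, "no_account_lockout": 0.5, "unpatched_server": 0.1,
     "exposed_service": 0.3, "backup_media_lost": 0.01}

def cut_sets(node):
    """Expand gates top-down into cut sets (sets of bottom events)."""
    if isinstance(node, str):
        return [frozenset([node])]
    gate, children = node
    parts = [cut_sets(c) for c in children]
    if gate == "OR":                       # any single child triggers the gate
        return [cs for part in parts for cs in part]
    # AND: one cut set from every child must occur together
    return [frozenset().union(*combo) for combo in product(*parts)]

def minimal(sets):
    """Drop every cut set that strictly contains another cut set."""
    uniq = set(sets)
    return sorted((s for s in uniq if not any(o < s for o in uniq)), key=sorted)

def union_probability(sets, p):
    """P(at least one cut set occurs), by inclusion-exclusion."""
    total = 0.0
    for k in range(1, len(sets) + 1):
        for combo in combinations(sets, k):
            events = frozenset().union(*combo)
            total += (-1) ** (k + 1) * prod(p[e] for e in events)
    return total

def analyse(tree, p):
    mcs = minimal(cut_sets(tree))
    top = union_probability(mcs, p)
    cut_importance = {cs: prod(p[e] for e in cs) / top for cs in mcs}
    event_importance = {e: union_probability([cs for cs in mcs if e in cs], p) / top
                        for e in p}
    return mcs, top, cut_importance, event_importance

if __name__ == "__main__":
    mcs, top, _, importance = analyse(TREE, P)
    print([sorted(cs) for cs in mcs], round(top, 5))
    for event, value in sorted(importance.items(), key=lambda kv: -kv[1]):
        print(f"{event:20s} {value:.3f}")
```

Ranking bottom events by this importance value points to the controls whose improvement lowers the top-event probability most.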