
The Research Of Information Security Risk Assessment Model And Method

Posted on: 2008-06-17
Degree: Master
Type: Thesis
Country: China
Candidate: J H Yang
Full Text: PDF
GTID: 2189360212474799
Subject: Management Science and Engineering
Abstract/Summary:
Information security management is a complex system-engineering problem, and information security risk assessment, the foundation and premise of information security, plays an important role in it. This paper is made up of three parts. The first part introduces the basic knowledge of information security and the common standards (both technical and management standards) related to information security risk evaluation. The second part proposes a multilevel synthesized quantitative evaluation model of information security based on a layered structure, using the theories and methods of system engineering. The third part concentrates on an information security risk quantification assessment model based on assets, threats and vulnerabilities. These three parts are closely related, and the quantitative risk assessment model is studied in depth.

The contributions of this paper to the method of information security risk evaluation lie in two aspects. On one hand, gray theory is applied to the quantitative evaluation model: the proposed model combines AHP, the gray evaluation method and the fuzzy evaluation method, while taking into account the relative importance of, and interrelations among, security factors. As a result, it offers a simple, reliable and effective quantitative model for an information security evaluation system. On the other hand, the paper applies the Value at Risk (VaR) and Conditional Value at Risk (CVaR) models, usually used in financial risk analysis, to information security risk assessment. Threat occurrence frequencies are modelled by the Poisson distribution and the normal distribution. Because the Poisson distribution is hard to calculate when threats occur frequently, the paper uses the normal distribution in place of the Poisson distribution to model threat occurrence frequencies, and tail risks are then analyzed with the CVaR method. The proposed model measures security risk loss as a concrete value, so the result can be used directly in information security risk investment decisions.
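As an added worked example (not code from the thesis), the following Python block computes VaR and CVaR of annual loss for a single threat under assumptions stated in its comments: a constant assumed loss per occurrence, Poisson occurrence counts, and the normal approximation that the abstract substitutes for frequently occurring threats.

```python
# Added example (not from the thesis): VaR and CVaR of annual loss from one threat.
# Assumed model: occurrences per year N ~ Poisson(lam), each costing a fixed
# loss_per_event (asset value x impact); the normal approximation N(lam, lam) is
# the substitute the abstract describes for frequent threats. CVaR is taken as
# the mean loss in the tail at or beyond VaR (tail conditional expectation).
import math
from statistics import NormalDist


def poisson_pmf(k: int, lam: float) -> float:
    # log-space evaluation avoids overflow of lam**k / k! for large k
    return math.exp(-lam + k * math.log(lam) - math.lgamma(k + 1))


def poisson_var_cvar(lam: float, loss_per_event: float, alpha: float = 0.95):
    """Exact Poisson tail: VaR is the smallest count k with P(N <= k) >= alpha."""
    cdf, k = 0.0, 0
    while cdf + poisson_pmf(k, lam) < alpha:
        cdf += poisson_pmf(k, lam)
        k += 1
    # tail mass and tail expectation from k upward; stop once terms are negligible
    tail_p = tail_ek = 0.0
    j = k
    while True:
        p = poisson_pmf(j, lam)
        tail_p += p
        tail_ek += j * p
        if j > lam and p < 1e-12:
            break
        j += 1
    return k * loss_per_event, (tail_ek / tail_p) * loss_per_event


def normal_var_cvar(lam: float, loss_per_event: float, alpha: float = 0.95):
    """Normal approximation of the same loss; closed-form VaR and CVaR."""
    mu = lam * loss_per_event
    sigma = math.sqrt(lam) * loss_per_event
    z = NormalDist().inv_cdf(alpha)
    var = mu + sigma * z
    cvar = mu + sigma * NormalDist().pdf(z) / (1.0 - alpha)
    return var, cvar


if __name__ == "__main__":
    # constructed inputs: a rare threat (2/yr) and a frequent one (200/yr)
    print("rare,     Poisson VaR/CVaR:", poisson_var_cvar(2, 10_000))
    print("frequent, Poisson VaR/CVaR:", poisson_var_cvar(200, 500))
    print("frequent, normal approx   :", normal_var_cvar(200, 500))
```

For the frequent threat the exact Poisson figures and the normal approximation agree to within a few percent, while CVaR sits above VaR in every case because it averages over the whole tail rather than reading off one quantile.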
Keywords/Search Tags: Information Security, Risk Assessment, Gray Theory, VaR, CVaR