Its System Of Risk Assessment Model Based On Portfolio Evaluation Method

Posted on: 2010-11-17
Degree: Master
Type: Thesis
Country: China
Candidate: Q Dan
GTID: 2199360275983524
Subject: Software engineering
Abstract/Summary:
Risk assessment is an important part of an information system security project. From the point of view of risk management, it uses qualitative and quantitative analysis methods to systematically analyze the man-made or natural threats that information and information systems may face, and the damage those threats may cause. Improvement and protection measures against the threats are then proposed to minimize economic losses and negative impacts.

This dissertation surveys the status quo of risk assessment and analyzes popular international risk assessment standards. To avoid the one-sidedness that results from relying on a single assessment method, a combination assessment method based on hierarchical subdivision is proposed to eliminate the inconsistency problem. With information assets digitized and standardized, this dissertation proposes a method-filter model to choose suitable risk assessment methods for different application systems automatically. Finally, a fuzzy analytical hierarchy process (FAHP) can be used to combine the assessment values and reach the risk assessment conclusions according to the actual situation. The main contributions are as follows.

(1) A new risk assessment framework based on the combination assessment method is proposed. This framework defines the identification norms for the risk elements and proposes a unified data format for assets, vulnerabilities and threats. It also defines the calculation process from the value of single risk cases to a system value. Finally, the proposed framework sets up a hierarchical structure. Based on the hierarchical structure, FAHP (Fuzzy Analytical Hierarchy Process) is used to aggregate the assessment values, and then the assessment report is produced.

(2) An efficient algorithm to choose suitable assessment methods is proposed. In the area of information security assessment, the choice of methods is the precondition of a scientific assessment process. This dissertation combines the fuzzy integrated assessment method with the DEA (Data Envelopment Analysis) model to evaluate the validity of risk assessment methods.

(3) A risk assessment system based on the combination risk assessment model is designed and developed. According to the proposed model, this dissertation develops a comprehensive risk assessment system in which the entire process of risk assessment is completed and the algorithm and framework described above are implemented. Finally, the risk assessment system is used to assess a GIS system and produces a satisfactory assessment report.
Keywords/Search Tags: combination assessment method, risk assessment, method choosing, method weight, AHP