
Information Security Risk Assessment Methods Based on Expert Ratings and Regression Analysis

Posted on: 2011-10-07. Degree: Master. Type: Thesis
Country: China. Candidate: Y B Song. Full Text: PDF
GTID: 2199360308467705. Subject: Business management
Abstract/Summary:
With the rapid development of information technology, information systems have been widely applied in government, national defence and the economy, and the operation of society depends more and more on them. The security of information systems is therefore ever more closely tied to economic development and national defence. Evaluating risk effectively, selecting effective defensive measures and defending actively against threats are the key points in resolving the security problems of information systems. Because the composition and logical relations of an information system are complex, and because information security risk assessment work in China has only just started, the specific assessment methods, index systems and supporting software are still imperfect or lack practical operability. For the value of assets, their vulnerabilities and the threats to them, this paper presents a new and operationally practical risk assessment methodology. The method is based on the Chinese GB information security risk assessment standard, with reference to good foreign risk assessment criteria. Where some authors take the maximum value as the representative value in risk assessment, this paper uses the average; in assessing the value of assets it adds weights to the confidentiality, integrity and availability (CIA) indicators; and it adds further reference indicators to the vulnerability and threat assessments. For example, the vulnerability assessment also considers the affiliation of the vulnerability, the exposure of the asset and the technical difficulty of exploiting it.

The threat assessment also considers the degree of risk the threat poses to the asset and to the institution, the cost of recovering from an attack, the cost of prevention, and descriptive attributes such as the threat name, the threatened object and the threat subject. The paper uses the Delphi method to build an expert scoring model, which is applied to score asset value (confidentiality, integrity and availability), threats, vulnerabilities and the other elements. Drawing on expert knowledge and experience, and passing through several rounds of consultation, feedback and adjustment, the estimates move closer to the true values, the result becomes more authoritative, and the reliability and validity of the result are assured. The paper then studies the relationships between the elements of risk assessment through correlation analysis, estimates the population from the sample data through regression analysis, derives the population regression model and regression equation for calculating risk, and applies model tests and parameter tests to ensure accuracy. To a certain extent this method solves the problem of quantitative risk assessment. The paper is divided into six parts. The first part discusses the research background, objectives and methods, the state of domestic and international research on information security risk assessment, and the purpose and significance of the work. The second part, based on China's GB information security risk assessment standard, ISO/IEC TR 13335-3, ISO/IEC 17799 and ISO/IEC 27001, sets out the concepts and definitions of information security risk assessment, its elements and their relational model, the assessment process, the principles of risk analysis and the evaluation methods. The third part builds an expert scoring model for information security risk assessment based on the Delphi method: an expert group is formed and scores asset values, vulnerabilities and threats, yielding the sample data for the risk assessment.

The fourth part is the empirical study. The expert assessment model is applied to the Guangxi Unicom BSS systems: following the assessment method and process introduced in the second part, a key asset of the BSS system is selected and its asset value, vulnerabilities and threats are assessed to obtain the sample data. Part V completes the empirical study by combining correlation analysis and regression analysis: the sample data from the fourth part are used to estimate the regression model and regression equation in SPSS, and model tests and parameter tests are applied to check its feasibility. Part VI summarises the paper and sets out plans for the next stage of research.
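The following is an added example, not code from the thesis, that shows the mechanics the abstract describes: a weighted CIA asset-value score, the mean (rather than the maximum) as the representative value of a round of expert ratings, the shrinking spread of ratings across Delphi rounds, and an ordinary least squares fit that estimates a risk equation Risk = b0 + b1*Asset + b2*Threat + b3*Vulnerability from sample scores, reported with the coefficient of determination and pairwise Pearson correlations. The CIA weights, the eight-asset sample and its generating coefficients are constructed for illustration and are not the thesis's Guangxi Unicom data; the thesis fitted its model in SPSS, whereas this block solves the normal equations in plain Python. Only R^2 is computed here; the F and t tests the thesis applies to the model and its parameters are not reproduced.

```python
from typing import Dict, List, Sequence, Tuple

# Indicator weights for the asset-value score. The thesis weights the CIA
# indicators; these particular numbers are an assumption for the demo.
CIA_WEIGHTS: Dict[str, float] = {"C": 0.4, "I": 0.3, "A": 0.3}


def weighted_asset_value(cia: Dict[str, float], weights: Dict[str, float] = CIA_WEIGHTS) -> float:
    """Weighted confidentiality/integrity/availability score for one expert rating."""
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("indicator weights must sum to 1")
    return sum(weights[k] * cia[k] for k in weights)


def representative_value(ratings: Sequence[float], method: str = "mean") -> float:
    """Collapse one round of expert ratings into one value. The thesis uses the
    mean; the max used by earlier authors lets one pessimistic rating dominate."""
    if method == "max":
        return max(ratings)
    if method == "mean":
        return sum(ratings) / len(ratings)
    raise ValueError(f"unknown method {method!r}")


def delphi_spread(rounds: Sequence[Sequence[float]]) -> List[float]:
    """Range (max - min) of the panel's ratings per Delphi round; a shrinking
    range after feedback is the usual sign that the estimate is converging."""
    return [max(r) - min(r) for r in rounds]


def pearson(x: Sequence[float], y: Sequence[float]) -> float:
    """Pearson correlation coefficient between two element scores."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    return sxy / (sxx * syy) ** 0.5


def solve_linear(a: List[List[float]], b: List[float]) -> List[float]:
    """Gaussian elimination with partial pivoting (solves the normal equations)."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        if abs(m[col][col]) < 1e-12:
            raise ValueError("singular normal equations: collinear predictors")
        for r in range(col + 1, n):
            f = m[r][col] / m[col][col]
            for c in range(col, n + 1):
                m[r][c] -= f * m[col][c]
    x = [0.0] * n
    for i in range(n - 1, -1, -1):
        x[i] = (m[i][n] - sum(m[i][j] * x[j] for j in range(i + 1, n))) / m[i][i]
    return x


def ols_fit(X: Sequence[Sequence[float]], y: Sequence[float]) -> Tuple[List[float], float]:
    """Ordinary least squares y = b0 + b1*x1 + ...; returns (coefficients, R^2)."""
    rows = [[1.0] + list(r) for r in X]
    p = len(rows[0])
    xtx = [[sum(r[i] * r[j] for r in rows) for j in range(p)] for i in range(p)]
    xty = [sum(r[i] * yi for r, yi in zip(rows, y)) for i in range(p)]
    beta = solve_linear(xtx, xty)
    yhat = [sum(b * v for b, v in zip(beta, r)) for r in rows]
    ybar = sum(y) / len(y)
    ss_res = sum((yi - fi) ** 2 for yi, fi in zip(y, yhat))
    ss_tot = sum((yi - ybar) ** 2 for yi in y)
    r2 = (1.0 - ss_res / ss_tot) if ss_tot else 1.0
    return beta, r2


# Constructed sample: (asset value, threat, vulnerability) panel scores for eight
# assets and the panel's overall risk score. Not the thesis's BSS data; the risk
# column is generated from 0.5 + 0.9*A + 0.7*T + 0.6*V plus small residuals.
SAMPLE_X: List[List[float]] = [
    [4.2, 3.0, 2.5], [3.1, 4.0, 3.5], [4.8, 2.0, 1.5], [2.5, 2.5, 4.0],
    [3.7, 3.5, 3.0], [4.5, 4.5, 2.0], [2.9, 1.5, 1.0], [3.3, 5.0, 4.5],
]
_RESID = [0.1, -0.1, 0.05, -0.05, 0.1, -0.1, 0.05, -0.05]
SAMPLE_Y: List[float] = [
    round(0.5 + 0.9 * a + 0.7 * t + 0.6 * v + e, 3) for (a, t, v), e in zip(SAMPLE_X, _RESID)
]


def fit_risk_model() -> Tuple[List[float], float]:
    """Estimate the risk equation from the sample; returns ([b0, b1, b2, b3], R^2)."""
    return ols_fit(SAMPLE_X, SAMPLE_Y)


def predict_risk(beta: Sequence[float], asset: float, threat: float, vuln: float) -> float:
    """Apply a fitted risk equation to one asset's three element scores."""
    return beta[0] + beta[1] * asset + beta[2] * threat + beta[3] * vuln


if __name__ == "__main__":
    cia_round = [{"C": 5, "I": 4, "A": 3}, {"C": 4, "I": 4, "A": 4}, {"C": 5, "I": 5, "A": 3}]
    values = [weighted_asset_value(r) for r in cia_round]
    print("asset value: mean %.2f, max %.2f" % (representative_value(values), representative_value(values, "max")))
    print("Delphi spread per round:", delphi_spread([[2, 5, 3], [3, 4, 3], [4, 4, 3]]))
    beta, r2 = fit_risk_model()
    print("Risk = %.2f + %.2f*A + %.2f*T + %.2f*V  (R^2 = %.3f)" % (*beta, r2))
    cols = list(zip(*SAMPLE_X))
    print("corr(A,Risk)=%.2f corr(T,Risk)=%.2f corr(V,Risk)=%.2f" % tuple(pearson(c, SAMPLE_Y) for c in cols))
```

With eight observations and four parameters the fit has only four residual degrees of freedom, so a high R^2 on its own says little; the model and parameter tests the abstract mentions are what separate a usable risk equation from one that merely reproduces the panel's scores.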
Keywords: expert ratings, regression analysis, correlation analysis, information security, risk assessment