To explore the underlying rules governing the development of information security risk assessment, and starting from the structure and operating status of the information system or its assets, this survey divides the common risk assessment methods into four types: vulnerability identification and risk assessment, risk-factor simulation and risk estimation, security situation assessment, and risk calculation based on business process analysis. It advocates methods that examine the highest-level structure of the information system, namely the business process structure and its changes, and that treat business operating performance indicators as the risk scale, so that information security risk can be calculated in real time and dynamically. Finally, based on an understanding of the information system's structure and use, and combined with feedback control theory, three levels of judgment are defined that position the status of each information security risk assessment method, and the return of information security risk assessment research to the rules of non-linear systems is discussed.