
Basic article information

  • Title: A Scenario-Based Information Security Risk Evaluation Method
  • Authors: Xiaofang Ban; Xin Tong
  • Journal: International Journal of Security and Its Applications
  • Print ISSN: 1738-9976
  • Publication year: 2014
  • Volume: 8
  • Issue: 5
  • Pages: 21-30
  • DOI: 10.14257/ijsia.2014.8.5.03
  • Publisher: SERSC
  • Abstract: Risk evaluation is the core process of information security risk management. An effective risk evaluation can protect organizations and maintain their abilities to carry out missions and activities against threats, as well as helping to implement controls and safeguards that are actually needed. However, traditional information security risk evaluation approaches lack granular analysis and clear expression of the security characteristics of risk, such as the possibility, attack path, and business impact. This paper presents a scenario-based information security risk evaluation method, based on the idea of the Advanced Persistent Threat (APT) attack, which evaluates the security risk status of an information system by constructing risk scenarios. The separate analysis of the technical impact and the business impact helps technicians and business decision makers grasp the system risk status from their respective responsibilities. At the end of the paper, we propose a practical risk scenario construction example, which provides scientific and effective guidance for the preparation of a risk evaluation report.
  • Keywords: risk evaluation; risk scenario; business impact; vulnerabilities; asset value; chain; risk integration