计算机应用 (Journal of Computer Applications), 2009, Vol. 29, Issue (12): 3178-3181.

• Information Security •

Information security risk assessment based on extension sets (基于可拓集的信息安全风险评估)

Xiao Min (肖敏)¹, Fan Shixi (范士喜)², Chai Rong (柴蓉)³, Yang Fuping (杨富平)⁴

  1. College of Computer Science and Technology, Chongqing University of Posts and Telecommunications (重庆邮电大学)
  2. Beijing Institute of Graphic Communication (北京印刷学院)
  3.
  4. Chongqing University of Posts and Telecommunications (重庆邮电大学)
  • Received: 2009-06-26  Revised: 2009-08-08  Online: 2009-12-10  Published: 2009-12-01
  • Corresponding author: Fan Shixi (范士喜)
  • Funding:
    Research on unit-based emergency management mechanisms for urban earthquake disasters and dynamic visual rescue simulation (城市震害单元化应急管理机制与动态可视化救助仿真研究)

Information security risk assessment method based on extensible set


Abstract (translated from the Chinese): To address the complex relationships among risk elements and the difficulty of measuring evaluation factors accurately in information security risk assessment, this paper organizes the risk elements around threats, establishes a risk assessment model, and implements a risk evaluation method based on extension sets. The model uses assets, vulnerabilities and control measures to evaluate the likelihood and the consequences of a threat, and presents the hierarchical structure of system risk. On top of this model, the extension-set method maps the qualitative expression of each evaluation factor to an interval and uses an interval dependent function to convert qualitative judgments into quantitative values; it then makes a qualitative decision on system risk from the quantitative risk-correlation vector, so that the assessment combines qualitative and quantitative evaluation. A concrete case study shows that the method is feasible and effective.

Keywords (translated from the Chinese): information security, risk assessment, extension set, dependent function

Abstract: In the process of information security risk assessment, there are complex relationships between risk elements, and it is also difficult to measure risk evaluation factors accurately. The paper proposed a risk assessment model which took threat as the center for organizing risk elements, together with a risk evaluation method based on extensible set. The model displayed a hierarchical structure for system risk, in which the possibility and consequences of a threat were evaluated by three risk factors: asset, vulnerability and control measure. Based on this model, the extensible set method translated qualitative determination into quantitative results by mapping qualitative expressions to intervals and using an interval dependent function, and made a qualitative judgment according to a quantitative risk-correlation vector; it could therefore combine quantitative and qualitative methods to evaluate system risk. A specific example illustrates that the method is feasible and effective.
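The abstract describes the pipeline but the page carries none of the paper's formulas, domains or weights. The following is an added worked example, not code from the paper, showing how an extension-set grade evaluation of this shape runs end to end for one threat: a qualitative rating of each factor (asset value, vulnerability, control gap) is mapped to an interval, the classic elementary dependent function K(x) of extenics scores the factor against the classical domain of each risk grade, the weighted sum gives the risk-correlation vector, and the grade with the largest correlation degree is the qualitative verdict. Everything specific is an assumption: the point-valued elementary dependent function stands in for the paper's interval dependent function (a rating is represented by the midpoint of its interval), and all interval bounds, grades and weights are constructed sample values.

```python
"""Extension-set grade evaluation for a single threat (added example, not from the paper).

Assumptions, none of which come from the page:
  * the classic elementary dependent function K(x) of extenics is used in
    place of the paper's interval dependent function;
  * a qualitative rating is mapped to an interval and then represented by
    that interval's midpoint;
  * classical domains, joint domain, weights and rating intervals are
    constructed sample values on a 0..10 scale.
"""

GRADES = ("low", "medium", "high")
JOINT_DOMAIN = (0.0, 10.0)  # X: the widest range any factor score can take

# Classical domain X0 of each risk grade, per factor (constructed values)
CLASSICAL_DOMAINS = {
    "asset_value":   {"low": (0, 3), "medium": (3, 7), "high": (7, 10)},
    "vulnerability": {"low": (0, 4), "medium": (4, 7), "high": (7, 10)},
    "control_gap":   {"low": (0, 3), "medium": (3, 6), "high": (6, 10)},
}

# Qualitative ratings an assessor can give, each mapped to an interval (constructed)
RATING_INTERVALS = {
    "asset_value":   {"ordinary": (0, 4), "important": (4, 8), "critical": (8, 10)},
    "vulnerability": {"minor": (0, 3), "moderate": (3, 7), "severe": (7, 10)},
    "control_gap":   {"strong": (0, 2), "partial": (2, 6), "absent": (6, 10)},
}

# Relative importance of the three factors (constructed, sums to 1)
WEIGHTS = {"asset_value": 0.4, "vulnerability": 0.35, "control_gap": 0.25}


def extension_distance(x, interval):
    """rho(x, <a,b>): negative inside the interval, zero at its ends, positive outside."""
    a, b = interval
    return abs(x - (a + b) / 2) - (b - a) / 2


def dependent_function(x, classical, joint):
    """Elementary dependent function K(x) = rho(x, X0) / D(x, X0, X).

    K > 0: x belongs to the grade; -1 <= K < 0: x is outside X0 but inside the
    joint domain X; K < -1: x is outside X altogether.
    """
    rho0 = extension_distance(x, classical)
    if rho0 <= 0:                 # x inside X0: convention D = -1
        return -rho0
    d = extension_distance(x, joint) - rho0
    if d == 0:                    # X0 and X share the endpoint that x lies beyond
        return -rho0 - 1
    return rho0 / d


def rating_to_score(factor, rating):
    """Qualitative rating -> interval -> midpoint (simplifying assumption)."""
    a, b = RATING_INTERVALS[factor][rating]
    return (a + b) / 2


def correlation_vector(ratings):
    """Weighted correlation degree of the threat with every risk grade."""
    vector = {}
    for grade in GRADES:
        total = 0.0
        for factor, rating in ratings.items():
            x = rating_to_score(factor, rating)
            k = dependent_function(x, CLASSICAL_DOMAINS[factor][grade], JOINT_DOMAIN)
            total += WEIGHTS[factor] * k
        vector[grade] = total
    return vector


def evaluate_threat(ratings):
    """Qualitative verdict: the grade with the largest correlation degree."""
    vector = correlation_vector(ratings)
    return max(vector, key=vector.get), vector


if __name__ == "__main__":
    # Constructed assessment of one threat
    sample = {"asset_value": "critical", "vulnerability": "moderate", "control_gap": "partial"}
    grade, vector = evaluate_threat(sample)
    for g in GRADES:
        print(f"{g:>6}: {vector[g]:+.3f}")
    print("risk grade:", grade)
```

The sign of each K value is what makes the verdict explainable: a positive degree for a grade means the factor already sits inside that grade's classical domain, a value between -1 and 0 means it is outside the grade but could move into it, and anything below -1 is outside the joint domain and should be treated as a data-entry problem rather than a risk signal.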

Key words: information security, risk evaluation, extensible set, dependent function