Risk Assessment Method Based on Business Process-Oriented Asset Evaluation for Information System Security

摘要

We presented risk assessment methodology focused on business-process oriented asset evaluation and qualitative risk analysis method. The business process-oriented asset evaluation is to evaluate asset's value by the degree of asset contribution related to business process. Namely, asset's value is different according to the importance of department to which asset belongs, the contribution of asset's business, and security safeguard, etc. We proposed new asset's value evaluation applied to the weight of above factors. The weight is decided by evaluation matrix by Delphi team. We assess risk by qualitative method applied to the improved international standard method which is added the effectiveness of operating safeguard at information system. It reflects an assumption that they can reduce risk level when existent safeguards are established appropriately. Our model derives to practical risk assessment method than existent risk assessment method, and improves reliability of risk analysis.