A method for evaluating risk based on an asset analysis focused on business processes, for the security of an information system, is provided. It realizes strict risk management by enabling an organization to expect a practical and correct risk analysis result value that takes into account the business characteristics of the organization and the environment of the information system. A qualitative asset price is converted into a quantitative asset price (S100). A reference for the weight of a secondary classification factor is determined in relation to a business process (S200). An asset is evaluated based on the qualitative asset price and the weight (S300). The reference for the risk and the security is determined (S400). The risk of the evaluated asset is evaluated based on the reference for the risk and the security (S500). The qualitative asset price is converted into the quantitative asset price based on a purchase cost, an annual operation expense, or a substitution cost.