Knowledge-based information security risk assessment method

Abstract

It is an important function for managers to keep away from information security risks. With the increasing complex and scale of information systems, information system security risks may be more difficult to assess and strategies for risk reduction may be lack of objectivity. To solve this problem, this paper proposes a knowledge-based information security risk assessment method in which basic rules and specific rules are defined to match every asset, threat and vulnerability. Basic rules are defined as the rules without influence of external relationships. Specific rules are defined as the rules by user group. Performance analysis shows this method could increase efficiency and ensure accuracy of risk assessment.