A scenario-based information security risk evaluation method

Abstract

Risk evaluation is the core process of information security risk management. An effective risk evaluation can protect organizations and maintain their ability to carry out missions and activities against threats, and it helps them implement the controls and safeguards that are actually needed. However, traditional information security risk evaluation approaches lack granular analysis and a clear expression of the security characteristics of risk, such as the possibility, attack path, and business impact. This paper presents a scenario-based information security risk evaluation method that, drawing on the idea of the Advanced Persistent Threat (APT) attack, evaluates the security risk status of an information system by constructing risk scenarios. Analyzing the technical impact and the business impact separately helps technicians and business decision makers grasp the system's risk status from the standpoint of their respective responsibilities. At the end of the paper, we present a practical risk scenario construction example, which provides scientific and effective guidance for the preparation of a risk evaluation report.

Ban, X., & Tong, X. (2014). A scenario-based information security risk evaluation method. International Journal of Security and Its Applications, 8(5), 21–30. https://doi.org/10.14257/ijsia.2014.8.5.03
