CAJ | 학술논문

由于当前主流的信息安全风险评估方法仅关注系统组件的风险，很少立足于业务风险视角，难以满足业务人员、组织管理者等不同层面人员对信息安全风险的理解。文中提出了一：仲层次化风险评估方法来量化风险，该方法将信息系统安全风险分为组件级、系统级和组织级3个层面，分别关注系统单一组件的风险、单个信息系统风险和多个信息系统构成的组织总体风险。通过对3个层次风险的逐层分析，使得风险分析结果更为全面和客观地反映安全风险评估的层次化需求。
유우당전주류적신식안전풍험평고방법부관주계통조건적풍험，흔소립족우업무풍험시각，난이만족업무인원、조직관리자등불동층면인원대신식안전풍험적리해。문중제출료일：중층차화풍험평고방법래양화풍험，해방법장신식계통안전풍험분위조건급、계통급화조직급3개층면，분별관주계통단일조건적풍험、단개신식계통풍험화다개신식계통구성적조직총체풍험。통과대3개층차풍험적축층분석，사득풍험분석결과경위전면화객관지반영안전풍험평고적층차화수구。
The current methods for risk assessment of information security concern only the risk of system components, base seldom on business risk perspective. Thus, it is difficult to meet the comprehension on information security risk by the people from different levels. Such as the operational staff, organization＇s management personnel. This paper proposes a hierarchic risk assessment method for quantifying the risk, and this method divides the information systems security risks into three levels including component level, system level and organizational level, and these levels respectively pay attention to the risk of a single component, the risk of a single information system and the organization＇s overall risk constituted by multiple information system. Through level-by-level analysis on these three levels of risk, the risk analysis results could more comprehensively and objectively reflect the hierarchic requirements in security risk assessment.