To address the problem that an assessment considering only the risk of individual assets cannot objectively reflect the true security level of an information system, an information security risk assessment model based on asset correlation is proposed. The relations between assets, and between assets and business, are analysed and an asset relation model is built; the rough set concept of attribute importance is used to assign weights to the security attributes that determine asset value, and the value of each asset is calculated; based on asset correlation, the threats, vulnerabilities and existing security measures of the assets are combined to calculate the risk value of the information system. Case validation shows that the risk values calculated on the basis of asset correlation are consistent with the actual risk faced by the information system, and comparison with the traditional calculation model shows that the proposed model reflects the security level of the information system more objectively and reasonably.
In view of the problem that single-asset risk assessment cannot reflect the real security level of an information system, an information security risk assessment model based on asset correlation was proposed. The relations between assets, and between assets and business, were analysed, and an asset relation model was built. The rough set concept of attribute importance degree was used to weight the security attributes that determine asset value, and each asset value was calculated. Based on the correlation between the assets, and combining asset threats, vulnerabilities and existing security measures, the risk value of the information system was calculated. Examples show that the risk values calculated on the basis of asset correlation are consistent with the actual risk of the information system. Compared with the traditional calculation model, the results show that the proposed model reflects the security level of the information system more objectively and reasonably.
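As an added illustration of the rough-set weighting step described above (example code, not from the paper): the significance of each security attribute is the drop in the dependency degree gamma_B(D) when that attribute is removed from the condition set, and the normalized significances become the weights used to score asset value. The decision table, the attribute names C/I/A and the 1..3 rating scale are constructed assumptions.

```python
"""Rough-set attribute significance used as weights for asset-value attributes."""
from collections import defaultdict

# Constructed decision table (not from the paper): each row is one asset rated
# 1..3 on the condition attributes C, I, A (confidentiality, integrity,
# availability); the decision is the expert-assigned asset value level.
ATTRIBUTES = ("C", "I", "A")
TABLE = [
    ({"C": 3, "I": 3, "A": 3}, 3),
    ({"C": 3, "I": 3, "A": 1}, 3),
    ({"C": 3, "I": 1, "A": 3}, 2),
    ({"C": 1, "I": 3, "A": 3}, 2),
    ({"C": 1, "I": 1, "A": 3}, 1),
    ({"C": 1, "I": 1, "A": 1}, 1),
    ({"C": 3, "I": 1, "A": 1}, 2),
    ({"C": 1, "I": 3, "A": 1}, 1),
]


def dependency_degree(table, attrs):
    """gamma_B(D) = |POS_B(D)| / |U|: the fraction of assets whose values on the
    attribute subset B determine the decision without ambiguity."""
    blocks = defaultdict(list)  # B-equivalence class -> decisions observed in it
    for cond, decision in table:
        blocks[tuple(cond[a] for a in attrs)].append(decision)
    # A class belongs to the positive region only if all its members agree on D.
    positive = sum(len(d) for d in blocks.values() if len(set(d)) == 1)
    return positive / len(table)


def attribute_weights(table, attrs=ATTRIBUTES):
    """sig(a) = gamma_C(D) - gamma_{C-{a}}(D), normalized so the weights sum to 1."""
    full = dependency_degree(table, attrs)
    sig = {a: full - dependency_degree(table, [b for b in attrs if b != a])
           for a in attrs}
    total = sum(sig.values())
    if total == 0:
        # No attribute is individually indispensable (e.g. all are redundant):
        # fall back to equal weights rather than dividing by zero.
        return {a: 1 / len(attrs) for a in attrs}
    return {a: s / total for a, s in sig.items()}


def asset_value(levels, weights):
    """Weighted sum of one asset's security-attribute ratings."""
    return sum(weights[a] * levels[a] for a in weights)


if __name__ == "__main__":
    w = attribute_weights(TABLE)
    print(w, asset_value({"C": 3, "I": 1, "A": 3}, w))
```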