Abstract: In the field of information security，risk assessment is the core of the risk management and control，also is the foundation and premises that builds up the safe system of the information system.This paper analyses the standards and process of information security risk assessment，and proposes a quantitative security risk method ISSREM（Information System Security Risk Evaluation Method），based on threat analysis.ISSREM has features such as easily operative，independent，practical and the evaluation results comparable.And the sensitivity analysis of threaten frequency is presented，which makes the evaluation results more objective.This paper gives the calculation model of the method and the main procedures of risk evaluation using the method.Finally，with examples to analyze the quantitative assessment method，this paper validates the rationality and effectiveness of the method.

Key words: information system, risk assessment, threat analysis, quantitative analysis, sensitivity analysis

摘要： 在信息安全领域中，信息风险评估是风险管理和控制的核心组成部分，是建立信息系统安全体系的基础和前提。分析了信息安全风险评估的标准及流程，提出一种基于威胁分析的量化风险评估方法ISSREM。该方法采用多属性决策理论，计算信息系统相对威胁程度，有利于评估者进行比较和选择，通过对威胁频率的灵敏度分析，使评估结果更具客观性和准确性。给出ISSREM的计算模型及用该方法进行风险评估的主要步骤，并结合实例对该定量评估方法进行分析，验证了该方法的合理性与有效性。

关键词: 信息系统, 风险评估, 威胁分析, 定量分析, 灵敏度分析