Abstract: Risk assessment has become an important part of information security management process. The method for risk assessment impacts the veracity and objectivity of the results, and also impacts the overall information security capacity of the organization. At present, many assessment methods only analyze threats and vulnerabilities of single asset, and the means to acquire the risk is questionnaires or matrix. They don’t provide systematic and objective risk value based on objects. This paper present a method of risk assessment based on combined objects, which adopts qualitative and quantitative means. This method resolves those problems and provides reasonable formula for computing the risk value.

Key words: information security, risk assessment, threat, vulnerability

摘要： 风险评估已经成为信息安全管理的重要组成部分，其方法的选择直接影响着风险结果的准确性和客观性，进而会影响到组织的整体信息安全水平。目前很多评估方法仅能对单个资产的威胁和脆弱性进行分析，并直接采用调查问卷或矩阵的方式得到风险，而没有从面向对象的角度给出威胁相对于系统的客观的整体风险值。本文提出了一种针对组合对象的定性与定量相结合的风险评估方法，有效解决了上述问题，并给出了合理的风险计算公式。

关键词: 信息安全, 风险评估, 威胁, 脆弱性