Abstract: In order to accurately evaluate the impact to business，which is from the risk of information security，this paper provides a method based on the state changes of business activities.This method explains the impact that the state transition of information system makes the delay of business procedure when this risk is being solved，and makes the delay as a benchmark to evaluate the impact of risk to business.The business procedure delay is one of the most critical indicators.In the end，this paper proves the accuracy of this method by the analysis of example.

Key words: information security, risk evaluation, business process, business risk

摘要： 为精确计量威胁发生可能导致的影响，提出了一种基于业务活动状态变化的信息安全风险计算方法。该方法将威胁发生对业务的影响归结为求解信息系统的业务活动的状态跃迁，以及这种跃迁导致的业务流程时间延迟问题，并以延迟时间为基准来度量业务影响。业务流程时间是最关键的业务运营绩效指标之一，这确保了该方法具备工程实践意义。最后，通过应用实例分析结果，证明了提出的风险计算方法的精确性。

关键词: 信息安全, 风险评估, 业务流程, 业务风险