Information systems face many risks: improper operations, whether intentional or unintentional, and malicious attempts to destroy them. All of these risks stem from information security problems, whose root cause is the openness of computer networks, the complexity of information systems, and the continuous development of information technology together with its vulnerabilities and threats. Threats exist objectively, no information system is absolutely safe, and risk is always present. Risk is therefore a measure of security: if the risk is unacceptable, the system is dangerous and unsafe; if the risk is acceptable, the system is safe. To solve security problems, we must take targeted measures to reduce or eliminate risk.
The value and importance of an information system and its resources oblige people to ensure its safe and controllable operation. Something without value needs no protection, so it presents no security problem. The value of an information system and the vulnerability of its components, whose causes are both internal and external (for example, improper operation by users or deliberate damage by attackers), together constitute the system's risk. Each information system has different resources, different vulnerabilities and different threats, so the types and magnitudes of its risks differ. The openness, complexity and dynamic nature of information systems mean that their risks exist widely and for a long time, and that they keep developing and changing; even within the same system, risks change with factors such as upgrades or changes in the business. No security measure is a cure for all ills. To achieve security goals, the risks an information system faces must be identified and then dealt with in a targeted manner.
On the other hand, given the realities of cost and benefit and the continuous development of information technology, the approach to information security is not to pour all available manpower, material and financial resources into fighting every risk in an attempt to reduce risk to zero and achieve absolute safety (absolute security is in fact unattainable), but to reduce the risk of the information system to an acceptable level and thereby improve its security. To achieve this goal we must know which risks the information system faces and how likely each is to occur. This is the basic content of information system risk assessment.
The inherent vulnerability of information system components, external threats and the value of the information system are the elements that constitute risk. These elements will persist widely and for a long time, so risk is long-term and pervasive. The existence of risk is the root cause of information security problems. Only by understanding risk can we reduce and confront it, and prevent or reduce the occurrence of security incidents. This requires risk assessment.
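The following is an added example, not part of the original text, showing how the three risk elements named above (asset value, vulnerability, threat) and an acceptable-risk level can be turned into a small risk register. The 1-5 rating scale, the multiplicative scoring rule, the sample assets and the acceptable level of 30 are all assumptions made for illustration; the text itself prescribes no particular scoring method.

```python
"""Toy risk register: risk as a function of asset value, vulnerability and threat.

Assumption (not from the original text): each factor is rated on a 1-5
ordinal scale and the three ratings are multiplied, giving scores from 1 to 125.
Any comparable scoring rule would serve; the point is the acceptable/unacceptable
decision and the re-assessment after a targeted measure is applied.
"""
from dataclasses import dataclass, replace

MIN_RATING, MAX_RATING = 1, 5


@dataclass(frozen=True)
class RiskItem:
    asset: str          # the information system resource at risk
    value: int          # how much the asset is worth to the organisation (1-5)
    vulnerability: int  # inherent weakness of the component, an internal cause (1-5)
    threat: int         # likelihood a threat acts on that weakness, an external cause (1-5)


def _check(rating: int, name: str) -> int:
    """Reject ratings outside the assumed ordinal scale."""
    if not MIN_RATING <= rating <= MAX_RATING:
        raise ValueError(f"{name} must be between {MIN_RATING} and {MAX_RATING}, got {rating}")
    return rating


def risk_score(item: RiskItem) -> int:
    """Assumed scoring rule: value x vulnerability x threat."""
    return (_check(item.value, "value")
            * _check(item.vulnerability, "vulnerability")
            * _check(item.threat, "threat"))


def assess(register, acceptable_level: int):
    """Return (score, acceptable?, item) triples, highest risk first."""
    rows = []
    for item in register:
        score = risk_score(item)
        rows.append((score, score <= acceptable_level, item))
    return sorted(rows, key=lambda row: row[0], reverse=True)


def unacceptable(register, acceptable_level: int):
    """Names of the assets whose risk exceeds the acceptable level."""
    return [item.asset for _, ok, item in assess(register, acceptable_level) if not ok]


def treat(item: RiskItem, vulnerability_reduction: int) -> RiskItem:
    """Model a targeted measure that lowers the component's vulnerability rating."""
    new_rating = max(MIN_RATING, item.vulnerability - vulnerability_reduction)
    return replace(item, vulnerability=new_rating)


# Constructed sample register; the values are illustrative only.
REGISTER = [
    RiskItem("customer database", value=5, vulnerability=4, threat=4),
    RiskItem("internal wiki", value=2, vulnerability=3, threat=2),
    RiskItem("build server", value=4, vulnerability=3, threat=3),
    RiskItem("lobby kiosk", value=1, vulnerability=5, threat=2),
]
ACCEPTABLE_LEVEL = 30  # assumed organisational risk appetite


if __name__ == "__main__":
    for score, ok, item in assess(REGISTER, ACCEPTABLE_LEVEL):
        status = "acceptable" if ok else "UNACCEPTABLE"
        print(f"{item.asset:18} score={score:3}  {status}")
    # Apply a targeted measure to the highest-risk item and re-assess.
    worst = assess(REGISTER, ACCEPTABLE_LEVEL)[0][2]
    for reduction in (2, 3):
        treated = treat(worst, reduction)
        print(f"{worst.asset}: {risk_score(worst)} -> {risk_score(treated)} "
              f"after reducing vulnerability by {reduction}")
```

Running the register shows the two points the text makes: the same measure produces different outcomes on different assets, and a measure is only sufficient once the re-assessed score falls to the acceptable level. With the constructed values, lowering the customer database's vulnerability by two steps still leaves it above the threshold; a third step brings it within the acceptable level.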