Risk assessment is an essential step before information security management can be carried out. Because risk is usually a subjective judgment, qualitative risk analysis is the method commonly used for risk assessment. However, current risk analysis practice frequently omits important assets. This thesis therefore points out the problems of qualitative risk analysis methods, examining in particular the reasonableness of how asset values are expressed and the inconsistency that rank reversal introduces into risk ranking, and summarizes the points at which risk analysis must be handled with care. It also reviews the approaches taken by the international standards and guidelines commonly used in information security and offers recommendations for applying qualitative risk analysis methods, as a reference for carrying out risk assessment.