In recent years, as information technology and information-processing environments have changed continuously, organizations have not only applied information technology to improve the efficiency of business operations; information security has also gradually become a focus of their attention. To meet organizations' information-security needs, researchers have proposed many risk assessment methods that examine security risk not solely from a technical standpoint but from a comprehensive perspective that considers the information-security concerns an organization may face. The goal of these assessment methods is to analyze the information-security risks an organization may encounter and to use the assessment results to determine which assets and risks should be treated first, thereby reducing both the likelihood that potential threats occur and the severity of the impact they may cause. This study describes five risk assessment methods in detail: CORAS, OCTAVE, IS risk analysis based on a business model, ISRAM and ISO 27005; some of these methods require the support of software packages or systems to improve the efficiency of the risk analysis process. Finally, the methods are compared, and on the basis of that comparison an organization that wishes to adopt risk assessment can select the method appropriate to its actual operating conditions and avoid unnecessary costs.
In recent years, information technologies and information processing environments have evolved rapidly, so organizations need to pay more attention to information security issues. To satisfy organizations' needs, many security risk assessment methods have been proposed. The major objectives of those methods are to analyze the security risks of an organization and to set treatment priorities. Based on the risk assessment results, organizations can reduce potential threats and their impacts. In this paper, we introduce the following five risk assessment methods in detail: CORAS, OCTAVE, IS risk analysis based on a business model, ISRAM and ISO 27005. Some of those methods require system support to improve the efficiency of the risk analysis process. At the end of this paper, we compare those methods and draw conclusions. Organizations can choose the most appropriate method according to our comparison.