With the growth of the Internet, information security has received ever more attention, and so has the management of information security risk. An information risk assessment lets us understand an organization's overall security risk and propose corresponding countermeasures, with the aim of reducing residual risk to a minimum. Most current security risk studies express the severity of risk with non-quantitative attributes; here we use a decision-tree security-indicator quantification model, combined with quantitative statistical data and a qualitative questionnaire survey, to calculate risk. Qualitative studies are easier to carry out, but they rarely yield a generalizable result: risk is commonly divided into three levels (low, medium, high), an outcome that is often overly subjective and backed by no actual risk figures, whereas a probabilistic quantitative model makes the assessment more objective. In practice many quantitative statistics are hard to obtain, while qualitative data are overly subjective, so this study adopts a hybrid model to compute risk. Quantitative data are taken from system statistics or from government agencies, such as the fire statistics of the National Fire Agency of the Ministry of the Interior; qualitative data are collected with a questionnaire scale that captures the opinions of experts within the organization. After the assessment, interviews with staff of the validating organization confirm whether these risks actually exist. The validation showed that the residual-risk values let information-department managers see which risks most urgently need attention and improvement.
With the rise of Internet technology, information security issues become more important every day. Putting risk assessment into practice helps an enterprise examine its overall information risk and then take countermeasures, with the aim of reducing residual risk in risk management. Many security risk templates use non-quantitative attributes to express risk; this study uses a decision-tree model to quantify risk with both quantitative (statistical reports) and qualitative (self-administered questionnaire) data. Although a qualitative approach is easier to implement, it is difficult to reach a generalized result, since the outcome is subjective and lacks actual figures. Purely quantitative data depend on statistical reports or logs, and such data are limited, so we employ a hybrid decision-tree model to quantify the security risk of a computer room. After the empirical study and verification of the residual risk with the evaluators, we found that the residual-risk figures effectively help a business understand and reduce its risk.
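The abstract describes the hybrid approach only in outline: each threat to the computer room is a leaf of a decision tree, its likelihood comes either from a statistical report (quantitative) or from an expert questionnaire (qualitative), and the residual risk after existing controls is what managers use to prioritize. The following Python script is an added illustration of that structure and is not the thesis's own model, code or data. The tree layout, the linear mapping from a 1-to-5 questionnaire score to a probability, the expected-loss formula (probability times impact, reduced by a control-effectiveness factor) and every number in the sample tree are assumptions constructed for this example; a real study would replace the "assumed" probabilities with figures from an official statistical table and the scores with actual questionnaire responses.

```python
"""
Hybrid decision-tree risk quantification, added as an illustration of the
approach described in the abstract. The tree layout, the Likert-to-probability
mapping and every number below are assumptions constructed for this example;
they are not the thesis's model or its data.
"""
from dataclasses import dataclass
from statistics import mean
from typing import List, Optional


@dataclass
class Threat:
    """One leaf of the decision tree: a threat to the computer room."""
    name: str
    impact: float                                 # expected loss if the event occurs (assumed currency units)
    annual_probability: Optional[float] = None    # quantitative: taken from a statistical report
    expert_scores: Optional[List[int]] = None     # qualitative: questionnaire answers, 1..LIKERT_MAX
    control_effectiveness: float = 0.0            # share of the loss removed by existing controls


LIKERT_MAX = 5


def likert_to_probability(scores: List[int], scale_max: int = LIKERT_MAX) -> float:
    """Assumed mapping: average the experts' scores and scale linearly into (0, 1]."""
    if not scores:
        raise ValueError("no questionnaire responses")
    for s in scores:
        if not 1 <= s <= scale_max:
            raise ValueError(f"score {s} outside 1..{scale_max}")
    return mean(scores) / scale_max


def probability(t: Threat) -> float:
    """Prefer the statistical figure; fall back to the questionnaire when none is available."""
    if t.annual_probability is not None:
        if not 0.0 <= t.annual_probability <= 1.0:
            raise ValueError(f"{t.name}: probability out of range")
        return t.annual_probability
    if t.expert_scores:
        return likert_to_probability(t.expert_scores)
    raise ValueError(f"{t.name}: neither statistics nor questionnaire data available")


def inherent_risk(t: Threat) -> float:
    """Expected annual loss before controls: probability x impact."""
    return probability(t) * t.impact


def residual_risk(t: Threat) -> float:
    """Expected annual loss that remains after the existing controls."""
    if not 0.0 <= t.control_effectiveness <= 1.0:
        raise ValueError(f"{t.name}: control effectiveness out of range")
    return inherent_risk(t) * (1.0 - t.control_effectiveness)


def evaluate(tree: List[Threat]) -> dict:
    """Sum the leaves of the tree and rank them by residual risk, highest first."""
    ranked = sorted(tree, key=residual_risk, reverse=True)
    return {
        "inherent_total": sum(inherent_risk(t) for t in tree),
        "residual_total": sum(residual_risk(t) for t in tree),
        "ranking": [(t.name, round(residual_risk(t), 2)) for t in ranked],
    }


# Constructed sample tree for a computer room. Probabilities marked "assumed"
# stand in for figures a real study would take from an official statistical
# report; the expert scores stand in for questionnaire answers.
COMPUTER_ROOM = [
    Threat("fire", impact=5_000_000, annual_probability=0.002,            # assumed
           control_effectiveness=0.7),                                    # suppression system
    Threat("power outage", impact=200_000, annual_probability=0.05,       # assumed
           control_effectiveness=0.8),                                    # UPS and generator
    Threat("unauthorized entry", impact=50_000, expert_scores=[3, 4, 2],  # questionnaire
           control_effectiveness=0.5),                                    # badge access
    Threat("water leak", impact=300_000, annual_probability=0.01),        # assumed, no control yet
]

if __name__ == "__main__":
    result = evaluate(COMPUTER_ROOM)
    print(f"inherent total: {result['inherent_total']:.2f}")
    print(f"residual total: {result['residual_total']:.2f}")
    for name, value in result["ranking"]:
        print(f"  {name:<20} {value:>10.2f}")
```

With the constructed figures the inherent total is 53,000 and the residual total 23,000, and "unauthorized entry", whose likelihood came only from the questionnaire, tops the ranking because its existing control is the weakest. That ranking is the output the abstract says managers use: the leaf with the highest residual value is the one that most urgently needs an improved control, and the gap between the inherent and residual totals shows how much the existing controls are already buying.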