Design of a computer-aided system for risk assessment on information systems

The Internet creates an efficient environment for businesses to conduct transactions, while also creating a channel for outsiders to access organizational assets. To determine the reasonable amount of security investment, security officers would conduct risk assessment to evaluate the risk values in existing systems. In traditional risk assessment processes, however, heavy dependence on human experts leads to difficulties in automating risk assessment. We propose a transaction based computer aided system to facilitate risk assessment on information systems. The proposed system evaluates assets with business transactions, which facilitates the procedures of asset evaluation. The likelihood model used by the system can assist the risk analysts in conducting what-if analyses to determine risk values. Therefore, the proposed system contributes in enhancing the level of automation regarding risk assessment.