What are the theories and tools of information security risk assessment?
At present, a number of generalized, traditional risk assessment theories (not aimed specifically at information system security) have been proposed internationally. By calculation method they divide into qualitative, quantitative and partly quantitative methods; by means of realization, into tree-based techniques and dynamic system techniques. Examples of each are as follows.

Qualitative methods:
1. Preliminary risk analysis
2. Hazard and operability study (HAZOP)
3. Failure mode and effects analysis (FMEA/FMECA)

Tree-based techniques:
1. Fault tree analysis
2. Event tree analysis
3. Causal analysis
4. Management oversight and risk tree
5. Safety management organization review technique

Dynamic system techniques:
1. GO method (trial method)
2. Digraph / fault graph
3. Markov modelling
4. Dynamic event logic analysis method
5. Dynamic event tree analysis

Information security assessment tools can be roughly divided into the following categories:
1. Scanning tools: host, network and database scanners, used to find common vulnerabilities in a system;
2. Intrusion detection systems (IDS): used to collect and count threat data;
3. Penetration testing tools: hacking tools used for manual penetration and evaluation of deep-seated vulnerabilities in a system;
4. Host security audit tools: used to analyse the security of host system configuration;
5. Security management evaluation systems: used for security interviews and evaluation of security management measures;
6. Risk comprehensive analysis systems: based on the collected basic data, they perform a quantitative comprehensive analysis of system risk and provide classified statistics, queries, top-N queries, report output and so on;
7. Supporting-environment evaluation tools: evaluation index base, knowledge base, vulnerability base, algorithm base and model base.
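As an added illustration that is not part of the original answer, the following Python evaluates a small constructed fault tree for an information system, showing how one tree-based method yields both a qualitative result (minimal cut sets) and a quantitative one (top-event probability). The event names, tree shape and probabilities are all constructed for the example.

```python
from itertools import product

# Constructed fault tree for the top event "customer database disclosed".
# A gate is (gate_type, children); a leaf is the name of a basic event.
# "no_mfa" deliberately feeds two gates, as shared events do in real trees.
FAULT_TREE = ("OR", [
    ("AND", ["weak_admin_password", "no_mfa"]),
    ("AND", ["phished_admin", "no_mfa"]),
    ("AND", ["backup_unencrypted", "backup_media_lost"]),
])

# Illustrative yearly probabilities of each basic event (constructed, not measured).
BASIC_EVENTS = {"weak_admin_password": 0.2, "no_mfa": 0.5, "phished_admin": 0.3,
                "backup_unencrypted": 0.1, "backup_media_lost": 0.05}


def evaluate(node, state):
    """True when the node's event occurs under a truth assignment of basic events."""
    if isinstance(node, str):
        return state[node]
    gate, children = node
    results = [evaluate(child, state) for child in children]
    return all(results) if gate == "AND" else any(results)


def minimal_cut_sets(node):
    """Qualitative result: minimal combinations of basic events that cause the top event."""
    if isinstance(node, str):
        return [frozenset([node])]
    child_sets = [minimal_cut_sets(child) for child in node[1]]
    if node[0] == "AND":
        cuts = [frozenset().union(*combo) for combo in product(*child_sets)]
    else:
        cuts = [cut for sets in child_sets for cut in sets]
    # a cut set that contains another cut set is not minimal
    return sorted({cut for cut in cuts if not any(other < cut for other in cuts)}, key=sorted)


def top_event_probability(node, probs):
    """Quantitative result: exact top-event probability for independent basic events.
    Enumerating every assignment stays exact when an event feeds several gates,
    whereas combining gate probabilities bottom-up would double count it."""
    names = sorted(probs)
    total = 0.0
    for bits in product([False, True], repeat=len(names)):
        if evaluate(node, dict(zip(names, bits))):
            weight = 1.0
            for name, occurs in zip(names, bits):
                weight *= probs[name] if occurs else 1.0 - probs[name]
            total += weight
    return total
```

Exhaustive enumeration is only practical for small trees; larger ones use minimal cut sets with inclusion-exclusion or binary decision diagrams, which the page's listed methods assume but do not spell out.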
Looking at the present state of these theories and tools, the outstanding problems are:
1. modelling, formal description and proof still lack depth;
2. how generalized theory is to be applied in risk assessment;
3. how qualitative and quantitative methods can be made more effective;
4. how the results of tool application can reflect the essence of the risk and measure it effectively and accurately;
5. how the use of tools can be coordinated comprehensively.

Author: unknown