How to evaluate information security risk efficiently?

In the risk assessment and evaluation stage, project team members should devote most of their effort to identifying risk items and defining their grades. Beyond relying on the implementers' information security assessment experience, using effective methods and tools is also of great significance for improving the efficiency and accuracy of the work.

1. Establish an effective risk analysis model.

To carry out risk assessment more effectively, the risk analysis model atsec uses covers several levels: the likelihood of the risk occurring, the initial (existing) control measures, the impact of the risk on the customer's business, the impact on the customer's brand, and the impact on the customer's income. In the analysis itself, the assessor starts from the brand, income and customer impact, drawing on interviews, penetration testing and other relevant input, and assigns a value to each option according to the criteria defined in the method. The following figure shows an example of threats to databases and application systems as handled across the whole risk assessment process:

2. Use semi-quantitative risk calculation method.

Because threats themselves change constantly and are hard to measure, a semi-quantitative assessment method is recommended. In practice, atsec's approach is to rate the assessment result of each threat semi-quantitatively and then refine the final result through a risk calculation method. For reasons of space, the specific calculation method is not expanded on here.

3. Use automated risk calculation tools.

Building on the risk assessment, atsec uses self-developed calculation tools during implementation to minimise the share of the workload taken up by risk calculation.
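As an added illustration of points 1 to 3 (this is not atsec's tool or its published calculation method), the following Python scorer takes the five model dimensions named above, applies an assumed semi-quantitative rule (existing controls reduce likelihood; the worst-hit impact dimension dominates) and grades a small constructed register of database and application-system threats:

```python
from dataclasses import dataclass

# Assumed ordinal scales (not atsec's published criteria): likelihood and each
# impact dimension are rated 1 (very low) to 5 (very high); the effectiveness of
# initial controls is rated 0 (none) to 4 (strong, tested control).
@dataclass(frozen=True)
class ThreatRating:
    name: str
    likelihood: int        # how likely the threat is to materialise
    control: int           # effectiveness of initial (existing) controls
    business_impact: int   # impact on the customer's business operations
    brand_impact: int      # impact on the customer's brand
    revenue_impact: int    # impact on the customer's income

    def __post_init__(self):
        impacts = (self.business_impact, self.brand_impact, self.revenue_impact)
        if not all(1 <= v <= 5 for v in (self.likelihood, *impacts)):
            raise ValueError(f"{self.name}: likelihood/impact ratings must be 1..5")
        if not 0 <= self.control <= 4:
            raise ValueError(f"{self.name}: control effectiveness must be 0..4")

def residual_likelihood(r: ThreatRating) -> int:
    # Existing controls lower the likelihood, but never below 1.
    return max(1, r.likelihood - r.control)

def impact(r: ThreatRating) -> int:
    # The worst-hit dimension dominates: a brand-damaging leak is still critical
    # when the direct revenue loss is small.
    return max(r.business_impact, r.brand_impact, r.revenue_impact)

def risk_score(r: ThreatRating) -> int:
    return residual_likelihood(r) * impact(r)   # 1..25

def risk_grade(score: int) -> str:
    if score >= 15:
        return "high"
    return "medium" if score >= 8 else "low"

def grade_register(ratings):
    """Map threat name -> (score, grade), highest score first."""
    scored = {r.name: (risk_score(r), risk_grade(risk_score(r))) for r in ratings}
    return dict(sorted(scored.items(), key=lambda kv: kv[1][0], reverse=True))

# Constructed sample register for the page's database/application-system threats.
# Argument order: name, likelihood, control, business, brand, revenue impact.
SAMPLE = [
    ThreatRating("Injection flaw in customer-facing application", 4, 1, 3, 5, 3),
    ThreatRating("Unpatched database server", 3, 2, 4, 2, 2),
    ThreatRating("Shared DBA password", 4, 0, 3, 2, 2),
]
```

Changing the grade thresholds or the control-to-likelihood rule is where an organisation's own criteria would be substituted; the structure of the register stays the same.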

4. Maximize the use of auxiliary tools.

When evaluating technical threats, such as the security of key accounts and passwords, it is often difficult to reach an accurate judgement through management interviews alone. In such cases, atsec makes as much use as possible of auxiliary tools and techniques, such as password strength verification and vulnerability scanning of servers.