A risk recommendation approach for information security risk assessment

2013 
Information security has become a critical issue in protecting the benefits of business operations. Many organizations introduce security risk management to ensure the security of their business processes. However, during risk assessment it is difficult and time-consuming to identify the threats and vulnerabilities for each asset. Furthermore, if the identified results diverge from the real situation, the organization may implement unnecessary controls to prevent non-existent risks. To resolve these problems, we adopt a data mining approach to find the relationship between assets and their threats and vulnerabilities. We then propose a recommendation scheme to assist users in identifying threats and vulnerabilities. The experimental results show that our recommendation mechanism can improve the efficiency and accuracy of risk assessment.