Factor identification and computation in the assessment of information security risks for digital libraries

Abstract

This study proposes an objective methodology for identifying and computing the factors relevant to the assessment of information security risks for digital libraries that is also compliant with the ISO 27000 and the GB/T 20984 standards. By introducing a fuzzy comprehensive assessment method and an expert investigation method to the dimensions of assets and threats, this study proposes a model for computing the value of assets and the severity of threats. In the dimension of vulnerabilities, a vulnerability computation model based on the multi-channel weighted average method is proposed. By considering the digital library of a typical public library in China as the object of assessment, this study acquires assessment data by using a combination of a questionnaire survey, an on-site survey and vulnerability scanning. Research findings consisted of the following: (1) the digital library identified a total of 3111 information security risk items; (2) according to the assessment results attained using a combination of the factor identification and computational methodologies proposed here in conjunction with the multiplicative method specified in GB/T 20984, the high-risk (or higher risk) items accounted for 0.9% of all risky items, which is consistent with the status quo in information security risks faced by digital libraries. The analysis showed that the proposed methodology is more scientific than the currently prevailing direct value assignment method.