
Graduate student: 劉立婷 (Li-Ting Liu)
Thesis title: 以流程導向方法來校正資訊資產價值之方法 (A Process-Oriented Approach to Validate Asset Value for Risk Evaluation)
Advisor: 查士朝 (Shi-Cho Cha)
Committee members: 黃世禎 (Shih-Chen Huang), 周子銓 (Tzu-Chuan Chou)
Degree: Master
Department: College of Management, Department of Information Management
Year of publication: 2009
Academic year of graduation: 97 (ROC calendar)
Language: Chinese
Pages: 55
Keywords (Chinese): 風險管理, 風險評估, 資訊安全管理, 商業流程
Keywords (English): Risk Management, Risk Assessment, Information Security Management, Business Process
Usage statistics: 310 views, 4 downloads
Abstract (Chinese, translated): As risk management has attracted growing attention, choosing an appropriate risk assessment method to evaluate and control risk has become a primary goal for enterprises. Most common risk assessment methods today are asset-based: they estimate the losses that potential incidents could cause. Asset identification and asset valuation are therefore especially important in current risk assessment processes.
However, most of the current literature does not address how to check the correctness of asset values. To address this problem, this study uses an improved flowchart interface that brings the role of each information asset in a process into the assessment, marking the relationships between processes and assets and between assets themselves, so as to improve the accuracy of asset valuation. The study has two parts. The first part re-evaluates the value of assets that may be affected by such relationships and marks the availability, integrity and confidentiality requirements of the assets with different symbols. The second part uses these markings to re-calibrate the value of each information asset, so that asset valuation becomes more accurate, risk assessment more effective, and the enterprise can adopt more appropriate controls and improve information security across its operations.


Abstract (English): While risk management has become a prominent topic, choosing an appropriate risk assessment scheme for assessing risks and adopting effective controls to improve information security has become both an important issue and an objective for organizations. Most current risk assessment approaches estimate potential incidents and calculate their loss expectancies by identifying threats and vulnerabilities on the basis of assets. This systematic approach, which we call the asset-driven risk assessment scheme, is commonly used to identify and assess information security risks.
Although many guidelines exist to help a person evaluate the value of an asset, current risk assessment schemes usually do not address how to validate the asset values people assign, and people may overlook some risks. To maintain or even improve the accuracy and effectiveness of asset valuation, this study proposes a process-oriented approach by which an organization can validate and adjust asset values. It lets organizations depict their business processes, and the information assets used in those processes, as flowcharts that show the relationships between assets and processes. First, people mark the roles of assets according to the confidentiality, integrity and availability requirements of those assets. Organizations then use these markings to validate and correct the results of asset valuation. As a result, information security can be raised to a higher level.

Table of contents:
Abstract (Chinese) I
Abstract (English) II
Acknowledgements III
Table of Contents IV
List of Figures VI
List of Tables VII
Chapter 1: Introduction 1
1.1 Research Background and Motivation 1
1.2 Research Objectives and Contributions 3
1.3 Research Scope and Process 3
1.3.1 Research Scope 3
1.4 Chapter Structure 4
Chapter 2: Background Knowledge and Literature Review 6
2.1 Risk Management Process and Risk Assessment 6
2.2 Asset-Driven Risk Assessment Methods 11
2.2.1 Definition of Asset-Driven Risk Assessment Methods 11
2.2.2 Relationship Between Asset Value and Risk Value Calculation 13
2.2.3 Asset Valuation 17
2.2.4 Problems in Asset Valuation 20
2.2.5 Summary 26
Chapter 3: The Concept of Correcting Information Asset Value by Process Role 27
Chapter 4: Proposed Approach 31
4.1 Description of the Approach 31
4.2 Flowchart Marking Method 31
4.2.1 Availability Marking 31
4.2.2 Confidentiality Marking 33
4.2.3 Integrity Marking 35
4.2.4 Integration 36
4.2.5 Limitations of the Marking Method 37
4.3 Asset Value Correction 38
4.3.1 Availability Correction 38
4.3.2 Confidentiality Correction 40
4.3.3 Integrity Correction 40
Chapter 5: Example Scenario 42
5.1 Example of the Approach 42
5.1.1 Drawing the Flowchart 42
5.1.2 Identifying Assets That Affect Availability 43
5.1.3 Consolidating the Marking Results 45
5.1.4 Asset Value Correction 46
Chapter 6: Research Results and Future Directions 50
6.1 Conclusions and Research Contributions 50
6.2 Future Work 50
References 52

