ABSTRACT

Information system security is a key issue for the continuity of enterprise operations. Although many enterprises have invested substantial resources in security, most of them lack methods to evaluate whether their information systems are secure enough, and the complexity of these systems makes such evaluation a hard task. To improve the security evaluation of information systems, we define three kinds of security elements according to whether they are complementary, correlated or independent of one another. We then introduce the dependency and correlation relationships between the products that make up an information system. Based on these concepts, together with the properties of access paths through the system, we put forward a formal evaluation model for information system security and develop a security evaluation toolkit that implements it.