Keywords: risk assessment, Analytic Hierarchy Process, information security
Introduction

Information security risk management is the overall process that identifies and analyzes the risks to which the organization is exposed, assesses their potential impact on the business, and takes measures to eliminate or reduce the risk to an acceptable level [1]. Information security risk assessment is one stage of information security risk management; the subsequent risk control and approval activities depend on the results of the risk assessment. There are many risk assessment methods, which can be divided into three categories: qualitative risk assessment methods, quantitative risk assessment methods, and comprehensive assessment methods that combine qualitative and quantitative methods [2]. In reference [3], the key issues in the process of information security risk assessment are identified and quantitative methods of risk assessment are studied. In reference [4], a quantitative method based on expert judgments, fuzzy logic and the analytic hierarchy process is used to evaluate the impact and possibility values for specific threats. In reference [5], a Bayesian network is introduced into the information security risk assessment system to establish the risk analysis model. In reference [6], an information security risk assessment approach based on a two-stage decision model with a grey synthetic measure is proposed to address fuzziness and uncertainty from many aspects.

However, there are too many elements in the process of information security risk assessment, which makes the calculation of the risk value complicated and cumbersome. How to identify the more important elements among the many assessment elements, so as to simplify the calculation of the risk value and provide a sound basis for taking relevant measures, is a problem that needs to be solved.
In addition, the reliability of the risk assessment results cannot be guaranteed by a single qualitative or quantitative assessment method alone: qualitative methods are too subjective and coarse, while some risk elements may be misunderstood or misinterpreted in the process of quantitative assessment, which greatly affects the accuracy of the evaluation results [7].

By AHP, the relative weights of the elements related to information security risk can be calculated. Then the optimal indicators, which simplify the calculation of the risk value, can be
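The AHP weighting step referred to above, written here as an added example (not code from the paper): it derives relative weights of risk elements from a pairwise comparison matrix and checks the judgements with Saaty's consistency ratio. The element names, the judgement matrix and the 0.10 acceptance threshold are constructed or conventional assumptions, not values from the paper.

```python
# Added example (not from the paper): AHP priority weights for risk elements
# from a pairwise comparison matrix, with Saaty's consistency ratio check.
# Element names and judgement matrices are constructed sample data.
from math import prod

# Saaty's random consistency index by matrix order n (standard AHP table).
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12,
                6: 1.24, 7: 1.32, 8: 1.41, 9: 1.45, 10: 1.49}


def ahp_weights(matrix):
    """Priority vector via the row geometric-mean method, normalised to sum 1."""
    n = len(matrix)
    gmeans = [prod(row) ** (1.0 / n) for row in matrix]
    total = sum(gmeans)
    return [g / total for g in gmeans]


def consistency_ratio(matrix, weights):
    """Return (lambda_max, CI, CR); CR <= 0.10 is the conventional limit."""
    n = len(matrix)
    if n < 3:
        return float(n), 0.0, 0.0  # 1x1 and 2x2 matrices are always consistent
    aw = [sum(a * w for a, w in zip(row, weights)) for row in matrix]
    lambda_max = sum(x / w for x, w in zip(aw, weights)) / n
    ci = (lambda_max - n) / (n - 1)
    return lambda_max, ci, ci / RANDOM_INDEX[n]


def rank_risk_elements(names, matrix):
    """Weight each element (highest first) and report whether judgements are consistent."""
    w = ahp_weights(matrix)
    lam, ci, cr = consistency_ratio(matrix, w)
    ranked = sorted(zip(names, w), key=lambda p: p[1], reverse=True)
    return {"ranking": ranked, "lambda_max": lam, "CI": ci, "CR": cr,
            "consistent": cr <= 0.10}


# Constructed sample: three risk elements compared pairwise on Saaty's 1-9 scale.
ELEMENTS = ["asset value", "threat likelihood", "vulnerability severity"]
JUDGEMENTS = [[1, 3, 5],
              [1 / 3, 1, 3],
              [1 / 5, 1 / 3, 1]]

if __name__ == "__main__":
    result = rank_risk_elements(ELEMENTS, JUDGEMENTS)
    for name, weight in result["ranking"]:
        print(f"{name:24s} {weight:.3f}")
    print(f"lambda_max={result['lambda_max']:.3f} CR={result['CR']:.3f} "
          f"consistent={result['consistent']}")
```

A CR above 0.10 means the pairwise judgements contradict each other (e.g. A > B > C but C > A) and should be revisited before the weights are used to prune assessment elements.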