摘要： 风险评估作为信息安全管理流程中最关键的步骤之一，需要一套科学的模型来保证其有效实施。研究和制定风险评估的模型、算法和流程成为当前研究的热点问题。该文依据ISO/IEC通用标准及一些商用标准，提出了一种较为科学且行之有效的风险评估模型和算法，并且描述了风险评估的流程，对组织自评估有很好的参考意义。

关键词: 风险评估, 模型, 算法

Abstract: As one of the key steps of IT security management, risk assessment, on which more and more attention is paid, needs an scientific model to guarantee its effective implementation. This article, according to a series of ISO/IEC and commercial standards, introduces an effective risk assessment model and its algorithm, describes the steps of implementation, which offers a good reference to organizing self-assessment.

Key words: Risk assessment, Model, Algorithm