
Computer Engineering ›› 2011, Vol. 37 ›› Issue (19): 277-279. doi: 10.3969/j.issn.1000-3428.2011.19.091

• Development Research and Design Technology •

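  • About the authors: LIU Qi (born 1978), female, lecturer, Ph.D.; main research interests: risk evaluation models, information security. ZHU Jin-e and XIE Zong-xiao, engineers, M.S. KONG Jin-sheng, professor, postdoctoral fellow, doctoral supervisor.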

Design and Implementation of ARCE Risk Treatment Plan Measurement Model

LIU Qi 1, ZHU Jin-e 2, XIE Zong-xiao 3, KONG Jin-sheng 4   

  1. Department of Information Security, Henan Police College, Zhengzhou 450002, China; 2. Fuji Electric (Hangzhou) Software Co., Ltd., Hangzhou 310012, China; 3. Information Technology Security Evaluation Center of Shandong Province, Jinan 250000, China; 4. School of Electrical Engineering, Zhengzhou University, Zhengzhou 450002, China
  • Received: 2011-04-20 Online: 2011-10-05 Published: 2011-10-05

Abstract: This paper proposes a novel model called ARCE (Assets Risk Value & Control Measures Effectiveness). The correctness of the model is proved theoretically. A quantitative ARCE index system is proposed that takes as input the risk values of an organization's information security assets and the control measures implemented, and produces as output the risk treatment plan effectiveness matrix by way of an intermediate variable matrix. The implementation of the model comprises five modules: risk assessment, risk treatment, quantitative measurement, security event management and reporting. The paper presents the implementation pseudocode and application flow of the ARCE model, and gives an example of implementing the model in an organization. The advantages of the model are that it measures the effectiveness of a risk treatment plan accurately and uses preventive measures to improve an organization's security.

Key words: Assets Risk Value & Control Measures Effectiveness (ARCE) measurement model, quantitative index system, risk matrix, risk management, risk assessment, risk treatment plan
