Comparison of risk analysis methods: Mehari, magerit, NIST800-30 and microsoft's security management guide

Amril Syalim, Yoshiaki Hori, Kouichi Sakurai

Research output: Chapter in Book/Report/Conference proceedingConference contribution

25 Citations (Scopus)

Abstract

In this paper we compare four risk analysis methods: Mehari, Magerit, NIST800-30 and Microsoft's Security Management Guide. Mehari is a method for risk analysis and risk management developed by CLUSIF (Club de la Sécurité de l'Information Français). Magerit is a risk analysis and management methodology for information systems developed by CSAE (Consejo Superior de Administración Electrónica). NIST800-30 is a risk management guide for information technology systems recommended by the National Institute of Standard and Technology (NIST) in NIST Special Publication 800-30. Microsoft's Security Management Guide is a security risk management guide developed by Microsoft. In this paper, we compare those methods based on two main criteria: the first criterion is the steps that are used by the methods to conduct the risk assessment, the second one is the contents of the methods and supplementary documents provided with them. We found that all methods follow the first three general steps of risk analysis. However, the Mehari method, the Magerit method and the Microsoft Security Management Guide do not include control recommendations. Control recommendations in these methods are proposed as the next step to security management (i.e. after risk analysis). All methods provide a detailed guide for risk analysis. However, only three methods - Mehari, Magerit and the one proposed in the Microsoft Security Management Guide-provide supplementary documents for risk assessment.

Original languageEnglish
Title of host publicationProceedings - International Conference on Availability, Reliability and Security, ARES 2009
Pages726-731
Number of pages6
DOIs
Publication statusPublished - Oct 12 2009
EventInternational Conference on Availability, Reliability and Security, ARES 2009 - Fukuoka, Fukuoka Prefecture, Japan
Duration: Mar 16 2009Mar 19 2009

Publication series

NameProceedings - International Conference on Availability, Reliability and Security, ARES 2009

Other

OtherInternational Conference on Availability, Reliability and Security, ARES 2009
CountryJapan
CityFukuoka, Fukuoka Prefecture
Period3/16/093/19/09

    Fingerprint

All Science Journal Classification (ASJC) codes

  • Software
  • Safety, Risk, Reliability and Quality

Cite this

Syalim, A., Hori, Y., & Sakurai, K. (2009). Comparison of risk analysis methods: Mehari, magerit, NIST800-30 and microsoft's security management guide. In Proceedings - International Conference on Availability, Reliability and Security, ARES 2009 (pp. 726-731). [5066554] (Proceedings - International Conference on Availability, Reliability and Security, ARES 2009). https://doi.org/10.1109/ARES.2009.75