TY - GEN
T1 - Comparison of risk analysis methods
T2 - International Conference on Availability, Reliability and Security, ARES 2009
AU - Syalim, Amril
AU - Hori, Yoshiaki
AU - Sakurai, Kouichi
PY - 2009/10/12
Y1 - 2009/10/12
N2 - In this paper we compare four risk analysis methods: Mehari, Magerit, NIST800-30 and Microsoft's Security Management Guide. Mehari is a method for risk analysis and risk management developed by CLUSIF (Club de la Sécurité de l'Information Français). Magerit is a risk analysis and management methodology for information systems developed by CSAE (Consejo Superior de Administración Electrónica). NIST800-30 is a risk management guide for information technology systems recommended by the National Institute of Standard and Technology (NIST) in NIST Special Publication 800-30. Microsoft's Security Management Guide is a security risk management guide developed by Microsoft. In this paper, we compare those methods based on two main criteria: the first criterion is the steps that are used by the methods to conduct the risk assessment, the second one is the contents of the methods and supplementary documents provided with them. We found that all methods follow the first three general steps of risk analysis. However, the Mehari method, the Magerit method and the Microsoft Security Management Guide do not include control recommendations. Control recommendations in these methods are proposed as the next step to security management (i.e. after risk analysis). All methods provide a detailed guide for risk analysis. However, only three methods - Mehari, Magerit and the one proposed in the Microsoft Security Management Guide-provide supplementary documents for risk assessment.
AB - In this paper we compare four risk analysis methods: Mehari, Magerit, NIST800-30 and Microsoft's Security Management Guide. Mehari is a method for risk analysis and risk management developed by CLUSIF (Club de la Sécurité de l'Information Français). Magerit is a risk analysis and management methodology for information systems developed by CSAE (Consejo Superior de Administración Electrónica). NIST800-30 is a risk management guide for information technology systems recommended by the National Institute of Standard and Technology (NIST) in NIST Special Publication 800-30. Microsoft's Security Management Guide is a security risk management guide developed by Microsoft. In this paper, we compare those methods based on two main criteria: the first criterion is the steps that are used by the methods to conduct the risk assessment, the second one is the contents of the methods and supplementary documents provided with them. We found that all methods follow the first three general steps of risk analysis. However, the Mehari method, the Magerit method and the Microsoft Security Management Guide do not include control recommendations. Control recommendations in these methods are proposed as the next step to security management (i.e. after risk analysis). All methods provide a detailed guide for risk analysis. However, only three methods - Mehari, Magerit and the one proposed in the Microsoft Security Management Guide-provide supplementary documents for risk assessment.
UR - http://www.scopus.com/inward/record.url?scp=70349653935&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=70349653935&partnerID=8YFLogxK
U2 - 10.1109/ARES.2009.75
DO - 10.1109/ARES.2009.75
M3 - Conference contribution
AN - SCOPUS:70349653935
SN - 9780769535647
T3 - Proceedings - International Conference on Availability, Reliability and Security, ARES 2009
SP - 726
EP - 731
BT - Proceedings - International Conference on Availability, Reliability and Security, ARES 2009
Y2 - 16 March 2009 through 19 March 2009
ER -