Comparison of risk analysis methods: Mehari, magerit, NIST800-30 and microsoft's security management guide

Amril Syalim, Yoshiaki Hori, Kouichi Sakurai

研究成果: Chapter in Book/Report/Conference proceedingConference contribution

30 被引用数 (Scopus)

抄録

In this paper we compare four risk analysis methods: Mehari, Magerit, NIST800-30 and Microsoft's Security Management Guide. Mehari is a method for risk analysis and risk management developed by CLUSIF (Club de la Sécurité de l'Information Français). Magerit is a risk analysis and management methodology for information systems developed by CSAE (Consejo Superior de Administración Electrónica). NIST800-30 is a risk management guide for information technology systems recommended by the National Institute of Standard and Technology (NIST) in NIST Special Publication 800-30. Microsoft's Security Management Guide is a security risk management guide developed by Microsoft. In this paper, we compare those methods based on two main criteria: the first criterion is the steps that are used by the methods to conduct the risk assessment, the second one is the contents of the methods and supplementary documents provided with them. We found that all methods follow the first three general steps of risk analysis. However, the Mehari method, the Magerit method and the Microsoft Security Management Guide do not include control recommendations. Control recommendations in these methods are proposed as the next step to security management (i.e. after risk analysis). All methods provide a detailed guide for risk analysis. However, only three methods - Mehari, Magerit and the one proposed in the Microsoft Security Management Guide-provide supplementary documents for risk assessment.

本文言語英語
ホスト出版物のタイトルProceedings - International Conference on Availability, Reliability and Security, ARES 2009
ページ726-731
ページ数6
DOI
出版ステータス出版済み - 10 12 2009
イベントInternational Conference on Availability, Reliability and Security, ARES 2009 - Fukuoka, Fukuoka Prefecture, 日本
継続期間: 3 16 20093 19 2009

出版物シリーズ

名前Proceedings - International Conference on Availability, Reliability and Security, ARES 2009

その他

その他International Conference on Availability, Reliability and Security, ARES 2009
Country日本
CityFukuoka, Fukuoka Prefecture
Period3/16/093/19/09

All Science Journal Classification (ASJC) codes

  • Software
  • Safety, Risk, Reliability and Quality

フィンガープリント 「Comparison of risk analysis methods: Mehari, magerit, NIST800-30 and microsoft's security management guide」の研究トピックを掘り下げます。これらがまとまってユニークなフィンガープリントを構成します。

引用スタイル