Assessing Risk


With more and more regulations and the growing importance of information security, risk management is a growing topic, especially in my areas of interest, project management and information security.

Interestingly, everyone seems to have an intuitive idea of what risk is. However, learning more about the topic reveals far more complexity than that intuition suggests. Moreover, there is neither one universal definition of risk nor one way to assess risks.

Some standards even have surprising definitions; e.g. FAIR (Factor Analysis of Information Risk) defines:

  • Threat: anything that is capable of acting in a manner that results in harm
  • Vulnerability: the probability that a threat event will become a loss event (not a weakness in a system, as the word usually means in security engineering)

Therefore, I've started to collect a list of tools and approaches for assessing risks:

Each entry lists the method, its last version, the provider, a description and the risk definition the method uses (fields are omitted where unknown). Shorthand used below: R = P&C means risk is expressed as probability (likelihood) and consequence (impact).

Method: Bowtie
Last version: n/a
Description: Bowtie is a graphical method implementing CCA (cause-consequence analysis) to show risks as hazards with threats and consequences, quantified by the effectiveness of barriers. By one account, BowTie has its roots in the chemical industry, in course notes for a lecture on hazard analysis given at the University of Queensland in 1979. It has since been used in many UK critical industries and by the military. The name comes from the shape of the diagram, a bow-tie with the top event in the middle, the threats on the left and the consequences on the right.
Risk definition: Risk is described visually by a hazard (something that has the potential to cause damage), a top event, threats and consequences, together with barriers (prevention and recovery controls). Risk quantification is done by assessing the effectiveness of the barriers (good to very poor).

Method: BRA
Last version: Draft 1.0, 2011
Provider: Binary Risk Analysis
Description: Binary Risk Analysis (BRA) is a very simple assessment method using 10 binary (yes/no) questions to determine likelihood and impact (low/medium/high).
Risk definition: Risk is determined from three categories each of likelihood and impact.

Method: CCA
Last version: n/a
Description: CCA (Cause-Consequence Analysis) is a combination of FTA and ETA (see "Differences in Analytical Methodology"). A standardized implementation is the Bowtie method for analyzing hazards.
Risk definition: Puts the undesirable event in the middle, between fault tree analysis (cause-oriented) and event tree analysis (consequence-oriented).

Method: CICRAM
Last version: 2009
Provider: CICRAM(TM)
Description: The CICRAM IT Risk Assessment is a 10-step method designed to simplify compliance with regulatory requirements (GLBA, HIPAA, FERPA, ...) and industry standards (PCI, ...). CICRAM simplifies risk assessment by focusing on customer and employee information rather than on operational IT risks: risks follow the customer information.
Risk definition: IT risk is the likelihood of a threat acting on a vulnerability to harm an asset, whose value determines the negative impact.

Method: CIRA
Description: CIRA (Conflicting Incentives Risk Analysis) is a risk assessment method developed primarily by Rajbhandari and Snekkenes.
Risk definition: R = CI, i.e. risk is expressed through the conflicting incentives of the stakeholders involved rather than through probability and consequence.

Method: Cloud Risk Decision Framework
Provider: Microsoft
Description: A method designed for risk-assessing cloud environments. The method is derived from the ISO 31000 standard.

Method: COBIT
Last version: COBIT 2019
Provider: ISACA
Description: COBIT (Control Objectives for Information and Related Technologies) is a good-practice framework for IT management and governance created by the international professional association ISACA. COBIT 2019 is an evolution of the previous version, COBIT 5, building on its foundation by adding the latest developments affecting enterprise information and technology. The framework plays nicely with other IT management frameworks such as ITIL, CMMI and TOGAF, which makes it a good option as an umbrella framework to unify processes across an entire organization. An "open-source" model is being adapted from COBIT 2019. The process APO12 (Manage Risk) covers risk management. See also: Risk Laminate; COBIT 5 for Risk.
Risk definition: COBIT provides a comprehensive set of generic risk scenarios. Enablers are looked at from a risk function perspective (processes dealing with risk) and a risk management perspective (mitigating risk). A risk scenario describes an event with uncertain impact (positive or negative) on the enterprise's objectives, characterized by actor, threat type, threat event frequency, vulnerability and loss event. Risk priority includes the benefit/cost ratio. Risk capacity is the cumulative loss an enterprise can tolerate without risking its continued existence; as such it differs from risk appetite, which is about how much risk is desirable.

Method: COBRA / SRM Toolkit
Last version: 2008
Description: COBRA (Consultative, Objective and Bi-functional Risk Analysis). Is it still supported? The web page has no date and no imprint. See "Introduction to COBRA". COBRA is discontinued; the SRM Toolkit is still available.
Risk definition: Probability of an event occurring and the likely loss should it occur. Basic terms: threats and vulnerabilities.

Method: CORAS
Last version: v1.4, 2014
Provider: SINTEF
Description: CORAS is an 8-step method to assess risks. It includes the use of the CORAS language, a graphical UML-based language for communication, documentation and analysis of security threat and risk scenarios in security risk analyses. The CORAS threat diagram shows the activities that lead to an unwanted event. The method includes ideas from HAZOP, FTA and FMEA. Some examples are available as PDF; further resources include the CORAS tool; an in-depth introduction is the CORAS Handbook 1.0.
Risk definition: R = P&C. Risk table: likelihood vs. consequence (using categories).

Method: CRAMM
Last version: 2006
Provider: British CCTA
Description: The CCTA Risk Analysis and Management Method (CRAMM) was created in 1987 by the Central Computer and Telecommunications Agency (CCTA) of the United Kingdom government, whose functions have since passed to the Cabinet Office (Wikipedia). A 3-step method to identify risks and countermeasures, including documentation. It can prepare for ISO/IEC 27001/9001 certifications. ITIL also promotes CRAMM. There are three types:
  • CRAMM Expert Analysis
  • CRAMM Express Analysis
  • Analysis BS7799 (ISO 27001)
Simple introduction: DITY
Risk definition: R = C. Risk is determined by the likelihood that a threat could exploit the vulnerability of an IT asset (data, application/software, physical assets), in the categories high, medium or low.

Method: CURF
Description: The Core Unified Risk Framework (CURF) is a guideline for information security risk management (ISRM), motivated by the observation that information security risk assessment (ISRA) practices vary widely. CURF overlaps with the concepts of the design science research (DSR) methodology. See the abstract of the book.

Method: Cyber VaR
Description: Cyber Value at Risk (Cyber VaR).

Method: EBIOS
Last version: v2.0, 2004
Provider: ANSSI
Description: EBIOS (Expression des Besoins et Identification des Objectifs de Sécurité) is a 5-step method for the analysis, evaluation and treatment of risks relating to information systems. The method was created in 1995 and is now maintained by ANSSI, an agency under the French Prime Minister. EBIOS is primarily intended for governmental and commercial organizations working with the Defense Ministry (Wikipedia). Compliant with ISO 27001:2005, it guides the ISMS implementation with examples and refers to ISO/IEC 27002 for the implementation of controls. Only available in French.
Risk definition: Scenario-based risk heat map using Vraisemblance (likelihood) and Gravité (severity). Control types: Prévention (prevention), Protection (protection), Récupération (recovery).

Method: ETA
Description: Event tree analysis (ETA) is a forward, bottom-up, logical modeling technique for both success and failure that explores the responses to a single initiating event and lays out a path for assessing the probabilities of the outcomes and for overall system analysis.
Risk definition: Visualization of chained probabilities.

Method: FAIR
Last version: 2015
Provider: FAIR Institute
Description: Factor Analysis of Information Risk (FAIR) is an extensive standardized method to quantify information security risk.
Risk definition: R = P&C. Risk is determined by Loss Event Frequency (LEF) and Loss Magnitude (LM):
LEF = TEF (Threat Event Frequency) * Vulnerability
LM = Primary Loss + Secondary Risk
In the FAIR taxonomy, Vulnerability (the probability that a threat event becomes a loss event) is derived from Threat Capability versus Resistance Strength, and Secondary Risk is Secondary Loss Event Frequency times Secondary Loss Magnitude.
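To make the LEF and LM factors concrete, here is an added Monte Carlo example; it is not code from FAIR or from the FAIR Institute's tooling. It follows the FAIR decomposition (LEF = TEF * Vulnerability, LM = Primary Loss + Secondary Risk) but simplifies in two places that are assumptions of this example: each factor is a three-point estimate sampled from a triangular distribution, and Vulnerability is estimated as the fraction of draws in which threat capability exceeds resistance strength. The scenario, its names and all numbers are constructed for illustration.

```python
"""FAIR-style Monte Carlo for one risk scenario (stdlib only, added example).

Factors follow the FAIR taxonomy:
  LEF = TEF * Vulnerability
  LM  = Primary Loss + Secondary Risk   (Secondary Risk = SLEF * SLM)
Each input is a three-point estimate (min / most likely / max) sampled from a
triangular distribution; this, and estimating Vulnerability as
P(threat capability > resistance strength) by sampling, are simplifications
chosen for this example.  All numbers below are constructed, not measured.
"""
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """Three-point (min, most likely, max) estimate of one FAIR factor."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # random.triangular(low, high, mode): the mode is the third argument
        return rng.triangular(self.low, self.high, self.mode)


@dataclass(frozen=True)
class Scenario:
    tef: Estimate    # threat events per year
    tcap: Estimate   # threat capability, 0..100 percentile scale
    rs: Estimate     # resistance strength, 0..100 percentile scale
    plm: Estimate    # primary loss magnitude per loss event (currency)
    slef: Estimate   # secondary loss event frequency (0..1 per loss event)
    slm: Estimate    # secondary loss magnitude per secondary event (currency)


def vulnerability(sc: Scenario, rng: random.Random, draws: int = 10_000) -> float:
    """FAIR Vulnerability: P(threat capability exceeds resistance strength)."""
    hits = sum(sc.tcap.sample(rng) > sc.rs.sample(rng) for _ in range(draws))
    return hits / draws


def simulate(sc: Scenario, trials: int = 10_000, seed: int = 1) -> dict:
    """Annualized loss exposure (ALE) distribution for the scenario."""
    rng = random.Random(seed)            # fixed seed: reproducible runs
    vuln = vulnerability(sc, rng)
    losses = []
    for _ in range(trials):
        lef = sc.tef.sample(rng) * vuln                     # loss events / year
        primary = lef * sc.plm.sample(rng)                  # Primary Loss
        secondary = lef * sc.slef.sample(rng) * sc.slm.sample(rng)  # Secondary Risk
        losses.append(primary + secondary)
    q = statistics.quantiles(losses, n=100)  # q[i-1] is the i-th percentile
    return {
        "vulnerability": vuln,
        "ale_p10": q[9],
        "ale_p50": q[49],
        "ale_p90": q[89],
        "ale_max": max(losses),
        "ale_mean": statistics.fmean(losses),
    }


# Constructed scenario: phishing of staff leading to credential theft on a
# customer-facing web application.  Ranges are illustrative only.
PHISHING = Scenario(
    tef=Estimate(2, 6, 15),
    tcap=Estimate(40, 60, 85),
    rs=Estimate(30, 50, 70),
    plm=Estimate(5_000, 25_000, 120_000),
    slef=Estimate(0.05, 0.2, 0.5),
    slm=Estimate(10_000, 80_000, 500_000),
)

if __name__ == "__main__":
    for key, value in simulate(PHISHING).items():
        print(f"{key:>14}: {value:,.2f}")
```

The useful output is the distribution (p10/p50/p90), not a single number: two scenarios with the same median can have very different tails, and it is the p90 that drives decisions such as insurance limits or which control to fund. A scenario whose resistance strength clearly exceeds the threat capability yields a vulnerability of zero and therefore no loss, which is the sanity check to run first on any new set of estimates.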
Method: FMEA
Last version: J1739_200901, 2009
Provider: SAE
Description: FMEA (Failure Modes and Effects Analysis) was developed by reliability engineers in the late 1950s to study problems that might arise from malfunctions of military systems. An FMEA is often the first step of a system reliability study.
Risk definition: RPN (Risk Priority Number) = S * P * D: Severity (of the effect) * Probability (of the failure occurring) * Detection (probability that the failure would not be detected before it reaches the user).

Method: FMECA
Last version: ARP926C, 2018
Provider: SAE
Description: FMECA (Failure Mode, Effects and Criticality Analysis) is an extension of FMEA indicating that a criticality analysis is performed as well.
Risk definition: Adds criticality to the FMEA formula.

Method: FRAP
Last version: 2001
Description: The Facilitated Risk Analysis Process (FRAP) is a quick business risk analysis technique used to identify and assess factors that may jeopardize the success of a project or the achievement of a goal.
Risk definition: Assesses the enterprise's vulnerability to the risk and the business impact if the risk were to occur.

Method: FTA
Description: Fault tree analysis (FTA) is a deductive, top-down method aimed at analyzing the effects of initiating faults and events on a complex system. It comes with graphical symbols for the Boolean functions (gates) and events. This contrasts with failure mode and effects analysis (FMEA), which is an inductive, bottom-up method aimed at analyzing the effects of single component or function failures on equipment or subsystems.
Risk definition: Visualization of chained probabilities, defined by failure rates and Boolean logic.
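As an added example of the "failure rates and Boolean logic" part (not code from any FTA tool or standard), the following evaluates a small security fault tree: basic events carry a constant rate, an AND gate multiplies its inputs' probabilities, an OR gate takes the complement of the product of the complements, and the minimal cut sets (the smallest combinations of basic events that trigger the top event) are enumerated and ranked. Independence of basic events is an assumption, as are the tree, the event names and the rates, which are constructed for illustration.

```python
"""Fault-tree evaluation for a security top event (added example).

Basic events carry a constant rate (events per year); over an exposure window
of t years the event probability is P = 1 - exp(-rate * t).  Gates combine
their inputs assuming independent basic events:
  AND: P = product of P_i          OR: P = 1 - product of (1 - P_i)
The tree, its names and rates are constructed for illustration only.
"""
import math
from dataclasses import dataclass
from typing import Union


@dataclass(frozen=True)
class Basic:
    name: str
    rate: float  # events per year (constructed)

    def prob(self, years: float) -> float:
        return 1.0 - math.exp(-self.rate * years)


@dataclass(frozen=True)
class Gate:
    name: str
    kind: str       # "AND" or "OR"
    inputs: tuple   # Basic or Gate instances

    def prob(self, years: float) -> float:
        ps = [i.prob(years) for i in self.inputs]
        if self.kind == "AND":
            return math.prod(ps)
        if self.kind == "OR":
            return 1.0 - math.prod(1.0 - p for p in ps)
        raise ValueError(f"unknown gate kind {self.kind!r}")


Node = Union[Basic, Gate]


def minimal_cut_sets(node: Node) -> set:
    """Smallest combinations of basic events that cause the top event."""
    if isinstance(node, Basic):
        return {frozenset([node.name])}
    children = [minimal_cut_sets(i) for i in node.inputs]
    if node.kind == "OR":               # any one child's cut set suffices
        sets = set().union(*children)
    else:                               # AND: one cut set from every child
        sets = {frozenset()}
        for child in children:
            sets = {a | b for a in sets for b in child}
    # drop any set that strictly contains another one (not minimal)
    return {s for s in sets if not any(o < s for o in sets)}


def ranked_cut_sets(node: Node, years: float) -> list:
    """Minimal cut sets ordered by probability, most likely first."""
    basics = {}
    stack = [node]
    while stack:                        # collect basic-event probabilities
        n = stack.pop()
        if isinstance(n, Basic):
            basics[n.name] = n.prob(years)
        else:
            stack.extend(n.inputs)
    scored = [(math.prod(basics[b] for b in cs), sorted(cs))
              for cs in minimal_cut_sets(node)]
    return sorted(scored, key=lambda item: -item[0])


# Constructed tree: taking over an admin account needs a stolen credential
# AND a defeated second factor.
TOP = Gate("admin account takeover", "AND", (
    Gate("credential compromised", "OR", (
        Basic("credential phished", 0.5),
        Basic("password reused from breach dump", 0.2),
    )),
    Gate("MFA defeated", "OR", (
        Basic("push-fatigue prompt accepted", 0.1),
        Basic("session token stolen", 0.05),
    )),
))

if __name__ == "__main__":
    print(f"P(top event within 1 year) = {TOP.prob(1.0):.4f}")
    for p, cs in ranked_cut_sets(TOP, 1.0):
        print(f"{p:.4f}  {' AND '.join(cs)}")
```

The ranked cut sets are the actionable output: the highest-probability pair tells you which single barrier (here, phishing-resistant MFA or push-prompt number matching) removes the most likely path, which is exactly the question a bowtie or a control investment decision asks. Note that an OR gate over independent exponential events equals a single event with the summed rate, so a tree with only OR gates collapses to one rate; AND gates are where the structure actually matters.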
Method: HAZOP/PAAG
Last version: BS EN 61882:2016
Provider: British Standards
Description: (Wikipedia) A hazard and operability study (HAZOP) is a structured and systematic examination of a complex planned or existing process or operation in order to identify and evaluate problems that may represent risks to personnel or equipment. The intention of performing a HAZOP is to review the design to pick up design and engineering issues that may otherwise not have been found. The HAZOP technique was initially developed in the 1960s to analyze major chemical process systems but has since been extended to other areas. In German: PAAG-Verfahren (Prognose möglicher Abweichungen und Störungen, Auffinden der Ursachen, Abschätzen der Auswirkungen, Gegenmaßnahmen: predicting possible deviations and disturbances, finding the causes, estimating the effects, countermeasures).
Risk definition: Key terms: hazard (potential source of harm), harm (physical injury or damage to the health of people, or damage to property or the environment). Risk is the combination of the probability of occurrence of harm and the severity of that harm.

Method: IndistrySafe
Provider: IndistrySafe
Description: IndistrySafe is risk management software that comes with a nice description of probability and impact categories.
Risk definition: 5 probability categories and 4 severity categories make up the risk matrix.

Method: IRAM2
Provider: Information Security Forum
Description: Information Risk Assessment Methodology (link).

Method: ISAMM
Provider: Telindus (http://www.telindus.com)
Description: ISAMM (Information Security Assessment and Monitoring Method) is a tool that follows the set of best-practice information security controls from ISO/IEC 27002. Origin: Belgium.

Method: ISO 31000
Last version: ISO 31000:2018
Provider: ISO
Description: ISO 31000:2018, Risk management – Guidelines, provides principles, a framework and a process for managing risk. It can be used by any organization regardless of its size, activity or sector (ISO.org). Related standards:
  • ISO Guide 73:2009, Risk management – Vocabulary
  • IEC 31010:2009, Risk management – Risk assessment techniques
Risk definition: Risk is the effect of uncertainty on objectives; the effect can be positive or negative.

Method: MAGERIT / PILAR
Description: EAR / PILAR is the software that implements and expands the Magerit risk analysis and risk management methodology. Origin: Spain.

Method: MEHARI
Provider: Meharipedia.org
Description: Wikipedia: MEHARI (MEthod for Harmonized Analysis of RIsk) is a free, open-source information risk analysis and risk management method for the use of information security professionals. MEHARI has steadily evolved since the mid-1990s to support standards such as ISO/IEC 27001, ISO/IEC 27002, ISO/IEC 27005 and NIST SP 800-30. Description: Mehari 2010.
Risk definition: Risk is determined by intrinsic likelihood and intrinsic impact (without measures in place), likelihood-reducing factors, impact-reducing factors and the quality of the existing security measures.

Method: MIGRA
Description: MIGRA methodology (Metodologia Integrata per la Gestione del Rischio Aziendale: integrated methodology for enterprise risk management). Origin: Italy.

Method: NIST SP 800-30
Last version: Revision 1, 2012
Provider: NIST
Description: Guide for Conducting Risk Assessments.
Risk definition: R = P&C. Risk is a function of the likelihood that a threat event occurs and of the resulting adverse impact.

Method: NSMROS
Provider: Norwegian National Security Authority
Description: The Norwegian National Security Authority Risk and Vulnerability Assessment (NSMROS) [16] approach was designed to aid organizations in their effort to become compliant with the Norwegian Security Act. NSMROS is written in Norwegian and provides a basic description of the risk management process and associated activities.
Risk definition: R = P&C

Method: OCTAVE
Provider: Software Engineering Institute
Description: OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation; PDF link) is an eight-step process that focuses on information assets in relation to their containers. The result is a relative risk score. Also: OCTAVE Allegro.
Risk definition: R = C

Method: RIPRAN
Description: RIPRAN (RIsk PRoject ANalysis).

Method: Risk Taxonomy (O-RT)
Provider: The Open Group
Description: A taxonomy based on FAIR.
Risk definition: Loss Event Frequency (LEF) and Loss Magnitude (LM); risk is only about loss.

Method: RiskSafe
Provider: Platinum Squared Technologies

Method: CMU SEI
Provider: Software Engineering Institute
Description: Framework for planning and assessing risks.
Risk definition: Risk is the possibility of suffering loss.

Other Overview resources
