With more and more regulations and importance of information security risk management is a growing topic. Especially in my areas of interest, project management and information security.
Interestingly, everyone seems to have an intuitive idea about what risk is. However, learning more about the topic yields more complexity that the topic has. Moreover, neither there is one universe definition of risk nor one way to access risks. Therefore, I’ve started to collect a list of methods and approaches for accessing risks. (it’s not a tool list).
In in article from Gaute Wangen, Springer, pdf, risk assessment frameworks are determined by the risk definition as follows:
- R = E, expected value (large numbers)
- R = P & C, probability and consequence (scenario based)
- R = C, consequence
- R = C & U, consequence and uncertainty
- R = ISO, uncertainty on objectives
- R = CI, conflicting incentives
| Method | Last Version | Provider | Description | Risk Definition |
|---|---|---|---|---|
| Bowtie | n/a | Bowtie is a graphical method implementing CCA (cause consequence analysis) to show risks as hazards with threats and impacts, quantified by the effectiveness of barriers. According to an article on gov.uk BowTie finds its roots in the chemical industry course notes for a lecture on hazard analysis given at the University of Queensland in 1979. It's been used in many UK critical industries and military. The name comes from the form of a bow-tie showing the threat event in the middle, the threat on the left and consequences on the right - for further information e.g. read here or very detailed here | Risk is described visually by a hazard (something that has the potential to cause damage), top event, threat and consequence, together with barriers (prevention and recovery controls). Risk quantification is done by assessing the effectiveness of controls (good - very poor) | |
| BRA | Draft 1.0, 2011 | Binary Risk Assessment | Binary Risk Assessment (BRA) is a very simple assessment method using 10 simple (binary) questions to determine likelihood and impact (low-med-high) | Risk is determined by three categories of likelihood and impact. |
| CCA | n/a | CCA (Cause-Consequence Analysis) - FTA and ETA Combination - see Differences in Analytical Methodology. A standardized implementation is the Bowtie method for analyzing hazards. | Puts undesirable event in the middle between fault tree analysis (cause-oriented ) and event tree analysis (consequences-oriented). | |
| CICRAM | 2009 | CICRAM(TM) | The CICRAM IT Risk Assessment is a 10 step method designed to simplify compliance for regulatory requirements (GLBA, HIPAA, FERPA, ...) or industry standards (PCI, ...) - see link. CICRAM tries to simplify risk assessments by focusing on customer and employee information rather than operational IT risks. Risks follow customer information. | IT Risk is likelihood of a threat acting on a vulnerability to harm an asset value which causes a negative impact. |
| CIRA | CIRA is a risk assessment method developed primarily by Rajbhandari and Snekkenes | R = CI | ||
| Cloud Risk Decision Framework | Microsoft | method designed for addressing this problem by risk assessing cloud environments. The method is derived from the ISO 31000 standard | ||
| COBIT | COBIT 2019 | ISACA | COBIT (Control Objectives for Information and Related Technologies) is a good-practice framework for IT management and governance created by the international professional association ISACA. COBIT 2019 is an evolution of the previous version, COBIT 5, building on its solid foundation by adding the latest developments affecting enterprise information and technology. The framework plays nicely with other IT management frameworks such as ITIL, CMMI and TOGAF, which makes it a great option as an umbrella framework to unify processes across an entire organization. (CIO.com) An “open-source” model is being adapted from COBIT 2019. Module APO12 is about managing risks. Risk Laminate. COBIT 5 For Risk COBIT provides a comprehensive set of generic risk scenarios. | Enablers have a Risk Function (processes dealing with risk) and a Risk Management (mitigate risk) perspective. A Risk Scenario describes Events with uncertain impact (positive or negative) on enterprise's objectives influenced by Actor, Threat Type,Threat Event Frequency, Vulnerability, Loss Event. Risk Priority includes Benefit/Cost ratio. Risk Capacity – The cumulative loss an enterprise can tolerate without risking its continued existence. As such, it differs from risk appetite, which is more on how much risk is desirable |
| COBRA / SRM Toolkit | 2008 | COBRA (Consultative, Objective and Bi-functional Risk Analysis). still supported? Web page has no date / no impressum. Read Introduction to COBRA. COBRA is discontinued, SRM-Toolkit is still available. SRL Toolkit is available at risk.biz | probability of an event occurring and the likely loss should it occur. Basic terms: threats and vulnerabilities. | |
| CORAS | v1.4, 2014 | SINTEF | CORAS is an 8-step method to assess risks. It includes the use of the CORAS language. The CORAS language is a graphical UML language for communication, documentation and analysis of security threat and risk scenarios in security risk analyses. The CORAS threat diagram shows the activitites that lead to an unwanted event. It includes ideas from HazOp, FTA, FMEA. Some examples: pdf Further resources incl. CORAS tool: http://coras.sourceforge.net/ In depth introduction: CORAS Handbook 1.0 | R = P&C, Risk table: likelihood vs. consequence (using categories) |
| CRAMM | 2006 | British CCTA | CCTA Risk Analysis and Management Method (CRAMM) was created in 1987 by the Central Computer and Telecommunications Agency (CCTA), now renamed into Cabinet Office, of the United Kingdom government (Wikipedia). A 3-step method to identify risks and countermeasures, including documentation. It can prepare for ISO/IEC 27001/9001 certifications. ITIL also promotes CRAMM. There are three types:
| R = C, Risk is determined by the likelihood that a threat could exploit the Vulnerability of an IT asset (data, application/software, physical assets) in categories high, medium or low. |
| CRDF | R = ISO | |||
| CURF | Core Unified Risk Framework (CURF), guideline for InfoSec risk management (ISRM), InfoSec risk assessment (ISRA) practices vary. CURF overlaps with the concepts of the design science research (DSR) methodology. Abstract of Book | |||
| Cyber VAR | Cyber Value at Risk (Cyber VaR) | |||
| EBIOS | v2.0, 2004 | ANSSI | EBIOS (Expression des Besoins et Identification des Objectifs de Sécurité), 5-step method for analysis, evaluation and action on risks relating to information systems. The method was created in 1995 and is now maintained by the ANSSI, a department of the French Prime Minister. EBIOS is primarily intended for governmental and commercial organizations working with the Defense Ministry. (Wikipedia) Compliant with ISO27001:2005, guides the ISMS implementation with examples. Refers to ISE/IEC 27002 for controls implementation. Only available in French. | Scanario based risk heat map using Vraisemblance and Gravité. Control types Prévention, Protection, Récupération |
| ETA | n/a | Wikipedia: Event tree analysis (ETA) is a forward, bottom up, logical modeling technique for both success and failure that explores responses through a single initiating event and lays a path for assessing probabilities of the outcomes and overall system analysis. | Visualization of chained probabilities | |
| FAIR | 2015 | FAIR Institute | Factor Analysis of Information Risk (FAIR) is an extensive standardized method to quantify information security risk. | R = P&C, Risk is determined by Loss Event Frequency (LEF) and Loss Magnitude (LM): LEF = TEF (Threat Event Frequency) * Vulnerability LM = Primary Loss + Secondary Risk |
| FMEA | J1739_200901, 2009 | SAE | FMEA (Failure Modes and Effects Analysis) was developed by reliability engineers in the late 1950s to study problems that might arise from malfunctions of military systems. An FMEA is often the first step of a system reliability study. (Wikipedia) | RPN (Risk Priority Number) = S * P * D: Severity (of the event) * Probability (of the event occurring) * Detection (Probability that the event would not be detected before the user was aware of it) |
| FMECA | ARP926C, 2018 | SAE | FMECA (Failure Mode, Effects and Critically Analysis) is extension of FMEA to indicate that criticality analysis is performed too. | Adding Criticality to the FMEA formula. |
| FRAP | 2001 | Facilitated risk analysis process (FRAP), quick business risk analysis technique used to identify and assess factors that may jeopardize the success of a project or achieving a goal. Introduction.pdf | Assesses Enterprises vulnerability to the risk and the business impact if the risk where to occur | |
| FTA | n/a | Wikipedia: Fault tree analysis FTA is a deductive, top-down method aimed at analyzing the effects of initiating faults and events on a complex system. It comes with graphical symbols for the boolean functions and events. This contrasts with failure mode and effects analysis (FMEA), which is an inductive, bottom-up analysis method aimed at analyzing the effects of single component or function failures on equipment or subsystems. | Visualization of chained probabilities, defined by failure rate and Boolean logic. | |
| HAZOP/PAAG | BS EN 61882:2016 | British Standards | (Wikipedia) A hazard and operability study (HAZOP) is a structured and systematic examination of a complex planned or existing process or operation in order to identify and evaluate problems that may represent risks to personnel or equipment. The intention of performing a HAZOP is to review the design to pick up design and engineering issues that may otherwise not have been found. The HAZOP technique was initially developed in the 1960s to analyze major chemical process systems but has since been extended to other areas. In German: PAAG-Verfahren (Prognose möglicher Abweichungen und Störungen, Auffinden der Ursachen, Abschätzen der Auswirkungen, Gegenmaßnahmen) | Key terms: Hazard (Potential source of harm), Harm (Physical injury or damage to the health of people or damage to property or the environment). Risk is combination of probability of occurrence of harm and the severity of that harm |
| IndistrySafe | IndistrySafe | IndistrySafe is a software for risk management that comes with a nice description of probability and impact categories: IndistrySafe | 5 probability categories, 4 severity categories make the risk matrix. | |
| IRAM2 | Information Security Forum | Information Risk Assessment Methodology link | ||
| ISAMM | http://www.telindus.com | ISAMM or Information Security Assessment and Monitoring Method tool follows the set of controls of best practices in Information Security from the ISO/IEC 27002. Source: Belgium. | ||
| ISO/IEC 31000 | ISO 31000:2018 | ISO | ISO 31000:2018, Risk management – Guidelines, provides principles, framework and a process for managing risk. It can be used by any organization regardless of its size, activity or sector. (ISO,org) Related Standards:
| R = ISO |
| ISRAM | ||||
| MAGERIT-PILAR | EAR / PILAR is the software that implements and expands Magerit RA/RM Methodology. | |||
| MEHARI | Meharipedia.org | Wikipedia: MEHARI (MEthod for Harmonized Analysis of RIsk) is a free, open-source information risk analysis assessment and risk management method, for the use of information security professionals. MEHARI has steadily evolved since the mid-1990s to support standards such as ISO/IEC 27001, ISO/IEC 27002, ISO/IEC 27005 and NIST's SP 800-30. Description: Mehari 2010 | Risk is determined by intrinsic likelihood, intrinsic impact (without measures in place), likelihood reducing factors, impact reducing factors and quality of existing security measures | |
| MIGRA | MIGRA methodology (Metodologia Integrata per la Gestione del Rischio Aziendale). Source: Italy | |||
| NIST SP800-30 | R = P&C | |||
| NSMROS | Norwegian National Security Authority Risk and Vulnerability Assessment (NSMROS) [16] approach was designed for aiding organizations in their effort to become compliant with the Norwegian Security Act. NSMROS is written in Norwegian and provides a basic description of the risk management process and associated activities. | R = P&C | ||
| OCTAVE | Software Engineering Institute | Octave: Operationally Critical Threat, Asset, and Vulnerability Evaluation pdf-link, eight-step process, focusses on information assets in relation to their containers. Result is a relative risk score. Also: Octave Allegro | R = C | |
| OSSTMM | ||||
| PMI PMBOK | ||||
| RAIS | R = P&C | |||
| RIPRAN | RIPRAN (RIsk PRoject ANalysis) | |||
| RISK IT | R = P&C | |||
| Risk Taxonomy (O-RT) | The Open Group | Taxonomy based on FAIR: Loss Event Frequency (LEF) and Loss Magnitude (LM), risk is only about loss. | ||
| RiskSafe | Platinum Squared Technologies | |||
| SOMAP | ||||
| TOGAF | ||||
| CMU SEI | Software Engineering Institute | Framework for planning and assessing risks. | Risk is the possibility of suffering loss |