[Table 7.1 (decision table) could not be reconstructed from the extracted text. Its rows are the methods AS/NZS 4346, CORAS, Cramm, Ebios, FAIR, FRAP, ISO/IEC 27002:2005, ISO/IEC 27005:2011, IT-Grundschutz, Magerit, Mehari, Octave, Risk IT, Structured Risk Analysis and TARA; its columns are selection criteria answered Y/N, of which only the label "Security-critical?" survives; cells are marked X (applicable) or X* (applicable with qualification).]
Table 7.1: Decision table for selecting the most suitable RA method(s)
Current Established Risk Assessment Methodologies and Tools
CHAPTER 8
CONCLUSIONS AND RECOMMENDATIONS
With the rise of the need to properly secure Information Systems has come a rise in the number and diversity of methodologies and tools to help achieve this. From national regulations to international standards and from third-party tools to Risk Management frameworks, this multitude of resources can be confusing for a company seeking to improve their information security. However, the applicability and benefits offered by each can be traced back to their original context and purpose.
In this document, a total of 14 Methodologies, 25 Tools and 7 Conceptual Models have been analyzed, described and reviewed in order to provide at least basic information regarding each of the vast number of instruments available for conducting and supporting Risk Assessments. Furthermore, comparisons and cross-comparisons have been conducted and guidelines have been designed in order to facilitate the selection process an organization might have to go through when it decides that a Risk Assessment is required or might bring added value and security to its business. Finally, a series of conclusions can be drawn based on this work. These conclusions are grouped in the following sub-sections.
8.1 Risk Assessment
Some methodologies are designed for security-critical systems, while others are created with certification in mind. Some tools are expensive and can only be used by experts, while others are free and easy to use. Some frameworks are overly complex and only suitable for large projects and organizations, while others can be implemented by a few skilled employees. Such criteria can be used not only to classify and understand the scope, applicability and benefits offered by each methodology, framework and tool, but also as indicators for choosing the most appropriate resource for a given business environment and set of protection requirements. As such, guidelines similar to the ones introduced in Section 7.1 can be designed and used to shed some light on the plethora of Risk Assessment and Risk Management frameworks, methods and tools.