Comparison of risk analysis methods: Mehari, magerit, NIST800-30 and microsoft's security management guide

Amril Syalim, Yoshiaki Hori, Kouichi Sakurai

Research output: Chapter in Book/Report/Conference proceedingConference contributionpeer-review

39 Citations (Scopus)

Abstract

In this paper we compare four risk analysis methods: Mehari, Magerit, NIST800-30 and Microsoft's Security Management Guide. Mehari is a method for risk analysis and risk management developed by CLUSIF (Club de la Sécurité de l'Information Français). Magerit is a risk analysis and management methodology for information systems developed by CSAE (Consejo Superior de Administración Electrónica). NIST800-30 is a risk management guide for information technology systems recommended by the National Institute of Standard and Technology (NIST) in NIST Special Publication 800-30. Microsoft's Security Management Guide is a security risk management guide developed by Microsoft. In this paper, we compare those methods based on two main criteria: the first criterion is the steps that are used by the methods to conduct the risk assessment, the second one is the contents of the methods and supplementary documents provided with them. We found that all methods follow the first three general steps of risk analysis. However, the Mehari method, the Magerit method and the Microsoft Security Management Guide do not include control recommendations. Control recommendations in these methods are proposed as the next step to security management (i.e. after risk analysis). All methods provide a detailed guide for risk analysis. However, only three methods - Mehari, Magerit and the one proposed in the Microsoft Security Management Guide-provide supplementary documents for risk assessment.

Original languageEnglish
Title of host publicationProceedings - International Conference on Availability, Reliability and Security, ARES 2009
Pages726-731
Number of pages6
DOIs
Publication statusPublished - 2009
EventInternational Conference on Availability, Reliability and Security, ARES 2009 - Fukuoka, Fukuoka Prefecture, Japan
Duration: 16 Mar 200919 Mar 2009

Publication series

NameProceedings - International Conference on Availability, Reliability and Security, ARES 2009

Conference

ConferenceInternational Conference on Availability, Reliability and Security, ARES 2009
Country/TerritoryJapan
CityFukuoka, Fukuoka Prefecture
Period16/03/0919/03/09

Fingerprint

Dive into the research topics of 'Comparison of risk analysis methods: Mehari, magerit, NIST800-30 and microsoft's security management guide'. Together they form a unique fingerprint.

Cite this