Comparison of Risk Analysis Methods: Mehari, Magerit, NIST800-30 and Microsoft's Security Management Guide

Abstract

In this paper we compare four risk analysis methods: Mehari, Magerit, NIST800-30 and Microsoft's Security Management Guide. Mehari is a method for risk analysis and risk management developed by CLUSIF (Club de la Securite del' Information Francais). Magerit is a risk analysis and management methodology for information systems developed by CSAE (Consejo Superior de Administracion Electronica). NIST800-30 is a risk management guide for information technology systems recommended by the National Institute of Standard and Technology (NIST) in NIST Special Publication 800-30. Microsoft’s Security Management Guide is a security risk management guide developed by Microsoft. In this paper, we compare those methods based on two main criteria: the first criterion is the steps that are used by the methods to conduct the risk assessment, the second one is the contents of the methods and supplementary documents provided with them. We found that all methods follow the first three general steps of risk analysis. However, the Mehari method, the Magerit method and the Microsoft Security Management Guide do not include control recommendations. Control recommendations in these methods are proposed as the next step to security management (i.e. after risk analysis). All methods provide a detailed guide for risk analysis. However, only three methods — Mehari, Magerit and the one proposed in the Microsoft Security Management Guide—provide supplementary documents for risk assessment.