A comparison, done by me, of three different risk analysis methodologies: CRAMM, NIST and Octave.
Comparison of risk analysis methodologies
Key features (columns of the original table: CRAMM, NIST SP 800-30, Octave)

Methodology manager
  CRAMM: Siemens (CRAMM belongs to Siemens)
  NIST SP 800-30: National Institute of Standards and Technology (NIST)
  Octave: Software Engineering Institute (SEI) and Carnegie Mellon University (CMU)

Country of origin
  CRAMM: UK
  NIST SP 800-30: United States
  Octave: United States

Website
  CRAMM: http://www.cramm.com/
  NIST SP 800-30: http://www.nist.gov/
  Octave: http://www.cert.org/octave/

Versions
  CRAMM: last version CRAMM NATO V5.6
  NIST SP 800-30: 800-30 Rev. 1 (2002)
  Octave: OCTAVE Method Version 2.0

Tool to apply the methodology
  CRAMM: a large number of tools for analysis and management using this methodology (e.g. CRAMM Express)
  NIST SP 800-30: the standard does not specify a particular tool for analysis
  Octave: the standard does not specify a particular tool for analysis; the methodology speaks of "Vulnerability Evaluation Tools"

Main concepts
  CRAMM: assets, threats, vulnerabilities, risks, safeguards (countermeasures)
  NIST SP 800-30: threats, vulnerabilities, risks, controls
  Octave: assets, threats, vulnerabilities, risks

Main steps
  CRAMM:
    1. Asset identification and valuation (physical assets, software and the data assets in the information systems are identified)
    2. Threat and vulnerability measurement (determine the likelihood that these problems occur)
    3. Selection and recommendation of countermeasures (CRAMM contains a library of more than 3,000 countermeasures organized in 70 groups)
  NIST SP 800-30:
    1. Initiation (risk identification is used to support the development of system requirements)
    2. Development or acquisition (the IT system is designed, specified and proposed, or constructed)
    3. Implementation (the system's security features are configured, enabled, tested and verified)
    4. Operation and maintenance (maintenance activities for risk reduction are performed)
    5. Arrangement (the risk management activities are carried out on the system components)
  Octave:
    1. Construction of asset-based vulnerability profiles (organizational view)
    2. Identification of infrastructure vulnerabilities (technological view)
    3. Development of a security strategy and plans to mitigate vulnerabilities (strategy and development plan)

Main features
  CRAMM:
    * > 400 types of assets
    * 38 types of threats
    * > 25 types of impacts
    * 7 risk measures
    * > 3500 controls
  NIST SP 800-30:
    * Attaches great importance to the controls
    * Speaks of key profiles within the organization with regard to responsibility for risk management
  Octave:
    * Has 'self-direction': a small team of staff from the organization itself (IT staff and other departments) is involved in implementing the methodology
    * Creation of a small interdisciplinary information analysis team
    * Workshop-based approach, where people from different levels of the organization work to identify vulnerabilities
    * Asset based
    * Information catalogs: catalog of practices, asset profiles, list of vulnerabilities
    * Speaks of a balance between three aspects: technology, operational risk and security practices

Scope where the methodology is used
  CRAMM, NIST SP 800-30 and Octave alike:
    * Risk analysis
    * Risk management
    * Master security plan

Who holds the methodology
  CRAMM, NIST SP 800-30 and Octave alike: a small interdisciplinary group of internal staff
Advantages (columns of the original table: CRAMM, NIST SP 800-30, Octave)

Cost
  CRAMM: in 2001, version 4 costs:
    * for a commercial company: £2,800 + £850 per year for maintenance
    * for agencies and departments of the British state: £1,600 + £850 per year for maintenance
  NIST SP 800-30: cost is tied to the benefit; the cost of a security master plan is justified provided it is lower than the cost of the risks analysed and resolved, in which case the cost is low
  Octave:
    * internal use: free
    * external use: a license must be purchased from SEI if you apply the methodology for a third party

Results (outputs)
  CRAMM:
    * table of risk assessment on assets (scale of 1-10)
    * recommended controls list
  NIST SP 800-30: documented results
  Octave:
    * Phase 1: critical assets, critical requirements for critical assets, vulnerabilities of critical assets, list of current security practices, list of current organizational vulnerabilities
    * Phase 2: key components, current technological vulnerabilities
    * Phase 3: risks to critical assets, risk metrics, protection strategy, risk mitigation plans

Scope
  CRAMM: international (CRAMM v5.1 was used in 23 countries)
  NIST SP 800-30: international
  Octave: international

Right of use
  CRAMM: n/a
  NIST SP 800-30: n/a
  Octave: internal use: limit

Tool to apply the methodology
  CRAMM: many tools implementing the methodology
  NIST SP 800-30: n/a
  Octave: n/a

Certification
  CRAMM: certification helps for BS 7799 and ISO/IEC 27001
  NIST SP 800-30: certification helps for ISO/IEC 27001
  Octave: certification helps for ISO/IEC 27001

Disadvantages

Scope
  CRAMM: n/a
  NIST SP 800-30: n/a
  Octave: n/a

Right of use
  CRAMM: you have to pay the license fee (beyond the cost of implementing and maintaining the analysis)
  NIST SP 800-30: you have to pay the license fee (beyond the cost of implementing and maintaining the analysis)
  Octave: external use: limited by the license fee for use
Risk calculation (columns of the original table: asset assessment, threat, vulnerability, probability, impact, risk)
  CRAMM: asset X valued [1-5]; threat Y; vulnerability W; probability Z [1-5]; impact [1-5]; risk on a scale of 3 to 15
  NIST SP 800-30: asset X valued High/Medium/Low; threat Y; vulnerability W; probability Z (High/Medium/Low); impact High/Medium/Low; risk High/Medium/Low
  Octave: asset X (the highest risk is found in a decision tree); threat Y; vulnerability W; probability Z; impact and risk: the highest risk is found in a decision tree
The aim of risk management is to reduce the probability and/or the impact. The threat itself cannot be reduced; what one tries to do is eliminate the vulnerability, so that the probability of the threat occurring is lower, or so that the impact if it does occur is smaller.
A good practice used by large companies is to apply NIST first to filter the high risks,
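As an added example (not part of the original slides), the CRAMM and NIST scoring rows of the table above side by side, showing how eliminating a vulnerability lowers the probability and therefore the risk under both schemes. The additive reading of CRAMM's 3-to-15 scale and the High/Medium/Low weights from the 2002 edition of SP 800-30 (Table 3-7) are assumptions stated in the code.

```python
"""Worked risk scoring for two of the schemes compared on the slides.

Added example, not part of the original comparison. Assumptions:
- CRAMM: asset value, probability and impact are each scored 1-5 and
  summed, the only reading that yields the slides' 3-to-15 risk scale.
- NIST SP 800-30 (2002 edition, Table 3-7): likelihood High/Medium/Low
  weighted 1.0/0.5/0.1, impact High/Medium/Low weighted 100/50/10, and
  the product mapped back to a High/Medium/Low risk level.
"""

LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}  # SP 800-30 (2002)
IMPACT = {"High": 100, "Medium": 50, "Low": 10}        # SP 800-30 (2002)


def cramm_risk(asset_value: int, probability: int, impact: int) -> int:
    """Additive CRAMM-style score: three 1-5 inputs give a 3-15 result."""
    for name, score in (("asset_value", asset_value),
                        ("probability", probability), ("impact", impact)):
        if not 1 <= score <= 5:
            raise ValueError(f"{name} must be in 1..5, got {score}")
    return asset_value + probability + impact


def nist_risk(likelihood: str, impact: str) -> str:
    """Qualitative NIST level: weight product bucketed per Table 3-7
    (>50 High, >10 Medium, otherwise Low)."""
    score = LIKELIHOOD[likelihood] * IMPACT[impact]
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def level_to_cramm(level: str) -> int:
    """Map a High/Medium/Low rating onto the 1-5 scale (assumed 5/3/1)."""
    return {"High": 5, "Medium": 3, "Low": 1}[level]


def compare(asset_value: int, likelihood: str, impact: str) -> dict:
    """Score one asset/threat pair under both schemes from shared inputs."""
    return {
        "cramm": cramm_risk(asset_value, level_to_cramm(likelihood),
                            level_to_cramm(impact)),
        "nist": nist_risk(likelihood, impact),
    }


if __name__ == "__main__":
    # Constructed scenario: a top-valued asset with an exploitable vulnerability.
    before = compare(5, "High", "High")  # {'cramm': 15, 'nist': 'High'}
    # Removing the vulnerability lowers the probability, not the threat itself.
    after = compare(5, "Low", "High")    # {'cramm': 11, 'nist': 'Low'}
    print("before:", before, "after:", after)
```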