
I'm looking for a fully open quantitative risk assessment methodology.

Most of the methodologies have usage or licensing restrictions placed upon them.

I define open as methodology covered by something equivalent to the Creative Commons CC BY or CC BY-SA licenses.

I've looked at FAIR, OCTAVE, CRAMM and a few others, all of which have restrictive licenses.

– Ben

2 Answers

My first recommendation for what you're looking for would be SOMAP. Their website claims open source, but I'm not sure it meets your needs entirely.

This question is similar to this other question, but I'll let you decide if anything is of value there.

In the government domain, the National Institute of Standards and Technology (NIST) has Special Publication 800-37, which was originally taken from the FITSAF standard on risk assessments, so it's worth a mention.

The book "Information Security Management Handbook, Sixth Edition" explains that security risk assessments are usually based on a value chain model. Another book, "How to Complete a Risk Assessment in 5 Days or Less", covers the author's FRAAP process. There are a few books coming out very soon that look to answer your question best. One is from Syngress Press, by author Evan Wheeler. Another, by Douglas Landoll, is in its second edition. A recent book from Andrew A. Vladimirov came out, but I have not yet read it.

– atdre
  • thanks, SOMAP's a possibility although a little hand-wavey and unfinished. The other thread covers FAIR, GAIT and FISAP - both have restrictive licensing. SP800-37 is more of a guide to applying risk management, not a quantitative technique itself. I think anything in a book is going to be covered by some licensing restriction. – Ben May 15 '11 at 13:53

The OSSTMM might be a candidate, although I'm not sure about licensing: see here for details.

– kindofwhat
  • good suggestion, the OML 3 reads almost like a BSD license. However, the OSSTMM is less about risk assessment and more about testing. Still some usable bits. – Ben May 15 '11 at 16:40
  • @Bob good to know, please do not underestimate the OSSTMM as "only" being a testing methodology (yeah, despite the name). The link between classical risk assessment and the OSSTMM is described [here](http://www.isecom.org/research/ravs.shtml) – kindofwhat May 15 '11 at 17:45
  • (who's Bob?) The RAVs do look interesting – Ben May 16 '11 at 03:26
  • @Ben meant you of course ;). – kindofwhat May 16 '11 at 09:30