I've heard of FAIR, and that seems pretty great.
What other methodologies are there? How do they work?
What are their benefits, and their drawbacks compared to others?
When is each appropriate?
From another Area51 proposal.
I've heard of FAIR, and that seems pretty great.
What other methodologies are there? How do they work?
What are their benefits, and their drawbacks compared to others?
When is each appropriate?
From another Area51 proposal.
I suggest reading Krag Brotby's Information Security Management Metrics book for coverage of most of the relevant risk analysis frameworks that are usually tailored to a specific kind of risk (e.g. financial analysis for information security management programs or risk management programs could use ROSI, ALE/SLE, VAR, cost-effectiveness, etc).
I also suggest looking at FISAP and IIA GAIT
The fundamental deference between the two methodologies is that GAIT is qualitative while FAIR is quantitative. Bottom line, GAIT is another one of those methods such as SAS70, SOX, Cobit and the rest that will end up to be a checklist exercise that will tell you nothing about your security or what the monetary value of your IT risk is.
+1 for GAIT. Definitely recommend a good look at it!