The attributes of risk in healthcare

The attributes of risk

Risk in information systems is generally perceived in relation to attributes. [ISO 17799] proposes the attributes of confidentiality, integrity and availability, and notes that other attributes such as authenticity, accountability, non-repudiation and reliability may also be involved. [Zhou, 1999] proposes confidentiality, integrity, availability, non-repudiation and authentication. We present here some definitions.


Confidentiality

Confidentiality is the property that information is not made available or disclosed to unauthorized individuals, entities, or processes.1 Confidentiality exists when information is communicated in the context of a special relationship (such as doctor-patient, lawyer-client, etc.) where the information is intended to be held in confidence or kept secret [CIHR, 2002]. It is an ethical concept that regulates communication of information between individuals [Roger, 1998]. The status of confidential is accorded to data or information indicating that it is sensitive for some reason, and therefore it needs to be protected against theft, disclosure, or improper use, or both, and must be disseminated only to authorized individuals or organizations with a need to know.2 Individuals have a right to the privacy and confidentiality of their health information [Buckovich, 1999].

Confidentiality is at the heart of medical practice and is essential for maintaining trust and integrity in the patient-physician relationship. Knowing that their privacy will be respected gives patients the freedom to share sensitive personal information with their physician [WMA, 2002]. The Declaration of Geneva requires physicians to « preserve absolute confidentiality on all he knows about his patient even after the patient has died » [WMA, 2002].

Confidentiality is a managerial responsibility: it concerns the problems of how to manage data by rules that are satisfactory to both the managers of data banks and the persons to whom the data pertain [Thompson, 2001]. The enforcement of classification-clearance matching is mandated by directives and regulations: an individual may not exercise his own judgement to violate it [Bell, 1976]. In the same way, as health professionals do not belong to the same structures, which are independent of each other, the confidentiality of the activity of each structure must be ensured as well [Kerkeri, 2001]. In [Pace, 2003], confidentiality is maintained by de-identifying reports and eliminating elements within the database that would facilitate linking a report to a specific event identified by other means, such as through the patient’s medical record.


Integrity

Integrity is the property of safeguarding the accuracy and completeness of assets [ISO 13335-1]. Integrity is a property determined by approved modification of information [Bell, 1976].

Individuals have the right to the integrity of their health information. Entities and/or persons that create, maintain, use, transmit, collect, or disseminate individual health information shall be responsible for ensuring this integrity [Buckovich, 1999].

Continuity of care might imply a complete communication of medical data, respecting its integrity and its availability [Roger, 1998]. For example, in a picture archiving and communication system (PACS), the data integrity is essential for passing the correct information to the doctor [Tsong, 2003].

Outside of signing checksums on large fields (such as medical images), integrity can only be partially guaranteed by authenticating the individual at the source site responsible for transferring the information, and trusting the individual to verify the data [Cody, 2003].

Data integrity includes minimization of data redundancy, improvement of data maintenance, and elimination of multiple versions of data [Candler, 1999].

In addition to malicious threats, the threats that come from software, hardware, or network failure, or the threats that come from simple human error can affect the integrity of an information system [Cody, 2003].


Availability

Availability is the property of being accessible and usable upon demand by an authorized entity (ISO 7498-2:1989).

The availability of intelligently integrated and verified operational information could have a profound effect on decision-making in a wide range of contexts [Brender, 1999]. Health research, particularly in the areas of health services and policy, population and public health, critically depends on the ready availability of existing data about people [CIHR, 2002].

Non-repudiation

Non-repudiation refers to the ability to prove an action or event has taken place, so that this event or action cannot be repudiated later.3

[ISO 13888-1] identifies the following non-repudiation services:

  • Non-repudiation of creation: to protect against an entity’s false denial of having created the content of a message.

  • Non-repudiation of delivery: to protect against a recipient’s false denial of having received the message and recognised the content of a message.

  • Non-repudiation of knowledge: to protect against a recipient’s false denial of having taken notice of the content of a received message.

  • Non-repudiation of origin: to protect against the originator’s false denial of having approved the content of a message and of having sent a message.

  • Non-repudiation of receipt: to protect against a recipient’s false denial of having received a message.

  • Non-repudiation of sending: to protect against the sender’s false denial of having sent a message.

  • Non-repudiation of submission: to provide evidence that a delivery authority has accepted the message for transmission.

  • Non-repudiation of transport: to provide evidence for the message originator that a delivery authority has delivered the message to the intended recipient.

Non-repudiation technologies, such as digital signatures, are used to ensure that a person performing an action cannot subsequently deny performing that action. This is useful for digital contracts, statements and anywhere else that a signature would be used in the physical world. Digital signatures are commonly used for non-repudiation, and are normally based on PKI, which uses asymmetric ciphers [Helvey, 2004].

Digital signature safeguards can provide protection to enable non-repudiation [ISO 13335-2].

Cryptographic techniques (e.g. based on the use of digital signatures) can be used to prove or otherwise the sending, transmission, submission, delivery, receipt notification, etc. of messages, communications and transactions [ISO 13335-2].
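The evidence flow behind two of the services listed above, non-repudiation of origin and of receipt, worked through with digital signatures: the originator signs the message, the recipient signs a receipt bound to that exact message, and a third party settles any later denial using public keys only. This is an added example, not code from the page or the cited standards; it uses textbook RSA over SHA-256 with two hand-picked Mersenne primes per party so the arithmetic is visible, and without padding, so it is an illustration of the protocol and not a secure signature scheme.

```python
"""Non-repudiation of origin (NRO) and of receipt (NRR) with digital signatures.
Toy textbook RSA (no padding, hand-picked primes): illustrative only, insecure."""
import hashlib
from typing import Dict, NamedTuple


class PublicKey(NamedTuple):
    n: int
    e: int


class KeyPair(NamedTuple):
    pub: PublicKey
    d: int  # private exponent; never leaves its owner


def toy_keypair(p: int, q: int, e: int = 17) -> KeyPair:
    """Textbook RSA key from two primes (constructed sizes, not for real use)."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+); requires gcd(e, phi) == 1
    return KeyPair(PublicKey(n, e), d)


def _digest(data: bytes, n: int) -> int:
    # SHA-256 reduced into the RSA group; a real scheme pads instead of reducing.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(data: bytes, key: KeyPair) -> int:
    return pow(_digest(data, key.pub.n), key.d, key.pub.n)


def verify(data: bytes, sig: int, pub: PublicKey) -> bool:
    return pow(sig, pub.e, pub.n) == _digest(data, pub.n)


def receipt_for(message: bytes) -> bytes:
    """What the recipient signs: a commitment to the exact message received."""
    return b"RECEIVED:" + hashlib.sha256(message).hexdigest().encode()


def exchange(message: bytes, originator: KeyPair, recipient: KeyPair) -> Dict[str, object]:
    """Both sides' steps. Originator sends message + NRO signature; the recipient
    checks it before answering with a signed receipt, the NRR evidence."""
    nro = sign(message, originator)
    if not verify(message, nro, originator.pub):
        raise ValueError("recipient rejects message: origin signature invalid")
    nrr = sign(receipt_for(message), recipient)
    return {"message": message, "nro": nro, "nrr": nrr}


def adjudicate(evidence: Dict[str, object], originator_pub: PublicKey,
               recipient_pub: PublicKey) -> Dict[str, bool]:
    """Third party decides, from public keys alone, which denials are refuted.
    A shared-secret MAC could not do this: either party could have made the tag."""
    msg = evidence["message"]
    return {
        "origin_proven": verify(msg, evidence["nro"], originator_pub),
        "receipt_proven": verify(receipt_for(msg), evidence["nrr"], recipient_pub),
    }


# Constructed keys. 2^31-1, 2^61-1, 2^107-1 and 2^127-1 are Mersenne primes and
# 17 is coprime to each (p-1)(q-1); the parties share no prime.
ALICE = toy_keypair(2**31 - 1, 2**61 - 1)   # originator (e.g. the reporting site)
BOB = toy_keypair(2**107 - 1, 2**127 - 1)   # recipient (e.g. the registry)


def demo() -> Dict[str, bool]:
    """Constructed message: the receiver later denies receipt, the sender denies origin."""
    evidence = exchange(b"Discharge summary, patient P-0001 (constructed)", ALICE, BOB)
    return adjudicate(evidence, ALICE.pub, BOB.pub)


if __name__ == "__main__":
    print(demo())
```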

Access controls

Access control technologies are used to protect information by restricting access to information or operations, according to the identity of the accessor. Common mechanisms for access control are discretionary (DAC), mandatory (MAC), and role-based (RBAC). DAC is based on the identity or group membership of the user, and allows the user to specify which other users may access the information. MAC is common in secure operating systems, and uses labels and access control lists to protect information. RBAC allows access control policies to be defined according to the user’s role in an organization, such as administrator, supervisor, researcher, and so on [Helvey, 2004].

Health care organisations have knowingly compromised information security through less than satisfactory access controls simply in order to encourage all staff to use the computer systems. Once such a compromise has been adopted, it is subsequently very difficult to convince users of the need to strengthen access control. Once appropriate access control and auditing are installed, staff scepticism soon turns to acceptance as they come to realise their importance and benefit [Gaunt, 2000].

In a HIPAA-mandated PACS environment, from an application point of view, there should be a log mechanism to keep track of access information such as [CAO, 2003]:

  • Identification of the person that accessed this data

  • Date and time when data has been accessed

  • Type of access (create, read, modify, delete)

  • Status of access (success or failure)

  • Identification of the data.
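The RBAC model described under access controls and the five audit fields listed for the PACS log, combined into one decision point that records every attempt, denied ones included. This is an added example, not code from the cited papers; the roles, the permission policy, the user directory and the study identifiers are constructed.

```python
"""RBAC decision point that writes one audit record per access attempt with the
fields a HIPAA PACS log should carry: who, when, type of access, outcome, which data.
Roles, policy, directory and identifiers are constructed for the example."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, Optional

ACCESS_TYPES: FrozenSet[str] = frozenset({"create", "read", "modify", "delete"})

# Constructed RBAC policy: role -> permitted access types. Researchers read only,
# supervisors may also create and modify, administrators may additionally delete.
POLICY: Dict[str, FrozenSet[str]] = {
    "researcher": frozenset({"read"}),
    "supervisor": frozenset({"read", "create", "modify"}),
    "administrator": ACCESS_TYPES,
}


@dataclass(frozen=True)
class AuditEntry:
    user_id: str      # identification of the person that accessed the data
    timestamp: str    # date and time of the access (UTC, ISO 8601)
    access_type: str  # create, read, modify or delete
    status: str       # "success" or "failure"
    data_id: str      # identification of the data (e.g. a study identifier)
    role: str         # role the decision was based on ("unknown" if unregistered)


class AccessMonitor:
    """Decides RBAC requests and keeps the audit trail for them."""

    def __init__(self, directory: Dict[str, str]) -> None:
        self._directory = directory          # user_id -> role (constructed)
        self.log: List[AuditEntry] = []

    def request(self, user_id: str, access_type: str, data_id: str,
                now: Optional[datetime] = None) -> bool:
        if access_type not in ACCESS_TYPES:
            raise ValueError(f"unknown access type: {access_type}")
        role = self._directory.get(user_id, "unknown")
        allowed = access_type in POLICY.get(role, frozenset())
        stamp = (now or datetime.now(timezone.utc)).isoformat()
        # Denied attempts are recorded as well: the failure status is what an
        # auditor uses to spot probing or mis-provisioned accounts.
        self.log.append(AuditEntry(user_id, stamp, access_type,
                                   "success" if allowed else "failure",
                                   data_id, role))
        return allowed

    def failures_by_user(self) -> Dict[str, int]:
        """Denied attempts per user, a simple review signal over the trail."""
        counts: Dict[str, int] = {}
        for entry in self.log:
            if entry.status == "failure":
                counts[entry.user_id] = counts.get(entry.user_id, 0) + 1
        return counts

    def history_of(self, data_id: str) -> List[AuditEntry]:
        """Every attempt against one record, in order: who, when, what, outcome."""
        return [e for e in self.log if e.data_id == data_id]


def demo() -> AccessMonitor:
    """Constructed sequence of requests against the monitor."""
    monitor = AccessMonitor({"r.lee": "researcher", "s.kim": "supervisor",
                             "a.roy": "administrator"})
    when = datetime(2004, 6, 1, 9, 30, tzinfo=timezone.utc)
    monitor.request("r.lee", "read", "STUDY-0001", when)    # allowed
    monitor.request("r.lee", "delete", "STUDY-0001", when)  # denied, still logged
    monitor.request("s.kim", "modify", "STUDY-0001", when)  # allowed
    monitor.request("ghost", "read", "STUDY-0002", when)    # unregistered user, denied
    monitor.request("a.roy", "delete", "STUDY-0002", when)  # allowed
    return monitor


if __name__ == "__main__":
    for entry in demo().log:
        print(entry)
```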

The model for authorisation and access control in distributed health information systems has to deal with policy description and negotiation including policy agreements, authentication, certification, and directory services but also audit trails, altogether forming the privilege management infrastructure [Blobel, 2004].

Technology can help ensure the granting and restriction of access to those users with legitimate needs, by means of passwords, access codes, and other identifying mechanisms [Buckovich, 1999].

Privacy vs security

The right to privacy entitles people to exercise control over the use and disclosure of information about them as individuals. The privacy of a patient’s personal health information is secured by the physician’s duty of confidentiality [WMA, 2002].

Privacy is a social, cultural and legal concept, all three aspects of which vary from country to country [Thompson, 2001]. While security of personal data may be instrumental for this purpose, ‘data security is a very different thing from privacy’.4

Privacy: ‘‘The right of individuals to be left alone and to be protected against physical or psychological invasion or the misuse of their property. It includes freedom from intrusion or observation into one’s private affairs, the right to maintain control over certain personal information, and the freedom to act without outside interference.’’5

Information privacy can be thought of as a set of controls placed upon organizations over the uses of personal information in their custody and control, and the rights conferred upon individuals over their personal information. What becomes clear in mapping out these security and privacy elements is that some of the components of privacy protection can be addressed by security safeguards, while others cannot. Some security functions may actually hinder or even threaten necessary privacy protection. Some privacy measures may weaken or threaten justified security measures. Hence the security–privacy paradox [Cavoukian, 2003].

The Declaration of Helsinki states: « It is the duty of the physician in medical research to protect the life, health, privacy, and dignity of the human subject » [WMA, 2002].

A recurring idea is that a research database of patient data can and should be ‘‘scrubbed’’ of personal identifying information, and thereafter the ‘‘clean’’ database can be made available for research on a less restricted basis.

[Behlen, 1999] argues that such complete scrubbing is not feasible, and even if it were feasible, it would not be appropriate ethically. A troublesome requirement for exemption is that of ‘‘throwing away the key’’ that links data to a patient. This requirement presents some practical, scientific, and ethical problems:

  • It forecloses the possibility of benefit to the patient;

  • The requirement greatly complicates the maintenance of a current database;

  • The requirement eliminates some checks against scientific fraud.

Quality of data is crucial to privacy protection. Security is necessary, but far from sufficient, to ensure privacy. Computer scientists and others often take ‘privacy’ to mean (only) ‘data security’ against risks of unauthorized access, physical damage to databases or transmissions, and the like. However, it is no comfort to a privacy-aware individual to be told that inaccurate, outdated, excessive and irrelevant data about her are encrypted and stored behind hacker-proof firewalls until put to use by (say) a credit-granting organization in making decisions about her [Raab, 2004]. Following intense scrutiny in some research projects, it may be necessary to conduct an independent reanalysis of the data and results to confirm the quality of the original data [Shortreed, 2003].

Privacy of information collected during health care processes is necessary because of significant economic, psychologic, and social harm that can come to individuals when personal health information is disclosed [Barrows, 1996].

Privacy and confidentiality of the patient record has attracted extensive debate and analysis, including discussion of research. Although policy issues regarding research access to public health databases have been analyzed in detail, less attention has been paid to the problem of how to oversee and administer, within the framework of applicable public policy, multicenter research using privately held patient records. In addition to public policy, the policies of each participating institution must be considered [Behlen, 1999].

The relationship between health care provider and patient is one characterized by intimacy and trust, and confidentiality is embedded at least implicitly in patient-provider interactions. The notion of confidentiality in health care has a strong professional tradition that has suffered progressive erosion due to third-party reimbursement schemes, managed care and other health care organizational structures, and the perceptions and culture of professionals within modern health care systems. One third of medical professionals have indicated that information is given to unauthorized people “somewhat often” [Barrows, 1996].

Ethical issues in healthcare database risk management

Clinical research must be done in the utmost respect of ethical concerns [Beecher, 1966]. The rights to privacy and confidentiality are intimately connected with the right to respect for one’s dignity, integrity and autonomy, which are constitutionally enshrined in the Canadian Charter of Rights and Freedoms and Quebec’s Charter of Human Rights and Freedoms [CIHR, 2002]. Privacy and confidentiality lie at the root of international and national ethics guidelines, as well as professional codes of deontology [CIHR, 2002] [CIHR, 2004]. They are the principal drivers of the requirement for adequate treatment of risk in healthcare organisations [Senate, 2002]. Legal uncertainty also makes it difficult for consumers to be aware of and understand their privacy and confidentiality rights [Buckovich, 1999].

The core principles at the heart of Canadian privacy legislation, which form the basis of the Canadian Standards Association [CSA, 2003] Model Code for the Protection of Personal Information [CIHR, 2004], together with [WMA, 1994] [WMA, 1995] [WMA, 2002] [Buckovich, 1999] [CIHR, 2004], identify the following areas of risk that need to be addressed in a CDW (clinical data warehouse):

  • Policies;

  • Confidentiality;

  • Privacy;

  • Integrity;

  • Availability;

  • Safeguards:

    1. Limiting collection;

    2. Management controls;

    3. Processes to enable challenging compliance;

    4. De-identification of data;

    5. Secure transmission of data;

    6. Accountability;

  • Openness:

    1. Informed consent;

    2. Identifying purposes;

    3. Access to information by patients (right to withhold, segregate, amend and copy);

    4. Limiting use, disclosure, and retention;

    5. Full disclosure (no secret databases shall exist);

    6. Non-commercial use (no medical record shall be sold or utilized for marketing purposes without the prior informed consent of the individual);

  • Documentation and training.

This is in accord with the requirements of the declarations of Lisbon [WMA, 1995], Geneva [WMA, 1994] and Helsinki [WMA, 2002], as well as [Belmont, 1979] [Helsinki, 1964] [Nuremberg, 1949] [Harkness, 2001].

Challenge: The selection and categorization of the different areas of risk that comprise the overall risk and areas of threats that should be considered in the implementation and use of a clinical data warehouse.

This would be a significant improvement when compared to the commonly used approaches that are mainly concerned with confidentiality, integrity and availability. This would also be better suited to the identified requirements that we have found in literature.

Combining the requirements

If we put this in the form of a table, the requirements could be represented as a matrix of risk requirement categories (columns) against stakeholder categories (rows), each cell listing the numbers of the applicable requirements from Annex A. Only the last column heading, Documentation and training, survived extraction, so the cells are given below per row, in their original left-to-right order, separated by |:

  • (stakeholder label lost): 1, 14, 35, 54, 57, 58, 60 | 7, 47, 66 | 2, 3, 4, 8 | 1b, 5, 6, 9, 11, 38, 39 | 14, 29, 30, 35, 36, 37 | 24, 50

  • Data users: 7b, 64, 65, 69, 70 | 40, 43 | 17, 18, 19, 35 | 19, 24, 42, 44, 45, 75, 76, 77, 78, 79, 80, 81, 82, 84 | 25, 48

  • Healthcare organisations: 14, 33, 54, 56, 60, 61 | 7b, 66 | 9, 10, 12, 13 | 26, 40, 61 | 14, 15, 16, 17, 18, 29 | 24, 50, 87 | 25, 48, 51

  • Healthcare professionals: 32, 58, 59, 62 | 46 | 73 | 9, 59 | 33 | 31, 33 | 32 | 25

  • Professional associations: 13 | 52 | 25

  • Healthcare industry: 13 | 26 | 15, 16

  • (stakeholder label lost): 13, 20 | 15, 18 | 15, 16, 18, 22, 29 | 28, 50

  • NGOs and Community groups: (no cells recovered)

  • IT staff: 34, 56, 60, 61, 63 | 7b, 66, 69, 71 | 10 | 26, 40, 61 | 35 | 19, 23, 24, 27, 34, 83, 85, 86, 88, 89, 90 | 25, 48

  • IT industry: (no cells recovered)


The requirements presented in this table were identified in our literature review; a complete list of the requirements with their references is presented in Annex A.

Challenge: further work could identify additional requirements that have been missed; further analysis may be needed. As well, the list of stakeholders and the categorization of stakeholder groups require validation.

1 [ISO/IEC 7498-2] as described in [ISO 13335-1]

2 American Society for Testing and Materials Committee E31 on Healthcare Informatics, Subcommittee E31.17 on Privacy, Confidentiality, and Access. Standard guide for confidentiality, privacy, access, and data security principles for health information including computer-based patient records. Philadelphia, Pa.: ASTM, 1997:2. Publication no. E1869-97. As cited in [Buckovich, 1999]

3 (ISO/IEC 13888-1:1997; ISO IS 7498-2:1989) as defined in [ISO 13335-1]

4 Calvin C. Gotlieb. Privacy: A Concept Whose Time Has Come and Gone. In D. Lyon and E. Zureik, editors, Surveillance, Computers and Privacy, pp. 156–171. University of Minnesota Press, Minneapolis, 1995. As cited in [Thompson, 2001]

5 American Society for Testing and Materials Committee E31 on Healthcare Informatics, Subcommittee E31.17 on Privacy, Confidentiality, and Access. Standard guide for confidentiality, privacy, access, and data security principles for health information including computer-based patient records. Philadelphia, Pa.: ASTM, 1997:2. Publication no. E1869-97. As cited in [Buckovich, 1999]

Definitions of risk

This document presents various definitions of risk found in the literature.
It is intended as a tool for students.

The word risk has its origins in the Middle-Ages Italian word risco, meaning jagged rock, used by early insurance companies to indicate the danger at sea.


From the Latin resecum.


Risk is discontinuity


Risk is dysfunction


Risk is disaster


Risk is the difference between what was expected and what happened


Risk is the Probability of a negative event while considering its consequences.


Risk as an undesirable event.


In some situations, risk is equated to a possible negative event.


Levin and Schneider (1997; p. 38) defines risks as “… events that, if they occur, represent a material threat to an entity’s fortune”. Using this definition, risks are the multiple undesirable events that may occur. Applied in a management context, the “entity” would be the organization. Given that perspective, risks can be managed using insurance, therefore compensating the entity if the event occurs; they can also be managed using contingency planning, thus providing a path to follow if an undesirable event occurs. This definition of risk is analogous to the concept of risk as a possible reduction of utility discussed by Arrow (1983).


Risk as a probability function. Some fields, instead of focusing on negative events, are primarily concerned with the probabilities of an event. For example, medicine often focuses solely on the probability of disease (e.g. heart attack), since the negative consequence is death in many cases. It would be useless to focus on the consequence itself since it is irreversible. Odds of occurrence are the key element. Data is used to determine what can influence those probabilities (heredity, smoking habits, cholesterol level, etc.). In its definition of sentinel events (occurrence involving death or serious injury), the Joint Commission on the Accreditation of Healthcare Organizations uses “risk” as the chance of serious adverse outcome (Kobs, 1998). Life insurance adopts this approach and uses mortality tables to evaluate these probabilities. In this context, a “good risk” will be a person with a low probability of dying within a given period (and hence, for the insurance company, a low probability of having to pay a compensation) and a “bad risk” would be a person with a high probability of dying within the period.


Risk as variance. Finance adopts a different perspective of risk, where risk is equated to the variance of the distribution of outcomes. The extent of the variability in results (whether positive or negative) is the measure of risk.


Risk is defined as the volatility of a portfolio’s value (Levine, 2000). Risk management means arbitrating between risk and returns. For a given rate of return, managers will prefer lower volatility but would be likely to tolerate higher volatility if the expected return was thought to be superior. Portfolio managers therefore aim to build a portfolio that is on the efficient frontier, meaning it has “the highest expected return for a given level of risk, and the lowest level of risk for a given expected return” (Schirripa and Tecotzky, 2000; p. 30).


Risk as expected loss. Other fields, such as casualty insurance, adopt a perspective of risk as expected loss. They define risk as the product of two functions: a loss function and a probability function. Car insurance is a good example. In the eventuality of an accident, there is a loss function that represents the extent of the damages to the car, which can range from very little damage to the total loss of the car. There is also a probability function that represents the odds that an incident will occur. The expected loss (risk) is the product of these two functions (Bowers et al. 1986).

While in certain circumstances the probability of occurrence of an undesirable outcome can be estimated on the basis of past performance characteristics of the object under study (Linerooth-Bayer and Wahlstrom, 1991), in several areas probabilities are often difficult, if not impossible, to assess on the basis of past performance (Barki, Rivard, and Talbot, 1993). Consequently, several risk assessment methods adopt the approach of approximating the probability of undesirable outcomes by identifying and assessing factors that influence their occurrence (Anderson and Narasimhan, 1979; Boehm, 1991; Barki et al., 1993).

In a software development context, for instance, Barki et al. [5] have identified such factors, which belong to five broad categories: technological newness, application size, software development team’s lack of expertise, application complexity, and organizational environment. The degree to which each factor is present in a software project will contribute to increase the probability of occurrence of an undesirable outcome (here, project failure). Once this list is drawn, risk management methods try simultaneously to reduce the loss related to the undesirable event itself (such as penalties compensating for delays in the system delivery) or by reducing the probability of occurrence of such an event, by reducing the level of the risk factors (for example, by carefully selecting team members). While the definition of risk is not explicit about probability distribution, these probabilities (taking the form of factors) are taken into account when the risk evaluation is performed.


First it is necessary to define risk – “the combination of the probability of an event and its consequences.”2 There can be more than one consequence from an event and the consequences can be positive or negative. For safety and environmental risks, most of the consequences of interest are negative in value and impact human health in terms of mortality and morbidity risks.


In business terms, a risk is the possibility of an event which would reduce the value of the business were it to occur. Such an event is called an « adverse event. » Every risk has a cost, and that cost can be (more or less precisely) quantified. The cost of a particular risk during a particular period of time is the probability of an adverse event occurring during the time period multiplied by the downside consequence of the adverse event. The probability of an event occurring is a number between zero and one, with zero representing an event which will definitely not occur and one representing an event which definitely will occur. The consequence of an event is the dollar amount of the reduction in business value which the event will cause if it occurs [Har]


Risk arises because users are consciously aware that the information is of uncertain quality and that relying on poor information, knowledge, or the documents they produce.


In our interviews, several respondents openly acknowledged that they could never achieve 100% security on their own because their risks are often created by the behaviors of others who also lack the incentive to heighten security.


Another way to estimate the intensity of the competition consists of making the link between the principal players’ market shares and the “generic medicines” risk, in other words the percentage of patent medicines’ sales for which the patent will be up during a given period.


March and Shapira (1987) observe that according to classical decision theory, risk is generally understood to be the distribution of possible outcomes, their likelihood, and their subjective values. In project management, this definition can be applied to time, cost, performance, and many other influential factors in any project that impact these three concerns. However, project managers, firms, and stakeholders rarely share the very same view or opinion of what the possible outcomes are for a project, much less their likelihood. Kahneman

Informational Risk management requirements in healthcare

Today, Information Technology (IT) has become necessary for the provision of efficient healthcare services. As computers are becoming integrated in almost every technology, healthcare is a domain that has benefited significantly from technological innovation. Healthcare workers rely ever more on the timely availability of accurate, quality information in all aspects of patient care, public health and healthcare management. Trustworthiness in stakeholder communication and co-operation throughout the complete lifecycle of health data, starting with informed consent and respecting an individual’s rights (including the right to privacy), is fundamental, expected by the stakeholders and necessary. These reasons and others bring to the forefront a new source of concern for patients, healthcare workers and other stakeholders: Informational Risk. The management of Informational Risks, in a formal organisational process, in a healthcare organisation is what we define as Healthcare Information Risk Management or HIRM. The goals of HIRM are:

  • To ensure the privacy of patients and the confidentiality of health care data by the prevention of the unauthorized disclosure of information;
  • To ensure the integrity of health care data by the prevention of unauthorized or accidental modification of information;
  • To ensure the timely availability of health data for authorized persons by the prevention of unauthorized, accidental or unintended withholding of information or resources.


The word risk finds its origins in the Middle-Ages Italian word risco, meaning sharp rock. In the 17th century, as the early insurance companies were involved in maritime shipping, risk evolved from meaning sharp rocks that were a source of danger for ships to signifying the danger that future expected results may be negatively impacted. Since the introduction of probabilities by Blaise Pascal and the early work of the French philosopher Jean-Jacques Rousseau on uncertainty, the idea has developed that risk is something that can be studied and managed. Risk stems from uncertainty surrounding potential future states and the consequences of those states should they occur. In epidemiology, it is most often used to express the probability that a particular outcome will occur following a particular exposure. Informational Risk is defined as risk that may impact the timely availability of accurate, quality information.

There are many different types, or categories, of risk. Most will be familiar with financial risks, environmental risks, operational risks, and insurance risks, to name only a few. As risk is present in all endeavours, there is a near infinite list of different types of risk. An organization must identify the activities where risks are the most significant for the organization. This may be motivated by several factors such as its legal obligations, the expectations of its stakeholders or other reasons considered significant by managers in the organization. When an outcome is certain, we do not have risk; we have a certainty.

Components of risk

Risk can be defined in the mathematical fashion by a simple equation.

Risk = threat x likelihood x impact

While risk is directly proportional to the likelihood of the realization of a threat and directly proportional to the impact, it is inversely proportional to the risk mitigation measures implemented by an organization. There is a limit beyond which the impact no longer affects risk in a significant fashion: for example, when a building is damaged to the point that it can no longer be used and must be destroyed, additional damage is unlikely to have a much greater impact. The relationship between risk and impact should therefore not be understood to be a linear one. In the same fashion, risk mitigation measures will reduce risk only up to a certain limit. There is a point where risk mitigation measures may actually begin to increase risk, for example because of the added complexity they may bring to information systems.
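The two definitions given on this page carried through in code: risk as expected loss in the casualty-insurance sense (probability x loss summed over the possible outcomes) and risk = threat x likelihood x impact, with the two non-linearities described above, an impact that saturates at total loss and mitigation that eventually raises risk again. This is an added example, not from the original text; the saturation cap, the multiplicative complexity penalty per control and the diminishing effectiveness of successive controls are modelling assumptions made here, and all figures are constructed.

```python
"""Risk arithmetic: expected loss, and threat x likelihood x impact after mitigation.
The saturation and complexity models are illustrative assumptions, not from the page."""
from typing import List, Sequence, Tuple

Outcome = Tuple[float, float]  # (probability of the outcome, loss if it occurs)


def expected_loss(outcomes: Sequence[Outcome]) -> float:
    """Casualty-insurance view: risk = sum of probability x loss over the outcomes."""
    if any(p < 0 or loss < 0 for p, loss in outcomes):
        raise ValueError("probabilities and losses must be non-negative")
    if sum(p for p, _ in outcomes) > 1.0 + 1e-9:
        raise ValueError("outcome probabilities exceed 1")
    return sum(p * loss for p, loss in outcomes)


def bounded_impact(impact: float, total_loss: float) -> float:
    """Beyond total loss (the building that must be demolished) further damage
    adds nothing to the impact term."""
    return min(impact, total_loss)


def residual_risk(threat: float, likelihood: float, impact: float, total_loss: float,
                  controls: Sequence[float], complexity_penalty: float = 0.0) -> float:
    """risk = threat x likelihood x impact, reduced by the controls in place.
    threat: 0..1 weight for how present the threat is (assumed scale).
    controls: fraction of risk each measure removes, in [0, 1]; what they let
    through multiplies. complexity_penalty: assumed relative increase in
    likelihood per control, the extra complexity mitigation adds to the system."""
    if not (0.0 <= threat <= 1.0 and 0.0 <= likelihood <= 1.0):
        raise ValueError("threat and likelihood must lie in [0, 1]")
    if any(not 0.0 <= c <= 1.0 for c in controls):
        raise ValueError("control effectiveness must lie in [0, 1]")
    effective_likelihood = min(1.0, likelihood * (1.0 + complexity_penalty) ** len(controls))
    passthrough = 1.0
    for c in controls:
        passthrough *= 1.0 - c
    return threat * effective_likelihood * bounded_impact(impact, total_loss) * passthrough


def diminishing_controls(first: float, ratio: float, count: int) -> List[float]:
    """Each further control overlaps with the earlier ones and removes less."""
    return [first * ratio ** k for k in range(count)]


def risk_curve(threat: float, likelihood: float, impact: float, total_loss: float,
               controls: Sequence[float], complexity_penalty: float) -> List[float]:
    """Residual risk after 0, 1, ..., len(controls) controls are applied in order."""
    return [residual_risk(threat, likelihood, impact, total_loss, controls[:k], complexity_penalty)
            for k in range(len(controls) + 1)]


def turning_point(curve: Sequence[float]) -> int:
    """Number of controls at which residual risk is lowest; beyond it, more raises it."""
    return min(range(len(curve)), key=lambda k: curve[k])


if __name__ == "__main__":
    # Constructed car-insurance style outcomes: no accident, minor damage, write-off.
    print("expected loss:", expected_loss([(0.90, 0.0), (0.08, 500.0), (0.02, 20000.0)]))
    # Constructed scenario: impact 50 000 but total loss reached at 30 000.
    curve = risk_curve(1.0, 0.1, 50000.0, 30000.0, diminishing_controls(0.5, 0.5, 6), 0.1)
    print("residual risk by number of controls:", [round(r, 2) for r in curve])
    print("best number of controls:", turning_point(curve))
```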

While several theories have been developed in the past, particularly in relation to gains and financial investments, there is no single mathematical representation of risk that can apply to all situations. This is why risk can be regarded more as a state of mind than as a quantifiable object.

In any business activity, operation or opportunity, internal or external forces will generate pressures, which we see as having an influence on the amount of risk perceived from within. These internal or external forces are seen as threats to the achievement of the expected outcome. If, by looking at the processes, we are able to identify these forces, it may be possible to get an understanding of risk at a moment in time in an organization. The probability of the realization of a threatening situation, considered together with the risk mitigation processes in place in an organization, forms the basis of risk management. There are various types of risk such as financial risks, insurance risks, health risks, environmental risks and many other categories. Our principal interest is in risks that affect information technology, systems and data, as well as risks that are generated by the integration of information technology in organizations, which we refer to as Informational Risks.

Informational Risk is composed of the following three component parts:

  • Threat
  • Vulnerability
  • Impact

For risk to exist, there must be a threat, or several threats, that may materialize and have a negative effect on the expected outcome. The possible negative outcome, the impact, should determine how many resources an organization should reasonably put forward to mitigate the impact of the realization of the threat, or to put in place tools or processes to reduce the likelihood that the threat materializes. Risk management is concerned with threats that may have a negative impact; however, it should be noted that this may not always be the case. Risk assessment methodologies tend to give more significance to events that may negatively impact the desired outcome.

Specific Guidelines

In assessing HIRM, an organisation must consider its requirements. These can be constructed from a variety of sources such as:

  • Applicable laws and regulation;
  • International treaties and conventions;
  • Healthcare authority rules and directives;
  • Codes of ethics and of deontology;
  • Standards, Best practices and guides such as this one;
  • Internal organisational policies, procedures;
  • Organisational requirements, objectives and goals.

Additional sources can also be used, according to the specific situation of a particular healthcare organisation. Overall, these requirements need to be translated into IT security requirements, generally expressed in terms of Confidentiality, Integrity and Availability. For example, [ISO17799] does not define exact requirements for how to proceed; it requires an organization to put in place a formal process to identify, quantify and prioritize risks against criteria and objectives relevant to the organization. This implies that an organization must first define what these criteria and objectives are, expressed in relation to the seven attributes of risk (confidentiality, integrity, availability, non-repudiation, control of the origin of data, control of the origin of user access, and access controls).

Organisations that have built a capacity to perform risk assessments and achieved a certain level of maturity may want to further detail these requirements. This, however, should not be attempted in initial risk assessments. Detailed requirements in healthcare may include many of those identified in the list below:

  • Policies;
  • Confidentiality;
  • Privacy;
  • Integrity;
  • Availability;
  • Safeguards:
    1. Limiting collection;
    2. Management controls;
    3. Processes to enable challenging compliance;
    4. De-identification of data;
    5. Secure transmission of data;
    6. Accountability and non-repudiation;
  • Openness:
    1. Informed consent;
    2. Identifying purposes;
    3. Access to information by patients (right to withhold, segregate, amend and copy);
    4. Limiting use, disclosure and retention;
    5. Full disclosure (no secret databases shall exist);
    6. Non-commercial use (no medical record shall be sold or used for marketing purposes without the prior informed consent of the individual);
  • Documentation and training.

Once these objectives have been identified, the organisation can determine the presence of one or several threats (recognition of threats) that have some probability of materializing. The likelihood that a threat may materialize and the significance of the impact, taken together, should help the organisation prioritize its risk treatment options, as identified in figure 1, and mobilize resources as required, achieving a level of risk within the organisation's capacity to tolerate it.
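As an added example, not part of the original guide, the prioritisation just described done in code: each threat is rated on ordinal likelihood and impact scales, the risk level is read from an agreed lookup matrix (ranks are positions, not quantities, so they are never multiplied), and the threats above the organisation's tolerance are the ones that need a treatment decision. The scale labels, the matrix, the tolerance and the sample register are assumptions for illustration.

```python
"""Added example, not part of the original guide: prioritising threats by
likelihood and impact, then flagging those above the organisation's
tolerance. The scale labels, the lookup matrix and the sample register are
assumptions for illustration."""
from dataclasses import dataclass
from typing import List

# Ordinal scales: a label's position is its rank, not a quantity, so ranks
# are never multiplied; the risk level comes from an agreed lookup matrix.
LIKELIHOOD = ["rare", "unlikely", "possible", "likely", "almost certain"]
IMPACT = ["negligible", "minor", "moderate", "major", "severe"]
LEVELS = ["low", "medium", "high", "critical"]

# Assumed 5x5 matrix: MATRIX[likelihood rank][impact rank] -> level.
MATRIX = [
    ["low", "low", "low", "medium", "medium"],
    ["low", "low", "medium", "medium", "high"],
    ["low", "medium", "medium", "high", "high"],
    ["medium", "medium", "high", "high", "critical"],
    ["medium", "high", "high", "critical", "critical"],
]


@dataclass
class Threat:
    name: str
    likelihood: str
    impact: str
    level: str = ""


def risk_level(likelihood: str, impact: str) -> str:
    """Look up the level; an unknown label raises ValueError instead of
    silently producing a rank."""
    return MATRIX[LIKELIHOOD.index(likelihood)][IMPACT.index(impact)]


def prioritise(threats: List[Threat]) -> List[Threat]:
    """Rate every threat and return them from highest to lowest level,
    breaking ties by impact and then by likelihood."""
    for t in threats:
        t.level = risk_level(t.likelihood, t.impact)
    return sorted(
        threats,
        key=lambda t: (LEVELS.index(t.level),
                       IMPACT.index(t.impact),
                       LIKELIHOOD.index(t.likelihood)),
        reverse=True,
    )


def above_tolerance(threats: List[Threat], tolerance: str) -> List[str]:
    """Names of the threats whose level exceeds the tolerated level; these
    are the ones that need a treatment decision and resources."""
    limit = LEVELS.index(tolerance)
    return [t.name for t in prioritise(threats) if LEVELS.index(t.level) > limit]


# Constructed sample register for a hypothetical clinic.
SAMPLE = [
    Threat("ransomware on the file server", "possible", "severe"),
    Threat("lab results faxed to the wrong number", "likely", "moderate"),
    Threat("UPS battery failure", "unlikely", "minor"),
    Threat("staff browsing a VIP patient's record", "possible", "major"),
]

if __name__ == "__main__":
    for t in prioritise(SAMPLE):
        print(f"{t.level:8} {t.name}")
    print("needs treatment:", above_tolerance(SAMPLE, "medium"))
```

The matrix and the tolerance level are the places where the organisation's criteria and objectives, defined beforehand, enter the calculation; changing either changes what gets flagged, which is exactly why they should be agreed before the assessment rather than during it.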

Risk Management

At the strategic levels of healthcare organisations, HIRM techniques should be used proactively to measure, reduce and maintain risk at an acceptable level for the organisation and its stakeholders. Because of the complex interactions of IT throughout healthcare organisations, HIRM activities should have high-level management support and involve all stakeholders, at a level commensurate with their role. At a high level, HIRM activities, while considering organisational goals, capacities and constraints, include:

  • Identification of threats and vulnerabilities;
  • Prioritisation of these threats and vulnerabilities;
  • Mobilisation of resources to eliminate unacceptable risk or to reduce the impact of threats and vulnerabilities to an acceptable level.

HIRM is often viewed as a subset of information system risk management. However, the requirements for HIRM differ from those of IT in a corporate setting. A complex mixture of organisational, ethical, legal and deontological requirements must be met in HIRM, and all need equal consideration. In a corporate setting, risk is often considered in relation to a future expected yield. In HIRM, future expected value should include elements that are difficult to quantify objectively, such as quality of life, population health levels and reduction of waiting times. The impact of HIRM can have human, ethical, legal, financial and even criminal consequences. Ethical issues, and in particular privacy issues, are not well addressed in current risk management methodologies. These risks tend to be underweighted in corporate settings, with the result that ethical and privacy risks receive less attention. HIRM must take this into account when applying any risk assessment or risk management methodology.

HIRM should be an ongoing activity, capable of continuously evolving and improving with the organisation's needs and society's expectations. Incorporating HIRM processes in a cyclical plan-do-check-act exercise, such as the one proposed in ISO 27001, allows organizations to proceed in a careful and paced manner.  In our experience this has proven to give the best results.

Risk treatment

Risk treatment, as the name implies, is about the options an organization has to deal with risk.  Our observations lead us to believe that all organizations have some form of risk treatment process.  Many organizations, most notably those led by their founders, have implemented informal risk management processes that can best be described as gut feeling. Managers who feel they have a keen understanding of their market, their organization and its environment will often make decisions about risk based on their experience, their abilities and their perception of a particular threat.  While this has worked well in the past for many organizations, it is no longer considered acceptable in light of laws, international treaties, ethical issues and the expectations of the general population.  Organizations today need to put in place formal risk treatment processes, often referred to as a risk management framework, to fulfil their legal and contractual obligations as well as to meet the expectations of their stakeholders.

In theory there are only four ways to deal with risk. Risk can be transferred, avoided, mitigated or accepted.

Figure 2: The treatment of risk (4 boxes)

Risk transfer

Risk transfer, as its name states, has to do with transferring risk from an organization to an external party.  An insurance policy is a form of risk transfer.  In recent years, post 9/11, cyber insurance has become more and more available.  While this was not a popular option only a few years ago, it may be an excellent way to manage certain types of risk.  While it does nothing about the threat itself or about the organization's assessment of the likelihood of its realization, risk transfer will greatly reduce the organizational impact of the realization of a threat.  In cyber insurance, for example, the evaluation of the likelihood of the realization of a threat is done by the insurer, who uses it to price a particular insurance policy.

In relation to a particular threat, an organization that wishes to transfer risk might choose to take out an insurance policy against that specific risk.  An insurance policy has the benefit of providing an easily quantifiable cost for the risk treatment decision; evaluating the pertinence of the decision is therefore made simpler because a quantifiable cost is attached to it. Note that a policy compensates the financial loss after the fact; harm to patients or to the organization's reputation is not transferred with it. Risk transfer is a risk treatment option that allows a reduction in risk levels in exchange for organizational resources, most often money.

Risk avoidance

Risk avoidance is about not undertaking a certain activity because the organization has decided that the associated risk, even considering its mitigation options, is too high.  The risk may be perceived as too high when in fact it is not, but the organization and its management feel that the game is not worth the candle.

Risk mitigation

Risk mitigation is about implementing tools, business processes and organizational change to reduce the level of risk associated with a threat. Risk mitigation activities may take many forms, such as the creation of an organizational risk management policy or the installation of a firewall.  Risk mitigation activities in an organization need to be supported by some form of risk assessment process.  This allows organizations to measure the effect of a risk mitigation measure on organizational risk and to make the best use of their resources.  Risk mitigation is at the heart of what we are discussing in this article; it is here that most organizations will spend the most time and money.  Implementing a firewall in an organization whose computer network is connected to the Internet is a risk mitigation activity.  Reviewing business processes to evaluate the risks associated with them, and identifying and implementing changes in the organization to better control these risks, is risk mitigation.

Risk mitigation, like risk transfer, is a risk treatment option that reduces risk levels in exchange for organizational resources, most often money. Risk mitigation measures, like any change in an organization, need to be planned and implemented with respect for the organizational culture.  A particular difficulty in many risk mitigation implementations has to do with change and resistance to change.

Risk acceptance

Risk acceptance is like saying: I know there is risk but I am willing to live with it.  This should not be confused with blind acceptance of risk, nor should it be taken to mean that no assessment, evaluation or management is done.  Risk acceptance should result only from due diligence performed in risk management: the organization must have given considerable thought to a threat and determined that the risk is at an acceptable level, considering its constraints, the likelihood of realization and the impact. Only then is acceptance a reasonable treatment of risk. An accepted risk should be recorded, with its owner and a review date, so that the decision is revisited when the threat or the organization changes.  If a risk is accepted without being clearly understood, acceptance becomes a very risky proposition.

Organisational maturity

One of the first things an organization can do when dealing with informational risk is to determine its level of organizational maturity.  The idea is that organizational change is complex; natural resistance to change and other organizational factors make it necessary for change to happen at a rate consistent with the organization's level of maturity.

We suggest using the model proposed by the SSE-CMM standard (ISO/IEC 21827). This model is based on the Capability Maturity Model, which is widely known in the information technology field.  In this model the level of risk maturity increases with the integration of risk management in the organization, as well as with the organization's understanding of the different aspects and elements of risk that affect it.  While complexity increases with the level of maturity, the organization acquires the ability to deal with it more efficiently.  Moving from one level of maturity to the next requires an investment of resources: time, money and people.  It also requires other elements that are specific to the organisation's requirements and constraints.

Figure : Capability Maturity Model

One of the key elements of risk management in organizations is the management of change.  Properly assessing where the organization finds itself at any given moment with regard to its risk maturity allows the organization, and particularly its risk managers, to put in place an action plan for establishing a risk management framework that respects the organization's ability to change, its requirements and its culture.  We have found in our practice that moving too quickly to implement a risk management framework will most likely result in failure.

Developing a risk culture

Organizations that think about risk as an integral part of their business decision processes are the most likely to manage risk appropriately in the short, medium or long term.  Successful organizations have developed a sensitivity to risk at every level.  By making risk a shared responsibility of all members of the organization, they have developed what is called a risk culture. This should be an important goal of any organization that wishes to implement a formal risk management framework.

Developing a risk culture involves ensuring that all members of the organization understand the existing and potential risks that their organization faces in its day-to-day activities.  These individuals then tend to include risk management considerations in what they do, so that risk is considered in all the activities of the organization: in areas where risk management has always been present in some form, such as financial activities, but also in areas such as logistics, application development, sales and all other business units of a small or large organization.

The first step towards this should probably be the nomination, or identification, of a risk champion.  The risk champion should be a senior and influential individual within the organization with a clear mandate from its highest levels.  This individual should have sufficient resources, such as time, staff, budget and technology, at a level deemed appropriate considering the particular constraints of the organization.  The job responsibilities should include those required to appropriately manage known risks to the organization and provide enough flexibility for the risk champion to respond to risk in all areas of the organization.  The risk champion can act as a single point of contact within the organization and between the organization and the outside world.

Communicating risk

A key to implementing a risk culture in any organization is communication.  Communicating information about risk to all members of the organization, at all levels, is a critical success factor for the implementation of a risk management framework.  From the inception of the project through its implementation, and throughout the continuous improvement process such as we propose here, ensuring that all stakeholders understand how they are affected by risk management activities is the best way to manage the natural resistance to change that is often the cause of failure of these types of projects.

While there is no single best way to communicate this information, we have found certain approaches present in successful projects. Visible management involvement and ownership of the project at the highest levels of the organization is certainly critical, and this high-level ownership must be publicized throughout the organization.  We also find that a communication plan including direct communications, by e-mail or a newsletter, is a good approach. Throughout the project, and on an ongoing basis after the initial implementation, the organization needs positive reinforcement about the usefulness of the risk management framework and of its risk management activities, in order to maintain the perception that it is necessary to allocate time, money and other resources to them.

A methodological assessment of Risk Analysis methodologies.

      by Marc-Andre Leger, DESS, MASc

          Lecturer, Graduate Programs in Governance, Audit and IT security
University of Sherbrooke, Quebec (Canada)


This article presents an assessment of Risk Analysis methodologies using a set of criteria. These criteria are applied to several methodologies and the results are presented. The methods CRAMM, ÉBIOS and Octave seem to have better results, while others, such as Méhari, have acceptable results but require a solid framing. Other methods are immature or unverifiable.


One of the tools in the arsenal of the Information Security (IS) professional, and of organizations wishing to implement a formal process of informational risk management (IRM), is the Risk Analysis methodology (RAM). Many methods are currently available, some free, others at a significant cost. In certain cases, organizations have created their own RAM to meet specific needs and particular constraints. Each of these methods can prove to be an effective tool when used diligently in a well defined context. However, like any tool, they have limits: they can be useful, but often only in a particular organisational context or a limited sphere of activity, such as banks or government agencies. Like other methodologies used in academic research, they seek to measure concepts, in the case of RAM the level of informational risk, through variables (such as threat or impact) according to measurement scales (for example: low, medium, high). Several of the measured concepts cannot be measured directly (as one reads a temperature on a thermometer) but only indirectly, requiring an individual to estimate the value of the variable allotted to the concept. Thus, like any methodology, a RAM must account for several sources of error or bias. For example, the selection of the individuals who give the answers, or the interpretation given to the answers, will affect the results. Likewise, the type of measurements used, the type of analysis (explanatory or statistical) of the measurements and the manner in which the results are presented can affect the interpretation of the results by stakeholders.

In the field of medicine, it is necessary to determine the risk associated with the introduction of new protocols of care or of new drugs. For historical and ethical reasons, the field of medicine systematized the use of methodologies during the last century. Several studies were carried out on the sources of errors and biases in methodologies, the goal being to make sure that the results of a study are faithful to the reality being examined.

This article presents a methodological assessment of RAM against criteria from various sources, including requirements of methodological rigour drawn from medicine as well as criteria from international standards. A partial table is included at the end of this article. The complete table is available on: or on the author's website ( The principal concepts are also presented. The article then presents the evaluation criteria used and the results of their application. It concludes with suggestions for future explorations.

Methodology used leading to this article

Various methodologies and certain methodological tools were examined. They were selected according to what is currently used or available in Quebec (Canada). They are:

Methodology     Source                              Language                     Critical mass of users   Available
Audicta         Audicta – Medical technologies      English and French           No                       Yes
Callio Secura   Callio                              English, French and others   No                       No
CRAMM           Insight, a division of Siemens      English                      Yes                      Yes
ÉBIOS           France (DCSSI and Club EBIOS)       English, French and others   Yes                      Yes
ISO 13335-2     ISO                                 English                      No                       No
IRAM            GAC-BNF                             English                      No                       No
IVRI            the author of this article          French                       No                       No
OCTAVE          CERT at Carnegie Mellon University  English                      Yes                      Yes
RiskIT          R&D-Ware OY                         English                      No                       Yes
RiskPro         HEC (Montréal) – CIRANO             French                       No                       No

Table 1: Methodologies assessed

Some of these methodologies are not presented in this article because they were either not easily available for analysis (IRAM, RiskIT, RiskPro) or are no longer available, following the suspension of activities (Callio) or the abandonment of the project (ISO 13335-2, IVRI). Although many other methodologies are available worldwide, they could not be identified and added within the scope of this study.

Methodologies for the analysis or management of risk were analyzed individually by the author by applying the criteria presented below. When possible, copies of the documents and tools being evaluated were obtained. The results were then compiled in a table which was circulated to a group of experts in risk management and experts in the various RAM. When necessary, additional explanations were provided to the experts. The experts submitted suggestions for corrections, which were integrated into a revised table, presented with this article. Where there was no consensus on the comments, discussions took place in order to arrive at the final results.

Of the methodologies analyzed, only four (4) could show a sufficient number of users to ensure their continued existence: CRAMM, ÉBIOS, Méhari and Octave. In the other cases, the available information did not make it possible to reasonably believe that the number of users was large enough to ensure long-term survival internationally.

What is Risk

Information Security (IS) refers to two concepts: security and information, security being defined as the absence of unacceptable risk. Informational Risk Management aims to preserve or improve the quality of the informational assets of an organization in relation to its expectations (e.g. availability, integrity) or the expectations of its customers (e.g. protection of privacy). Security is also necessary because technology applied to information creates intrinsic risks. For example, a piece of hardware has a limited lifespan and is subject to breakdowns. But many of these problems are foreseeable, since data are available on the capacities and performance of hardware (e.g. Mean Time Between Failures). The risk of breakdown can be estimated objectively on the basis of statistical data: the risk can be seen as the probability, over a given period, of having to repair a given piece of hardware. Thus there are several possible definitions of risk, and it is necessary to choose one. Unfortunately, much of what has been written on risk is based on anecdotal data or on studies limited to a particular aspect, and the use of these definitions is dubious. It is therefore essential to define what risk means for this article.

The word risk has its origins in the Middle Ages, in the Italian word risco, meaning jagged rock, which was used by early insurance companies to indicate danger at sea. The word also draws its origins from the Latin resecum. The early insurance companies (17th century) insured ships and their cargo against the risco, and the term evolved to become the word risk. Risk is often defined as a combination of the probability of occurrence of a harm and its gravity. For Knight, a significant author on risk in his time, risk refers to situations in which the decision maker assigns mathematical probabilities to the random events he faces. Risk is also defined as the variation in the results (outcomes) that can occur over a predetermined period in a given situation, or as a function of the variance of the probability distribution. Basically, risk is a social construct: it depends on who perceives it. The majority of definitions of risk integrate some element of subjectivity, according to the nature of the risk and the field in which the definition applies. But there is also objective risk, quantified in car insurance policies, for example. The various definitions of risk are integrated into an operational definition for this study. Risk is:

  • A discontinuity
  • A dysfunction
  • A disaster
  • The difference between what was expected ($) and reality
  • The Probability of an event and its Consequences

Informational risk depends on unacceptability in relation to the expected value of informational assets, often declared prospectively within an organization. Expectations are established on the basis of policies, strategy and context (political, environmental, social, technological and economic). In a way, Informational Risk Management (IRM) requires delimiting the sandbox (the limits of the organization) and drawing a line in the sand (the baseline), on the basis of expectations and context, that separates what is acceptable from what is not, and our part of the sandbox from what belongs to others (externalities).

Objective risk is present when the variation exists in the real (natural) world and is the same for all individuals in an identical situation. This is distinct from subjective risk, which is the estimation of objective risk by an individual or a group. Risk differs from uncertainty, where the randomness cannot be expressed by probabilities, even subjective ones. The word risk is generally used when there is at least the possibility of negative consequences. This article does not discuss uncertainty, which is mitigated in organizations by Change Management, Business Continuity Planning or Incident Management functions. Nor does it discuss positive consequences, which are not a concern of IS as such.

What is a methodology

The word methodology literally means the science of method. A methodology is a meta-method, a method of methods, which can be viewed as a kind of toolbox in which each tool is a process, a technique or a technology suited to solving a puzzle or determining the value of a particular variable. When an individual works in a field of knowledge, a methodology makes it possible to establish a succession of actions to carry out, questions to ask and choices to make, which allow a study or the resolution of a problem to be undertaken more effectively. It is one of the elements that make the difference between an art and a profession. In research, a methodology is this systematization of the study, independent of the subject of the study itself. It is what makes it possible to obtain results with demonstrable scientific standing, which can be reproduced or verified by individuals external to the study. It is a fundamental building block of modern scientific knowledge.

A methodology for informational risk assessment proposes a series of activities and tools that make it possible to analyze informational risk in a precise context and at a moment in time. In medical research, various qualities are necessary and expected of a methodology:

Credibility: The results of the analysis of the data collected reflect the experiences of the participants or the context with credibility.

Authenticity: The perspective of the participants are presented in the results of the analysis and show understanding of the subtle differences in opinion of all the participants.

Criticality: The analysis of the data collected and the results show evidence of an evaluation of the level of criticality.

Integrity: The analysis reflects repeated and recursive validation, together with a simple presentation.

Clarity: The methodological decisions and interpretations, as well as the particular positions of those who performed the study, are accounted for.

Realism: Rich descriptions that respect reality are clearly and vividly illustrated in the results.

Creativity: Creative methods of organizing, presenting and analyzing the data are incorporated in the study.

Exhaustiveness: The conclusions of the study cover all the questions put forward at the beginning, exhaustively.

Congruence: The process and the results are congruent, go hand in hand, and fit no context other than that of the studied situation.

Sensitivity: The study was made with consideration for human nature and the sociocultural context of the studied organization.

The following table presents a synopsis of the evaluation of how these criteria are treated in the methods studied.

Credibility      Yes   Yes   Yes   Yes   Yes
Authenticity     No    No    No    No    No
Criticality      Yes   Yes   Yes   Yes   Yes
Integrity        Yes   No    Yes   Yes   Yes
Clarity          No    No    No    No    No
Realism          No    No    Yes   No    No
Creativity       Yes   No    Yes   Yes   Yes
Exhaustiveness   No    No    No    No    No
Congruence       Yes   Yes   Yes   Yes   Yes
Sensitivity      No    No    Yes   No    No

Table 2: synopsis of the evaluation of the criteria in the analyzed methods.

The table shows that none of the methodologies meets all of the assessment criteria.

Why is this important?

According to Jung, there are two ways of obtaining information about the world that surrounds us: directly, perceived by our senses (e.g. we can touch, feel or see), or by intuition, which brings contents from the unconscious to the conscious (e.g. memory of acquired knowledge). Cognitive psychology teaches that this information, although it can seem exact to the individual, is prone to a number of biases, such as:

  • paralogisms (errors of reasoning) both formal and informal
  • cognitive dissonance
  • judgement heuristics
  • perceptual variations due to cultural or social factors
  • the limits of vigilance

Internal validity refers to the accuracy of the results. There is internal validity when the data from the field agree with their interpretation in the results of the study. A study can be considered for its internal validity, i.e. it is true for the population studied, meaning that the results correspond to what was studied for these individuals at a given time. Without performing an in-depth study, it was not possible to evaluate the internal validity of all the methodologies. External validity refers to the generalizability of the results (it allows impartial conclusions to be drawn about a population larger than the subjects studied). This aspect of validity matters only with regard to a particular target population outside the study, which is less critical for small organizations, given the limited use of RAM there, but more significant for large ones. For example, whether the results of a RAM carried out with seven participants in a business unit can be generalized to the whole organization (the target population being the whole organization and the studied population the seven individuals of a single division) is a question of external validity. Here also, without formal controls and an in-depth study, it is impossible to evaluate external validity.

Expressed simply, it is important to use a quality RAM for the following reasons:

  1. the process must be independent of those who carry it out
  2. the results of the analysis must be representative of reality
  3. the results are used to make decisions.

The measurement of the variables

A first problem relates to the measurement of the variables one seeks to study during a risk analysis. Measurement is the attribution of numbers to objects, events or individuals according to pre-established rules, with the aim of determining the value of a given attribute. In scientific research, a variable is a concept to which a measurement can be given. It corresponds to a quality (e.g. small, large) or a characteristic (e.g. size, age) that can be identified in an element (people, events) being the subject of a study and to which a value is assigned. Variables are connected to theoretical concepts by means of operational definitions, used to measure concepts, and can be classified in various ways according to the role they fill in a given study.

Part of informational risk can be measured objectively on the basis of an organization's historical data: this is objective informational risk. However, few organizations have a quantity of reliable objective data over a sufficient period of time to use it effectively. It is important to note that this part of risk raises problems of probability distribution which require explanation. When an individual assigns a potential risk on the basis of the probability of realization of future events, the individual often assumes that these events are normally distributed over time and over a very large number of observations. Such a measurement is very questionable without a sufficient knowledge base and a large number of observations.
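As an added example, not part of the original article, the hardware breakdown case mentioned earlier (an objective risk estimated from Mean Time Between Failures) is carried through in code to show how much an estimate built on few observations can be trusted. It assumes that times between failures are exponentially distributed (constant hazard), which is what quoting a single MTBF figure implies; the true MTBF, the one-year period and the sample sizes are constructed for illustration. Simulating many organisations that each recorded only a handful of failures shows the spread of the yearly failure probabilities they would quote.

```python
"""Added example, not part of the original article: how far an 'objective'
failure probability can be trusted when it rests on few observations.
Assumes failure times are exponentially distributed (constant hazard), which
is what a single MTBF figure implies; the true MTBF, the period and the
sample sizes are constructed for illustration."""
import math
import random
import statistics
from typing import List, Tuple


def failure_probability(mtbf_hours: float, period_hours: float) -> float:
    """P(at least one failure within the period) under the exponential model."""
    return 1.0 - math.exp(-period_hours / mtbf_hours)


def estimate_mtbf(times_between_failures: List[float]) -> float:
    """Point estimate: the sample mean of the observed times between failures."""
    return statistics.fmean(times_between_failures)


def simulate_estimates(true_mtbf: float, n_observations: int,
                       trials: int = 2000, seed: int = 1) -> List[float]:
    """Simulate many organisations that each recorded only n_observations
    failures from the same population and return their MTBF estimates."""
    rng = random.Random(seed)
    return [
        estimate_mtbf([rng.expovariate(1.0 / true_mtbf)
                       for _ in range(n_observations)])
        for _ in range(trials)
    ]


def estimate_spread(true_mtbf: float, n_observations: int) -> Tuple[float, float]:
    """(mean, standard deviation) of the simulated MTBF estimates."""
    est = simulate_estimates(true_mtbf, n_observations)
    return statistics.fmean(est), statistics.pstdev(est)


def probability_band(true_mtbf: float, n_observations: int,
                     period_hours: float) -> Tuple[float, float]:
    """5th to 95th percentile band of the failure probability an organisation
    would quote for the period, given only n_observations failures."""
    est = simulate_estimates(true_mtbf, n_observations)
    cuts = statistics.quantiles(est, n=20)    # 19 cut points, 5% apart
    low_mtbf, high_mtbf = cuts[0], cuts[-1]   # 5th and 95th percentile
    # a low MTBF estimate yields a high probability and vice versa
    return (failure_probability(high_mtbf, period_hours),
            failure_probability(low_mtbf, period_hours))


TRUE_MTBF = 50_000.0    # hours, constructed
ONE_YEAR = 8_760.0      # hours

if __name__ == "__main__":
    print(f"true yearly failure probability: "
          f"{failure_probability(TRUE_MTBF, ONE_YEAR):.3f}")
    for n in (5, 50, 500):
        mean, sd = estimate_spread(TRUE_MTBF, n)
        lo, hi = probability_band(TRUE_MTBF, n, ONE_YEAR)
        print(f"{n:4d} observations: MTBF estimate {mean:8.0f} +/- {sd:6.0f} h, "
              f"yearly probability quoted between {lo:.3f} and {hi:.3f}")
```

With five observed failures the quoted yearly probability ranges over roughly a factor of four between the 5th and 95th percentile, while with five hundred it is pinned within a couple of percentage points; a risk figure presented as objective should therefore carry the number of observations it rests on, and the distributional assumption behind it.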

All that cannot be measured objectively must be measured subjectively. Thus all risk that is not objective risk is placed, in this article, in the category of subjective informational risk. Any methodological approach seeking to determine the situation of an organization with regard to the management of subjective informational risk must integrate ways of identifying the expectations of the organization (values and beliefs) through the individuals who compose it and through the documents (artefacts) available. From a methodological point of view, a qualitative approach is the most likely to enable the description of the phenomenon of informational risk in its particular context, taking into account the current state of knowledge. Methodological controls that apply to qualitative research methodologies are thus necessary in order to ensure the congruence of the results of a RAM with the reality of the organization. If the validity of the results cannot be guaranteed, the door is open to criticism of the results and of the possible recommendations following a study.

Measurement scales

One distinguishes discrete measurements (using categories) from continuous measurements. Continuous measurements use numerical values according to defined rules of measurement (quantity, length, temperature). Measurement makes it possible to determine whether a characteristic is present and, if so, to what degree. Measurement scales are usually classified in four categories, presented in the table below in ascending order of precision and of complexity of the mathematical calculations possible.

Scale of measurement, description and example(s):

Nominal scale
Description: Classifies the objects in categories. The numbers serve only as labels and do not represent relative values or quantities. Nonparametric tests and descriptive statistics can be used.
Example(s): Sex (male or female), race, religion.

Ordinal scale
Description: The objects are classified by order of magnitude. The numbers indicate rank and not quantities. The use of descriptive statistics is possible. Statistical use may be allowed if there is an underlying continuum of intervals.
Example(s): Degree of schooling: Secondary 1, Secondary 2, Secondary 3. Level of exposure: low, average or high. Wage category: modest ($0 to $20,000), low ($20,001 to $35,000), etc.

Interval scale
Description: The intervals between the numbers are equal. The numbers can be added or subtracted. The numbers are not absolute because the zero is arbitrary. A great number of statistical operations are allowed.
Example(s): Temperature measured in degrees Celsius.

Proportional scale
Description: The scale has an absolute zero. The numbers represent real quantities and all mathematical operations can be carried out on them.
Example(s): Temperature measured in kelvins, weight in kilograms, size in meters, income in dollars.

Table 3: categories of measurement scales

It is critical to ensure that scientific rigour is present in the measurement scales used in any RAM. Certain methods use qualitative data to which numerical values are assigned, and statistical analysis is then carried out on these values. Furthermore, these assigned values are used in mathematical calculations, which is rather problematic from a rigour point of view. The passage from qualitative data to quantitative data cannot be made without the support of a rigorous framework, which must itself be rigorously validated. If not, the significance of the results and their precision is highly questionable. For example, imagine an election survey with an unknown error margin.

The majority of the methodologies analyzed use ordinal or interval scales. This type of measurement scale is not adapted to complex mathematical operations, but can be the subject of statistical analysis. The problem is that certain methodologies (Audicta, CRAMM and MÉHARI) carry out apparently complex mathematical operations which are not adapted to the measurement scale used. Audicta and CRAMM seem to have methodological controls to manage the situation; however, these are not well documented. In the case of ÉBIOS, the matrix approach avoids this problematic situation. Octave is the only one found to use a proportional scale, allowing an optimal use of the data.
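An added illustration of the scale problem just described (example code written for this page, not from the article or from any of the methodologies it reviews; the levels, encodings, sample risks and matrix cells are all constructed): two numberings that both preserve the order of an ordinal scale rank the same risks differently once likelihood is multiplied by impact, whereas a lookup matrix indexed by rank alone, the general principle behind a matrix approach, gives the same answer whatever numbers are attached to the levels.

```python
"""Added example: arithmetic on ordinal risk ratings is not meaningful.
Two encodings that both preserve low < medium < high are equally valid labels
for an ordinal scale, yet likelihood * impact ranks the same risks differently
depending on which labels were chosen. All values below are constructed."""
from itertools import combinations

ORDINAL_LEVELS = ["low", "medium", "high"]  # order is the only information

# Two order-preserving numerical encodings of the same ordinal levels.
ENCODING_A = {"low": 1, "medium": 2, "high": 3}
ENCODING_B = {"low": 1, "medium": 2, "high": 10}

# Constructed sample risks: (name, likelihood level, impact level).
SAMPLE_RISKS = [
    ("lost laptop", "high", "low"),
    ("misconfigured share", "medium", "medium"),
    ("targeted intrusion", "medium", "high"),
]

# Ordinal-safe alternative: a lookup matrix indexed by rank position only,
# so relabelling the levels with other numbers cannot change the outcome.
RISK_MATRIX = [  # rows: likelihood low..high; columns: impact low..high
    ["minor", "minor", "moderate"],
    ["minor", "moderate", "major"],
    ["moderate", "major", "major"],
]


def multiplicative_scores(risks, encoding):
    """Score likelihood * impact, treating ordinal labels as ratio quantities."""
    return {name: encoding[lik] * encoding[imp] for name, lik, imp in risks}


def rank_reversals(risks, enc_a, enc_b):
    """Pairs of risks whose relative order flips between two order-preserving
    encodings; a non-empty result shows the ranking depends on the arbitrary
    numbers rather than on the observed levels."""
    sa = multiplicative_scores(risks, enc_a)
    sb = multiplicative_scores(risks, enc_b)
    sign = lambda d: (d > 0) - (d < 0)
    return {frozenset((x, y)) for x, y in combinations(sa, 2)
            if sign(sa[x] - sa[y]) != sign(sb[x] - sb[y])}


def matrix_classes(risks):
    """Classify each risk by rank lookup, which uses only the order of the levels."""
    idx = ORDINAL_LEVELS.index
    return {name: RISK_MATRIX[idx(lik)][idx(imp)] for name, lik, imp in risks}
```

With these inputs the multiplicative score puts the misconfigured share above the lost laptop under one encoding and below it under the other, while the matrix classification does not move.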


It is essential to question sampling in RAM. If an investigator meets a limited number or sample of subjects in an organization to obtain information allowing him to assign values to variables, it is essential that these subjects provide answers that give a real and complete portrait of the situation: the sample must be representative of the whole organisation or population it represents. All methodologies in this article use a nonprobabilistic sample determined by reasoned choice. This means that, in each case, the individuals who take part in the study, the sample, are chosen by the investigators who perform the Risk Analysis. Many selection biases are thus introduced, dependent on human relations, availability, organisational and individual priorities and many other factors. Thus all methodologies seem to use a sample whose representativeness cannot be determined. It is thus doubtful that the whole of the situation, as it exists in reality, could be expressed in the results of the RAM. In the same way there are no controls, such as data saturation, to ensure that everything about the situation under analysis has been said by the individuals included in the sample. Here as well, additional study is required to determine the correct sample size for each RAM and how it compares to what is actually done.


The detailed table, available on the web ( ), applies methodological controls used in the field of clinical research and taught to graduate students of the Faculty of Medicine of the University of Sherbrooke, as mentioned at the beginning of the article. The table gives an outline of the various methodologies available in Quebec in 2006. As explained in the article, none of the methodologies studied meets all of the evaluation criteria.

Although it is difficult to show the superiority of one method over another, it is apparent that certain methods are methodologically more rigorous than others. CRAMM, ÉBIOS and Octave seem more rigorous than the others. Méhari is in a second category of good methods, but one that requires a solid framing (training, qualified consultants, external audit) to limit biases. Other methods are either unavailable, immature or unverifiable. However, any method used by a trained and qualified expert is likely to give results that have a certain value for an organization. A thorough investigation would be necessary to draw truly solid conclusions, which is not very probable considering the little attention rigour seems to be getting from Information Security Specialists.



©December 2006, Marc-Andre Leger