This table is explained here

| Criterion | Source | Audicta | Callio Secura | CRAMM | ÉBIOS | ISO 13335-2 | IRAM | IVRI | MÉHARI | OCTAVE | RiskIT | RiskPro |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Is this the first version? | Léger (2006) | No | No | No | No | No | Yes | No | No | No | Yes | No |
| Version | Léger (2006) | | | 5.1 | 2 | | Not yet available | 2.1 | | | | The tool was re-examined in 2004 |
| Source or distributor | Léger (2006) | Audicta - Medical technologies | Callio | Insight (Siemens) | DCSSI and Club EBIOS | ISO | GAC-BNF | MA Leger | Clusif | CERT | R&D-Ware OY | HEC - CIRANO |
| Website | Léger (2006) | www.audicta.net | www.callio.com | www.insight.co.uk | www.ssi.gouv.fr | www.iso.ch | | www.leger.ca | www.clusif.asso.fr | www.cert.org | www.rdware.com | http://gresi.hec.ca |
| Are data available on the number of users or licences sold? | Léger (2006) | No | No | No | Yes | No | No | No | No | No | No | No |
| If so, how many? | Léger (2006) | Unknown | Unknown | Unknown | +2500 | Unknown | Unknown | Unknown | Unknown | Unknown | Unknown | Unknown |
| What type of methodology? | Léger (2006) | Risk management | Risk management | Risk management | Risk management | Risk management | Risk analysis | Risk analysis | Risk management | Risk analysis | Risk analysis | Other: risk evaluation and measurement |
| Is the methodology documented? | Léger (2006) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No |
| Is documentation available in French? | Léger (2006) | Yes | Yes | No | Yes | No | No | Yes | Yes | No | Yes | Yes |
| Is it accompanied by tools? | Léger (2006) | Yes | Yes | Yes | Yes | No | Yes | Yes | Yes | Yes | No | Yes |
| Which? | Léger (2006) | Audicta | Secura 7799 | CRAMM Expert | EBIOS free software | Not applicable | IRAM | Excel file | Risicare | CERT | Not applicable | Outsourcing risk evaluation questionnaire; software package implementation risk evaluation questionnaire |
| Are the tools available in French? | Léger (2006) | Yes | Yes | No | Yes | Not applicable | No | Yes | Yes | No | Not applicable | Yes |
| What is the cost? | Léger (2006) | $20,000 | $7,000-12,000 | $5,000 | Free | $200 | Available to ISF members ($50,000) | Free (open licence) | $3,000-10,000 | $5,000 | Not applicable | Free |
| Are the tools multi-user? | Léger (2006) | Yes | Yes | Yes | Yes | Not applicable | No | No | No | No | Not applicable | Yes |
| If so, do they integrate workflow? | Léger (2006) | Yes | Yes | Yes | No | Not applicable | No | No | No | Yes | Not applicable | No |
| Do they integrate access controls? | Léger (2006) | Yes | Yes | Yes | Yes | Not applicable | No | No | No | Yes | Not applicable | Yes |
| Are they user-friendly? | Léger (2006) | No | No | Yes | | Not applicable | Yes | Yes | No | No | Not applicable | Yes |
| Is training offered? | Léger (2006) | Yes | Yes | Yes | Yes | Not applicable | No | Yes | Yes | Yes | Not applicable | Yes |
| Where? | Léger (2006) | Audicta | Callio | Insight (U.K.) | Public sector: DCSSI; private sector: ENST, FIDENS, Comprendre & Réussir, ... | Not applicable | Not applicable | U of Sherbrooke | CRIM | Washington, DC and Pittsburgh | Not applicable | HEC Montreal |
| At what cost? | Léger (2006) | Variable | Variable | Variable | Public sector: free; private sector: see websites | Not applicable | Not applicable | Variable | Variable | $5,000 | Not applicable | Not applicable |
| Is support available? | Léger (2006) | Yes | Yes | Yes | Yes | Not applicable | Yes (limited) | Yes | Yes | Yes | Not applicable | No |
| Where or how? | Léger (2006) | Audicta | Being reorganized | Insight | Club EBIOS | Not applicable | ISF | Fortier Communications and Technology Partners | Deloitte, CLUSIF, MSG-Quebec | CERT | Not applicable | Not applicable |
| At what cost? | Léger (2006) | Variable | Variable | Variable | Variable | Not applicable | Membership | Not applicable | Variable | Variable | Not applicable | Not applicable |
| Are consultants available who know this methodology? | Léger (2006) | Yes | Yes | Yes | Yes | Yes | No | Yes | Yes | Yes | No | No |
| Where or how? | Léger (2006) | Audicta | Bell | The U.K. | France, Belgium, Luxembourg, Switzerland | Multiple | Not applicable | Fortier Communications | Deloitte, CGI, IBM-LGS | CGI, IBM-LGS | Unknown | Not applicable |
| At what cost? | Léger (2006) | $100-200/hr | $100-200/hr | $200/hr + travel | Variable | Variable | Not applicable | $70-120/hr | $100-400/hr | $100-200/hr | Unknown | Not applicable |
|
User interface

| Criterion | Source | Audicta | Callio Secura | CRAMM | ÉBIOS | ISO 13335-2 | IRAM | IVRI | MÉHARI | OCTAVE | RiskIT | RiskPro |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Is the user interface user-friendly? | Léger (2006) | Yes | Yes | No | Yes | Not applicable | Yes | Yes | No | No | No | Yes |
| Is a web or HTML user interface offered? | Léger (2006) | No | No | No | No | Not applicable | No | No | No | No | No | Yes |
| Where? | Léger (2006) | Not applicable | Not applicable | Not applicable | Not applicable | Not applicable | Not applicable | Not applicable | Not applicable | Not applicable | Not applicable | For data entry in the questionnaires on outsourcing risk (http://gresi.hec.ca/bourdeau/) and on software package implementation risk (http://gresi.hec.ca/risque) |
|
Conceptual model

| Criterion | Source | Audicta | Callio Secura | CRAMM | ÉBIOS | ISO 13335-2 | IRAM | IVRI | MÉHARI | OCTAVE | RiskIT | RiskPro |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Is the methodology supported by a formal model? | Fortin (2006) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| If so, which? | Fortin (2006) | Proprietary | Proprietary | BS 7799-2 | Functional analysis, ISO 15408, ISO Guide 73, ... | Standardized by consensus | Standard Meta S5 | IVRI | CLUSIF | CERT | RiskIT | The model is explained in detail in various articles |
| What is the methodological approach? | Fortin (2006) | Qualitative | Qualitative | Qualitative | Qualitative | Qualitative | Not available | Qualitative | Qualitative and quantitative | Qualitative | Qualitative | Qualitative |
| If qualitative: is the qualitative method appropriate for studying the phenomenon in question? | Fortin (2006) | Yes | Yes | Yes | Yes | Yes | Not available | Yes | Yes | Yes | Yes | Yes |
| If qualitative: is the study centred on the subjective aspect of human experience? | Fortin (2006) | No | No | No | Yes | No | Not available | Yes | No | No | No | No |
| If qualitative: can the qualitative method used in the study be identified? | Fortin (2006) | No | No | No | No | No | Not available | Yes | No | No | No | Yes |
| How? | Fortin (2006) | Not applicable | Not applicable | Not applicable | Not applicable | Not applicable | Not available | Documented as action research | Not applicable | Not applicable | Not applicable | Not applicable |
| Is this model the result of research work? | Fortin (2006) | Yes | Yes | Yes | Yes | No | Not available | Yes | Yes | Yes | Yes | Yes |
| Which? | Fortin (2006) | Not available | Not available | BSI | DCSSI, interdepartmental working groups, public procurement, then Club EBIOS | Not available | Not available | Not available | Not available | Not available | Not available | Work carried out by Aubert B. A., Barki H., Bernard J-G, Bourdeau S., Rivard S., Talbot J (CIRANO) |
| Is it based on an application of game theory or decision trees? | Léger (2006) | No | No | No | No | No | Not available | No | No | Yes | No | No |
| If so, which? | Léger (2006) | Not applicable | Not applicable | Not applicable | Not applicable | Not applicable | Not available | Not applicable | Not applicable | Decision trees | Not applicable | Not applicable |
| Is this documented? | Léger (2006) | Yes | Yes | No | Yes | No | Not available | Yes | Yes | Yes | Yes | Not applicable |
| Is it based on simulations? | Léger (2006) | No | No | No | No | No | Not available | No | No | Yes | No | No |
| If so, how? | Léger (2006) | Not applicable | Not applicable | Not applicable | Not applicable | Not applicable | Not available | Not applicable | Not applicable | Not available | Not applicable | Not applicable |
|
Risk analysis

| Criterion | Source | Audicta | Callio Secura | CRAMM | ÉBIOS | ISO 13335-2 | IRAM | IVRI | MÉHARI | OCTAVE | RiskIT | RiskPro |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Are audits carried out? | ISO 13335-2 (2005) | Yes | Yes | Yes | Yes | No | Not available | Yes | Yes | Yes | Yes | No |
| The risk analysis process identifies, quantifies and prioritizes risks using risk acceptance criteria and objectives relevant to the organization. | ISO 17799 (2005) Ch. 4 | Yes | Yes | Yes | Yes | Yes | Not available | Yes | Yes | Yes | Yes | Yes |
| The risk analysis and control selection process is repeated so as to cover either all information systems or individual systems. | ISO 17799 (2005) Ch. 4 | Yes | Yes | Yes | Yes | Yes | Not available | Yes | Yes | Yes | Yes | The analysis process covers all dimensions of the project |
| The risk analysis process includes a systematic method for estimating the magnitude of information risks and a process for comparing risks against tolerance levels and standards established by the organization (baseline). | ISO 17799 (2005) Ch. 4 | Yes | Yes | Yes | Yes | No | Not available | No | Yes | Yes | Yes | Only a process for comparing risk against tolerance levels set by the organization's managers |
| The risk analysis process is repeated periodically or after significant changes. | ISO 17799 (2005) Ch. 4 | Yes | Yes | Yes | Yes | Yes | Not available | Yes | Yes | Yes | Yes | Should be repeated several times during the project |
| The risk analysis process is systematic and methodical so as to produce comparable and reproducible results. | ISO 17799 (2005) Ch. 4 | Yes | Yes | Yes | Yes | Yes | Not available | Yes | Yes | Yes | Yes | Yes |
| Is the analysis of technological vulnerabilities taken into account? | ISO 13335-2 (2005) | No | No | No | Yes | No | Not available | Yes | No | No | No | Yes |
| Information risk analysis takes place in a well-defined context (scope). | ISO 17799 (2005) Ch. 4 | Yes | Yes | Yes | Yes | Yes | Not available | Yes | Yes | Yes | Yes | No information risk analysis |
| Links with risk analyses in other industry branches or business units of the organization are defined. | ISO 17799 (2005) Ch. 4 | Yes | No | No | Yes | No | Not available | No | Yes | Yes | Yes | No |
|
Risk management

| Criterion | Source | Audicta | Callio Secura | CRAMM | ÉBIOS | ISO 13335-2 | IRAM | IVRI | MÉHARI | OCTAVE | RiskIT | RiskPro |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Does the methodology offer formal threat identification processes? | Léger (2003) | No | No | No | No | No | Not available | No | No? (development of an audit schema and identification of the risk scenario) | No | No | Yes |
| If so, are they automated? | Léger (2006) | No | No | No | No | No | Not available | No | No? | No | No | No |
| How important is subjectivity in threat identification? | | High | High | High | High | High | Not available | High | High | High | High | Not applicable |
| Does the methodology offer formal vulnerability identification processes? | Léger (2003) | No | No | No | Yes | No | Not available | Yes | No | No | No | Yes |
| If so, are they automated? | Léger (2006) | Not applicable | Not applicable | Not applicable | No | Not applicable | Not available | No | Not applicable | Not applicable | Not applicable | Yes, for software package implementation and outsourcing projects |
| How important is subjectivity in vulnerability identification? | Léger (2006) | Medium | Medium | Medium | High | High | Not available | Subjective analysis | Medium | Medium | Medium | Medium |
| What is the risk calculation approach? | Léger (2006) | Automatic | Automatic | Automatic | Automatic | Not indicated | Not available | Automatic | Automatic, or based on adjustable metrics | Automatic | Automatic | Automatic |
| How are probabilities of occurrence evaluated? | Léger (2006) | From a knowledge base | From a knowledge base | From a knowledge base | Business-line responsibility | List | Not available | Subjective | From a knowledge base (metrics) | Subjective | Subjective | Not indicated |
| How is the impact evaluated? | Léger (2006) | From a knowledge base | From a knowledge base | From a knowledge base | Business-line responsibility | Subjective | Not available | Subjective | From a knowledge base (metrics) | Subjective | Subjective | Other: the impact is evaluated by the managers |
| How is risk tolerance measured? | Léger (2006) | From a knowledge base | From a knowledge base | From a knowledge base | Business-line decision | Subjective | Not available | Subjective | From a knowledge base (metrics and effectiveness level of the security services in place) | Subjective | Subjective | From the magnitude the managers assign to the impact of each undesirable event |
| Is a baseline (tolerance level) used? | Léger (2006) | Yes | Yes | Yes | No | Yes | Not available | Yes | Yes | Yes | Yes | No |
| How? | Léger (2006) | From a knowledge base | From a knowledge base | From a knowledge base | Not applicable | Subjective | Not available | Subjective | From a knowledge base (metrics) | Subjective | Subjective | Not applicable |
| Does the methodology offer formal risk prioritization processes? | Léger (2006) | Yes | Yes | Yes | Yes | No | Not available | No | Yes (of the risk) / No | Yes | Yes | Yes |
| If so, is it automated? | Léger (2006) | Yes | Yes | Yes | Yes | No | Not available | Not applicable | Yes | Yes | Yes | Yes |
| How important is subjectivity in prioritization? | Léger (2006) | Medium | Medium | Medium | Low | High | Not available | High | Medium | Medium | Medium | Depends on the organization's situation, through the managers' evaluation |
| Does the methodology offer continuous improvement processes? | Léger (2006) | Yes | Yes | Yes | Yes | Yes | Not available | Yes | Yes | Yes | Yes | No |
| If so, is it cyclic and iterative? | Léger (2006) | Yes | Yes | Yes | Yes | Yes | Not available | Yes | Yes | Yes | Yes | Not applicable |
| How? | Léger (2006) | Cyclic repetition | Cyclic repetition | Cyclic repetition | Adjustments according to context changes | Cyclic repetition | Not available | Cyclic repetition | Adjustment and automatic calculation of the risk coverage provided by the security measures | Cyclic repetition | Cyclic repetition | Not applicable |
|
Risk treatment

| Criterion | Source | Audicta | Callio Secura | CRAMM | ÉBIOS | ISO 13335-2 | IRAM | IVRI | MÉHARI | OCTAVE | RiskIT | RiskPro |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Risk treatment uses organizational criteria to determine the tolerance level and the acceptance of risk. | ISO 17799 (2005) Ch. 4 | Yes | Yes | Yes | Yes | No | Not available | No | Yes | Yes | Yes | Yes |
| Is the cost of mitigation measures given? | Léger (2006) | Yes | Yes | Yes | Yes | No | Not available | No | Yes | No | No | No |
| Are the potential losses given? | ISO 17799 (2005) Ch. 4 | Yes | Yes | Yes | Yes | No | Not available | No | Yes | No | No | No |
| Is a cost-benefit analysis carried out? | ISO 17799 (2005) Ch. 4 | Yes | Yes | Yes | No (informally) | No | Not available | No | Yes, though not really part of the method | No | No | No |
| Is the decision recorded? | ISO 17799 (2005) Ch. 4 | Yes | Yes | Yes | Yes | No | Not available | No | Yes | No | No | No |
| | ISO 17799 (2005) Ch. 4 | Legal obligations; regulatory obligations; obligations arising from treaties; organizational objectives; needs of the organization; organizational constraints; cost of implementation; cost of operation; risk reduction; balance between costs and benefits | Legal obligations; regulatory obligations; obligations arising from treaties; organizational objectives; needs of the organization; organizational constraints; cost of implementation; cost of operation; risk reduction; balance between costs and benefits | Legal obligations; regulatory obligations; obligations arising from treaties; organizational objectives; needs of the organization; organizational constraints; cost of implementation; cost of operation; risk reduction; balance between costs and benefits; potential of the threat agent at the origin of the threat | Legal obligations; regulatory obligations; obligations arising from treaties; organizational objectives; needs of the organization; organizational constraints; cost of implementation; cost of operation; risk reduction; balance between costs and benefits | Legal obligations; regulatory obligations; obligations arising from treaties; organizational objectives; needs of the organization; organizational constraints; cost of implementation; cost of operation; risk reduction; balance between costs and benefits | Not available | Legal obligations; regulatory obligations; obligations arising from treaties; organizational objectives; needs of the organization; organizational constraints; risk reduction | Legal obligations; regulatory obligations; obligations arising from treaties; organizational objectives; needs of the organization; organizational constraints; cost of implementation; cost of operation; risk reduction; balance between costs and benefits (everything concerning cost is not really part of the method) | Legal obligations; regulatory obligations; obligations arising from treaties; organizational objectives; needs of the organization; organizational constraints; cost of implementation; cost of operation; risk reduction; balance between costs and benefits | Legal obligations; regulatory obligations; obligations arising from treaties; organizational objectives; needs of the organization; organizational constraints; cost of implementation; cost of operation; risk reduction; balance between costs and benefits | Legal obligations; regulatory obligations; obligations arising from treaties; organizational objectives; needs of the organization; organizational constraints; cost of implementation; cost of operation; risk reduction; balance between costs and benefits |
| Can controls be added? | ISO 17799 (2005) Ch. 4 | Yes | Yes | Yes | Yes | Yes | Not available | Yes | Yes | Yes | Yes | No |
| Can different reference frameworks be used? | | Yes | Yes | Yes | Yes | Yes | Not available | Yes | Yes | Yes | Yes | No |
| Is risk treatment within projects supported? | ISO 17799 (2005) Ch. 4 | Yes | Yes | Yes | Yes | No | Not available | Yes | Yes, though not an obvious answer | Yes | Yes | Yes |
|
Scales of measurement

| Criterion | Source | Audicta | Callio Secura | CRAMM | ÉBIOS | ISO 13335-2 | IRAM | IVRI | MÉHARI | OCTAVE | RiskIT | RiskPro |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Which measurement scale is used? | Fortin (2006) | Interval scale | Interval scale | Interval scale | Interval scale | No measurement scale | Not available | Interval scale | Interval scale | Ratio scale | | Ordinal scale |
| Is the measurement scale used suited to measuring the research variables? | Fortin (2006) | Yes | Yes | | Yes | | Not available | Yes | Yes | Yes | | Yes |
| Were the measuring instruments used before, or built for the needs of the study? | Fortin (2006) | Used before | Used before | Used before | Used before; built for the needs of the study | Built for the needs of the study | Not available | Used before | Used before | Used before | Built for the needs of the study | Used before |

Interval scale: the intervals between the numbers are equal; numbers can be added or subtracted; the numbers are not absolute, because the zero is arbitrary. Ratio scale: the scale has an absolute zero; the numbers represent real quantities and all mathematical operations can be carried out on them. Ordinal scale: objects are ordered by magnitude; the numbers indicate ranks, not quantities.
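The measurement-scale row above and the "Is a baseline (tolerance level) used?" row in the risk management section both turn on what arithmetic a scale permits: a likelihood x impact product is only meaningful when the levels are genuine quantities, and a tolerance level can only be compared against a figure in the same unit. The Python below is an added illustration written for this page, not code from any of the compared methodologies or from Léger or Fortin; the scenarios, the level labellings and the loss figures are all constructed.

```python
"""Added example (not from any compared methodology): arithmetic on ordinal
versus ratio scales in risk scoring.

An ordinal scale fixes only the order of its levels, so any strictly increasing
relabelling (1<2<3<4<5 -> 1<2<3<10<30) carries exactly the same information.
If a likelihood*impact score changes the priority order under such a
relabelling, the order was an artefact of the labels, not a property of the
risk. A ratio-scale figure such as annualised loss expectancy has an absolute
zero and can be compared directly with a tolerance level in the same unit.
All data below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Scenario:
    name: str
    likelihood: int  # ordinal level 1..5: a rank, not a quantity
    impact: int      # ordinal level 1..5: a rank, not a quantity


# Constructed scenarios (hypothetical).
SCENARIOS: List[Scenario] = [
    Scenario("frequent-minor", likelihood=5, impact=1),
    Scenario("moderate-moderate", likelihood=3, impact=3),
    Scenario("occasional-severe", likelihood=2, impact=4),
]

# Two equally valid labellings of the same five ordered levels.
IDENTITY: Dict[int, int] = {1: 1, 2: 2, 3: 3, 4: 4, 5: 5}
STRETCHED: Dict[int, int] = {1: 1, 2: 2, 3: 3, 4: 10, 5: 30}


def is_order_preserving(labels: Dict[int, int]) -> bool:
    """True if the relabelling is strictly increasing over the levels, i.e.
    it preserves everything an ordinal scale actually encodes."""
    values = [labels[level] for level in sorted(labels)]
    return all(a < b for a, b in zip(values, values[1:]))


def product_ranking(scenarios: List[Scenario], labels: Dict[int, int]) -> List[str]:
    """Rank scenarios by likelihood*impact after relabelling the ordinal
    levels; highest product first."""
    if not is_order_preserving(labels):
        raise ValueError("labels must be strictly increasing")
    ordered = sorted(
        scenarios,
        key=lambda s: labels[s.likelihood] * labels[s.impact],
        reverse=True,
    )
    return [s.name for s in ordered]


def ranking_is_scale_invariant(scenarios: List[Scenario], *labellings: Dict[int, int]) -> bool:
    """True only if every labelling yields the same priority order."""
    rankings = {tuple(product_ranking(scenarios, lab)) for lab in labellings}
    return len(rankings) == 1


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """Ratio-scale computation: single loss expectancy (currency) times
    annualised rate of occurrence (events per year). Both have an absolute
    zero, so the product is a genuine expected loss per year."""
    if sle < 0 or aro < 0:
        raise ValueError("ratio-scale quantities cannot be negative")
    return sle * aro


def exceeds_baseline(ale: float, tolerance: float) -> bool:
    """Compare a ratio-scale risk figure with an organisational tolerance
    level expressed in the same unit (currency per year)."""
    return ale > tolerance


if __name__ == "__main__":
    # Same scenarios, same ordinal information, opposite priority order.
    print(product_ranking(SCENARIOS, IDENTITY))   # ['moderate-moderate', 'occasional-severe', 'frequent-minor']
    print(product_ranking(SCENARIOS, STRETCHED))  # ['frequent-minor', 'occasional-severe', 'moderate-moderate']
    print(ranking_is_scale_invariant(SCENARIOS, IDENTITY, STRETCHED))  # False
    ale = annual_loss_expectancy(sle=250_000.0, aro=0.25)
    print(ale, exceeds_baseline(ale, tolerance=50_000.0))  # 62500.0 True
```

The point for a practitioner reviewing a tool that calculates risk "automatically" from ordinal levels: ask whether its ranking survives a change of labels; if it does not, the automatic score is only as objective as the labelling the vendor chose.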
|
Sampling

| Criterion | Source | Audicta | Callio Secura | CRAMM | ÉBIOS | ISO 13335-2 | IRAM | IVRI | MÉHARI | OCTAVE | RiskIT | RiskPro |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| What is the type of sampling? | Fortin (2006) | Non-probability | Non-probability | Non-probability | Non-probability | Non-probability | Not available | Non-probability | Non-probability | Non-probability | Non-probability | Non-probability |
| How are the subjects selected? | Fortin (2006) | Purposive selection | Purposive selection | Purposive selection | Purposive selection | Purposive selection | Not available | Described in the method | Purposive selection | Purposive selection | Purposive selection | Subjects are selected according to their function in the organization and their ability to evaluate matters appropriately for the organization |
|
Data saturation

| Criterion | Source | Audicta | Callio Secura | CRAMM | ÉBIOS | ISO 13335-2 | IRAM | IVRI | MÉHARI | OCTAVE | RiskIT | RiskPro |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Are processes in place to ensure data saturation? | Fortin (2006) | No | No | No | No | No | Not available | No | No | No | No | Yes |
| Which? | Fortin (2006) | Not applicable | Not applicable | Not applicable | Not applicable | Not applicable | Not available | Not applicable | Not applicable | Not applicable | Not applicable | All the people concerned are included in the study |
|
Interviews

| Criterion | Source | Audicta | Callio Secura | CRAMM | ÉBIOS | ISO 13335-2 | IRAM | IVRI | MÉHARI | OCTAVE | RiskIT | RiskPro |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Is the method of data collection and recording clearly specified? | Fortin (2006) | Yes | Yes | Yes | Yes | No | Not available | Yes | Yes | Yes | Yes | Yes |
| Does the method clearly describe how participants are selected? | Fortin (2006) | Yes | Yes | Yes | Yes | No | Not available | Yes | Yes | Yes | Yes | Yes |
|
Reliability of the measuring instrument

| Criterion | Source | Audicta | Callio Secura | CRAMM | ÉBIOS | ISO 13335-2 | IRAM | IVRI | MÉHARI | OCTAVE | RiskIT | RiskPro |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Is information available on the reliability of the measuring instruments? | Fortin (2006) | No | No | No | No | No | Not available | Yes | No | No | No | Yes |
| If so, which type of reliability was analyzed, and how does the author interpret the results of the reliability analysis? | Fortin (2006) | Not applicable | Not applicable | Not applicable | Not applicable | Not applicable | Not available | Stability (test-retest); internal consistency; inter-rater reliability | Not applicable | Not applicable | Not applicable | Not available |
|
Validity of the measuring instrument

| Criterion | Source | Audicta | Callio Secura | CRAMM | ÉBIOS | ISO 13335-2 | IRAM | IVRI | MÉHARI | OCTAVE | RiskIT | RiskPro |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Is information available on the validity of the measuring instruments? | Fortin (2006) | No | No | No | No | No | Not available | Yes | No | No | No | Yes |
| If so, which type of validity was analyzed? | Fortin (2006) | Not applicable | Not applicable | Not applicable | Not applicable | Not applicable | Not available | Content validity; criterion-related validity | | | | |

<<<<<<<< snip >>>>>>>>