This table is explained here

Columns: Criterion; Source of the criterion; then one column per methodology, in this order: Audicta, Callio Secura, CRAMM, ÉBIOS, ISO 13335-2, IRAM, IVRI, MÉHARI, OCTAVE, RiskIT, RiskPro. Below, each criterion is followed by its source in brackets and then by the value recorded for each methodology.

Is this the first version? [Léger (2006)]
Audicta: No | Callio Secura: No | CRAMM: No | ÉBIOS: No | ISO 13335-2: No | IRAM: Yes | IVRI: No | MÉHARI: No | OCTAVE: No | RiskIT: Yes | RiskPro: No

Version: [Léger (2006)]
Audicta: (no value) | Callio Secura: (no value) | CRAMM: 5.1 | ÉBIOS: 2 | ISO 13335-2: (no value) | IRAM: Not yet available | IVRI: 2.1 | MÉHARI: (no value) | OCTAVE: (no value) | RiskIT: (no value) | RiskPro: The tool was re-examined in 2004.

Source or distributor: [Léger (2006)]
Audicta: Audicta - Medical technologies | Callio Secura: Callio | CRAMM: Insight (Siemens) | ÉBIOS: DCSSI and Club EBIOS | ISO 13335-2: ISO | IRAM: GAC-BNF | IVRI: MA Leger | MÉHARI: Clusif | OCTAVE: CERT | RiskIT: R&D-Ware OY | RiskPro: HEC - CIRANO

Contact (website): [Léger (2006)]
Audicta: www.audicta.net | Callio Secura: www.callio.com | CRAMM: www.insight.co.uk | ÉBIOS: www.ssi.gouv.fr | ISO 13335-2: www.iso.ch | IRAM: www.Securityforum.org | IVRI: www.leger.ca | MÉHARI: www.clusif.asso.fr | OCTAVE: www.cert.org | RiskIT: www.rdware.com | RiskPro: http://gresi.hec.ca

Are data available on the number of users or licences sold? [Léger (2006)]
ÉBIOS: Yes; all others: No

If so, how many? [Léger (2006)]
ÉBIOS: more than 2500; all others: Do not know

Which type of methodology? [Léger (2006)]
Audicta: Risk management | Callio Secura: Risk management | CRAMM: Risk management | ÉBIOS: Risk management | ISO 13335-2: Risk management | IRAM: Risk analysis | IVRI: Risk analysis | MÉHARI: Risk management | OCTAVE: Risk analysis | RiskIT: Risk analysis | RiskPro: Other: evaluation and measurement of risks

Is the methodology documented? [Léger (2006)]
RiskPro: No; all others: Yes

Is documentation available in French? [Léger (2006)]
Audicta: Yes | Callio Secura: Yes | CRAMM: No | ÉBIOS: Yes | ISO 13335-2: No | IRAM: No | IVRI: Yes | MÉHARI: Yes | OCTAVE: No | RiskIT: Yes | RiskPro: Yes

Is it accompanied by tools? [Léger (2006)]
Audicta: Yes | Callio Secura: Yes | CRAMM: Yes | ÉBIOS: Yes | ISO 13335-2: No | IRAM: Yes | IVRI: Yes | MÉHARI: Yes | OCTAVE: Yes | RiskIT: No | RiskPro: Yes

Which tools? [Léger (2006)]
Audicta: Audicta | Callio Secura: Secura 7799 | CRAMM: Expert Cramm | ÉBIOS: Free software EBIOS | ISO 13335-2: Not applicable | IRAM: IRAM | IVRI: Excel file | MÉHARI: Risicare | OCTAVE: CERT | RiskIT: Not applicable | RiskPro: outsourcing risk assessment questionnaire; software package implementation risk assessment questionnaire

Are the tools available in French? [Léger (2006)]
Audicta: Yes | Callio Secura: Yes | CRAMM: No | ÉBIOS: Yes | ISO 13335-2: Not applicable | IRAM: No | IVRI: Yes | MÉHARI: Yes | OCTAVE: No | RiskIT: Not applicable | RiskPro: Yes

What is the cost? [Léger (2006)]
Audicta: 20000$ | Callio Secura: 7000-12000$ | CRAMM: 5000$ | ÉBIOS: Free | ISO 13335-2: 200$ | IRAM: Available to ISF members (50000$) | IVRI: Free - open licence | MÉHARI: 3000-10000$ | OCTAVE: 5000$ | RiskIT: Not applicable | RiskPro: Free

Are the tools multi-user? [Léger (2006)]
Audicta: Yes | Callio Secura: Yes | CRAMM: Yes | ÉBIOS: Yes | ISO 13335-2: Not applicable | IRAM: No | IVRI: No | MÉHARI: No | OCTAVE: No | RiskIT: Not applicable | RiskPro: Yes

If so, do they integrate workflow? [Léger (2006)]
Audicta: Yes | Callio Secura: Yes | CRAMM: Yes | ÉBIOS: No | ISO 13335-2: Not applicable | IRAM: No | IVRI: No | MÉHARI: No | OCTAVE: Yes | RiskIT: Not applicable | RiskPro: No

Do they integrate access controls? [Léger (2006)]
Audicta: Yes | Callio Secura: Yes | CRAMM: Yes | ÉBIOS: Yes | ISO 13335-2: Not applicable | IRAM: No | IVRI: No | MÉHARI: No | OCTAVE: Yes | RiskIT: Not applicable | RiskPro: Yes

Is it user-friendly? [Léger (2006)]
Audicta: No | Callio Secura: No | CRAMM: Yes | ÉBIOS: (no value) | ISO 13335-2: Not applicable | IRAM: Yes | IVRI: Yes | MÉHARI: No | OCTAVE: No | RiskIT: Not applicable | RiskPro: Yes

Is training offered? [Léger (2006)]
Audicta: Yes | Callio Secura: Yes | CRAMM: Yes | ÉBIOS: Yes | ISO 13335-2: Not applicable | IRAM: No | IVRI: Yes | MÉHARI: Yes | OCTAVE: Yes | RiskIT: Not applicable | RiskPro: Yes

Where? [Léger (2006)]
Audicta: Audicta | Callio Secura: Callio | CRAMM: Insight (U.K.) | ÉBIOS: Public sector: DCSSI; Private sector: ENST, FIDENS, Comprendre & Réussir... | ISO 13335-2: Not applicable | IRAM: Not applicable | IVRI: U of Sherbrooke | MÉHARI: CRIM | OCTAVE: Washington, D.C. and Pittsburgh | RiskIT: Not applicable | RiskPro: HEC Montreal

At what cost? [Léger (2006)]
Audicta: variable | Callio Secura: variable | CRAMM: variable | ÉBIOS: Public sector: free; Private sector: see the websites | ISO 13335-2: Not applicable | IRAM: Not applicable | IVRI: variable | MÉHARI: variable | OCTAVE: 5000$ | RiskIT: Not applicable | RiskPro: Not applicable

Is support available? [Léger (2006)]
Audicta: Yes | Callio Secura: Yes | CRAMM: Yes | ÉBIOS: Yes | ISO 13335-2: Not applicable | IRAM: Yes (limited) | IVRI: Yes | MÉHARI: Yes | OCTAVE: Yes | RiskIT: Not applicable | RiskPro: No

Where or how? [Léger (2006)]
Audicta: Audicta | Callio Secura: In reorganization | CRAMM: Insight | ÉBIOS: Club EBIOS | ISO 13335-2: Not applicable | IRAM: ISF | IVRI: Fortier Communications and Technology Partners | MÉHARI: Deloitte, CLUSIF, MSG-Quebec | OCTAVE: CERT | RiskIT: Not applicable | RiskPro: Not applicable

At what cost? [Léger (2006)]
Audicta: variable | Callio Secura: variable | CRAMM: variable | ÉBIOS: variable | ISO 13335-2: Not applicable | IRAM: Membership | IVRI: Not applicable | MÉHARI: variable | OCTAVE: variable | RiskIT: Not applicable | RiskPro: Not applicable

Are consultants available who know this methodology? [Léger (2006)]
IRAM: No; RiskIT: No; RiskPro: No; all others: Yes

Where or how? [Léger (2006)]
Audicta: Audicta | Callio Secura: Bell | CRAMM: The U.K. | ÉBIOS: France, Belgium, Luxembourg, Switzerland | ISO 13335-2: Multiple | IRAM: Not applicable | IVRI: Fortier Communications | MÉHARI: Deloitte, CGI, IBM-LGS | OCTAVE: CGI, IBM-LGS | RiskIT: Do not know | RiskPro: Not applicable

At what cost? [Léger (2006)]
Audicta: 100$-200$/hr | Callio Secura: 100$-200$/hr | CRAMM: 200$/hr + travel | ÉBIOS: Variable | ISO 13335-2: Variable | IRAM: Not applicable | IVRI: 70$-120$/hr | MÉHARI: 100$-400$/hr | OCTAVE: 100-200$/hr | RiskIT: Do not know | RiskPro: Not applicable


 

Section: User interface

Is the user interface user-friendly? [Léger (2006)]
Audicta: Yes | Callio Secura: Yes | CRAMM: No | ÉBIOS: Yes | ISO 13335-2: Not applicable | IRAM: Yes | IVRI: Yes | MÉHARI: No | OCTAVE: No | RiskIT: No | RiskPro: Yes

Is a web or HTML user interface offered? [Léger (2006)]
RiskPro: Yes; ISO 13335-2: Not applicable; all others: No

Where? [Léger (2006)]
RiskPro: for entering information in the questionnaires on outsourcing risk (http://gresi.hec.ca/bourdeau/) and on software package implementation risk (http://gresi.hec.ca/risque); all others: Not applicable


 

Section: Conceptual model

Is the methodology supported by a formal model? [Fortin (2006)]
All eleven methodologies: Yes

If so, which? [Fortin (2006)]
Audicta: Proprietary | Callio Secura: Proprietary | CRAMM: BS7799-2 | ÉBIOS: Functional analysis, ISO 15408, ISO Guide 73... | ISO 13335-2: Standardized by consensus | IRAM: Standard Meta S5 | IVRI: IVRI | MÉHARI: CLUSIF | OCTAVE: CERT | RiskIT: RiskIT | RiskPro: This model is explained in detail in various articles.

What is the methodological approach? [Fortin (2006)]
MÉHARI: Qualitative & Quantitative; IRAM: Not available; all others: Qualitative

If qualitative: is the qualitative method appropriate for studying the phenomenon in question? [Fortin (2006)]
IRAM: Not available; all others: Yes

If qualitative: is the study centred on the subjective aspect of human experience? [Fortin (2006)]
Audicta: No | Callio Secura: No | CRAMM: No | ÉBIOS: Yes | ISO 13335-2: No | IRAM: Not available | IVRI: Yes | MÉHARI: No | OCTAVE: No | RiskIT: No | RiskPro: No

If qualitative: can the qualitative method used in the study be identified? [Fortin (2006)]
IVRI: Yes; RiskPro: Yes; IRAM: Not available; all others: No

How? [Fortin (2006)]
IVRI: Documented as action research; IRAM: Not available; all others: Not applicable

Is this model the result of research work? [Fortin (2006)]
ISO 13335-2: No; IRAM: Not available; all others: Yes

Which? [Fortin (2006)]
Audicta: Not available | Callio Secura: Not available | CRAMM: BSI | ÉBIOS: DCSSI, interdepartmental working groups, public procurement, then Club EBIOS | ISO 13335-2: Not available | IRAM: Not available | IVRI: Not available | MÉHARI: Not available | OCTAVE: Not available | RiskIT: Not available | RiskPro: work carried out by Aubert B. A., Barki H., Bernard J-G, Bourdeau S., Rivard S., Talbot J (CIRANO)

Is it based on an application of game theory or decision trees? [Léger (2006)]
OCTAVE: Yes; IRAM: Not available; all others: No

If so, which? [Léger (2006)]
OCTAVE: Decision trees; IRAM: Not available; all others: Not applicable

Is this documented? [Léger (2006)]
Audicta: Yes | Callio Secura: Yes | CRAMM: No | ÉBIOS: Yes | ISO 13335-2: No | IRAM: Not available | IVRI: Yes | MÉHARI: Yes | OCTAVE: Yes | RiskIT: Yes | RiskPro: Not applicable

Is it based on simulations? [Léger (2006)]
OCTAVE: Yes; IRAM: Not available; all others: No

If so, how? [Léger (2006)]
OCTAVE: Not available; IRAM: Not available; all others: Not applicable


 

Section: Risk analysis

Are audits carried out? [ISO 13335-2 (2005)]
Audicta: Yes | Callio Secura: Yes | CRAMM: Yes | ÉBIOS: Yes | ISO 13335-2: No | IRAM: Not available | IVRI: Yes | MÉHARI: Yes | OCTAVE: Yes | RiskIT: Yes | RiskPro: No

The risk analysis process identifies, quantifies and prioritizes risks using risk acceptance criteria and objectives relevant to the organization. [ISO 17799 (2005) Ch4]
IRAM: Not available; all others: Yes

The process of risk analysis and selection of management controls is repeated so as to cover either the information systems as a whole or individual systems. [ISO 17799 (2005) Ch4]
IRAM: Not available; RiskPro: The analysis process covers all dimensions of the project; all others: Yes

The risk analysis process integrates a systematic method for estimating the magnitude of information risks, and processes for comparing the risk with tolerance levels and standards established by the organization (baseline). [ISO 17799 (2005) Ch4]
Audicta: Yes | Callio Secura: Yes | CRAMM: Yes | ÉBIOS: Yes | ISO 13335-2: No | IRAM: Not available | IVRI: No | MÉHARI: Yes | OCTAVE: Yes | RiskIT: Yes | RiskPro: The risk evaluation process only comprises comparison of the risk with tolerance levels established by the organization's managers

The risk analysis process is repeated periodically or after significant changes. [ISO 17799 (2005) Ch4]
IRAM: Not available; RiskPro: It should be repeated several times during the project; all others: Yes

The risk analysis process is systematic and methodical, so as to produce comparable and reproducible results. [ISO 17799 (2005) Ch4]
IRAM: Not available; all others: Yes

Is the analysis of technological vulnerabilities taken into account? [ISO 13335-2 (2005)]
ÉBIOS: Yes; IVRI: Yes; RiskPro: Yes; IRAM: Not available; all others: No

The analysis of information risk takes place in a well-defined context (scope). [ISO 17799 (2005) Ch4]
IRAM: Not available; RiskPro: No analysis of the information risk; all others: Yes

The links with the risk analyses of other business lines or business units of the organization are defined. [ISO 17799 (2005) Ch4]
Audicta: Yes | Callio Secura: No | CRAMM: No | ÉBIOS: Yes | ISO 13335-2: No | IRAM: Not available | IVRI: No | MÉHARI: Yes | OCTAVE: Yes | RiskIT: Yes | RiskPro: No


 

Section: Risk management

Does the methodology offer formal processes for identifying threats? [Léger (2003)]
Audicta: No | Callio Secura: No | CRAMM: No | ÉBIOS: No | ISO 13335-2: No | IRAM: Not available | IVRI: No | MÉHARI: No? (development of an audit diagram and identification of the risk scenario) | OCTAVE: No | RiskIT: No | RiskPro: Yes

If so, are they automated? [Léger (2006)]
MÉHARI: No?; IRAM: Not available; all others: No

How important is subjectivity in the identification of threats? [source not given]
IRAM: Not available; RiskPro: Not applicable; all others: High

Does the methodology offer formal processes for identifying vulnerabilities? [Léger (2003)]
ÉBIOS: Yes; IVRI: Yes; RiskPro: Yes; IRAM: Not available; all others: No

If so, are they automated? [Léger (2006)]
ÉBIOS: No | IRAM: Not available | IVRI: No | RiskPro: Yes, for software package implementation projects and outsourcing projects | all others: Not applicable

How important is subjectivity in the identification of vulnerabilities? [Léger (2006)]
Audicta: Medium | Callio Secura: Medium | CRAMM: Medium | ÉBIOS: High | ISO 13335-2: High | IRAM: Not available | IVRI: Subjective analysis | MÉHARI: Medium | OCTAVE: Medium | RiskIT: Medium | RiskPro: Medium

What is the risk calculation approach? [Léger (2006)]
ISO 13335-2: Not indicated | IRAM: Not available | MÉHARI: Automatic or based on adjustable metrics | all others: Automatic

How are the probabilities of occurrence evaluated? [Léger (2006)]
Audicta: From a knowledge base | Callio Secura: From a knowledge base | CRAMM: From a knowledge base | ÉBIOS: Responsibility of the business units | ISO 13335-2: List | IRAM: Not available | IVRI: Subjective | MÉHARI: From a knowledge base (metrics) | OCTAVE: Subjective | RiskIT: Subjective | RiskPro: Not indicated

How is the impact evaluated? [Léger (2006)]
Audicta: From a knowledge base | Callio Secura: From a knowledge base | CRAMM: From a knowledge base | ÉBIOS: Responsibility of the business units | ISO 13335-2: Subjective | IRAM: Not available | IVRI: Subjective | MÉHARI: From a knowledge base (metrics) | OCTAVE: Subjective | RiskIT: Subjective | RiskPro: Other: the impact is evaluated by the managers

How is risk tolerance measured? [Léger (2006)]
Audicta: From a knowledge base | Callio Secura: From a knowledge base | CRAMM: From a knowledge base | ÉBIOS: Business decision | ISO 13335-2: Subjective | IRAM: Not available | IVRI: Subjective | MÉHARI: From a knowledge base (metrics and effectiveness level of the security services in place) | OCTAVE: Subjective | RiskIT: Subjective | RiskPro: Based on the dimension assigned by the managers to the impact of each undesirable event

Is a baseline (tolerance level) used? [Léger (2006)]
Audicta: Yes | Callio Secura: Yes | CRAMM: Yes | ÉBIOS: No | ISO 13335-2: Yes | IRAM: Not available | IVRI: Yes | MÉHARI: Yes | OCTAVE: Yes | RiskIT: Yes | RiskPro: No

How? [Léger (2006)]
Audicta: From a knowledge base | Callio Secura: From a knowledge base | CRAMM: From a knowledge base | ÉBIOS: Not applicable | ISO 13335-2: Subjective | IRAM: Not available | IVRI: Subjective | MÉHARI: From a knowledge base (metrics) | OCTAVE: Subjective | RiskIT: Subjective | RiskPro: Not applicable

Does the methodology offer formal processes for prioritizing risks? [Léger (2006)]
Audicta: Yes | Callio Secura: Yes | CRAMM: Yes | ÉBIOS: Yes | ISO 13335-2: No | IRAM: Not available | IVRI to RiskPro (six values given for five methodologies): No; Yes, of the risk; No; Yes; Yes; Yes

If so, is this automated? [Léger (2006)]
Audicta: Yes | Callio Secura: Yes | CRAMM: Yes | ÉBIOS: Yes | ISO 13335-2: No | IRAM: Not available | IVRI: Not applicable | MÉHARI: Yes | OCTAVE: Yes | RiskIT: Yes | RiskPro: Yes

How important is subjectivity in prioritization? [Léger (2006)]
Audicta: Medium | Callio Secura: Medium | CRAMM: Medium | ÉBIOS: Low | ISO 13335-2: High | IRAM: Not available | IVRI: High | MÉHARI: Medium | OCTAVE: Medium | RiskIT: Medium | RiskPro: Depends on the organization's situation, through the managers' evaluation

Does the methodology offer continuous improvement processes? [Léger (2006)]
RiskPro: No; IRAM: Not available; all others: Yes

If so, is this cyclic and repetitive? [Léger (2006)]
RiskPro: Not applicable; IRAM: Not available; all others: Yes

How? [Léger (2006)]
ÉBIOS: Adjustments according to changes of context | IRAM: Not available | MÉHARI: Adjustment and automatic calculation of the risk coverage provided by the security measures | RiskPro: Not applicable | all others: Cyclic repetition


 

Section: Risk treatment

Risk treatment uses organizational criteria to determine the tolerance level and the acceptance of risk. [ISO 17799 (2005) Ch4]
Audicta: Yes | Callio Secura: Yes | CRAMM: Yes | ÉBIOS: Yes | ISO 13335-2: No | IRAM: Not available | IVRI: No | MÉHARI: Yes | OCTAVE: Yes | RiskIT: Yes | RiskPro: Yes

Is the cost of mitigation measures given? [Léger (2006)]
Audicta: Yes | Callio Secura: Yes | CRAMM: Yes | ÉBIOS: Yes | ISO 13335-2: No | IRAM: Not available | IVRI: No | MÉHARI: Yes | OCTAVE: No | RiskIT: No | RiskPro: No

Are the potential losses given? [ISO 17799 (2005) Ch4]
Audicta: Yes | Callio Secura: Yes | CRAMM: Yes | ÉBIOS: Yes | ISO 13335-2: No | IRAM: Not available | IVRI: No | MÉHARI: Yes | OCTAVE: No | RiskIT: No | RiskPro: No

Is a cost-benefit analysis carried out? [ISO 17799 (2005) Ch4]
Audicta: Yes | Callio Secura: Yes | CRAMM: Yes | ÉBIOS: No (informally) | ISO 13335-2: No | IRAM: Not available | IVRI: No | MÉHARI: Yes, though it is not really part of the method | OCTAVE: No | RiskIT: No | RiskPro: No

Is the decision retained (recorded)? [ISO 17799 (2005) Ch4]
Audicta: Yes | Callio Secura: Yes | CRAMM: Yes | ÉBIOS: Yes | ISO 13335-2: No | IRAM: Not available | IVRI: No | MÉHARI: Yes | OCTAVE: No | RiskIT: No | RiskPro: No
The choice of mitigation measures takes into account the following objectives and needs: [ISO 17799 (2005) Ch4]
Full list of objectives: legal obligations; regulatory obligations; obligations arising from treaties; organizational objectives; needs of the organization; organizational constraints; the cost of implementation; the cost of operation; the reduction of the risk; balance between the costs and the benefit.
Audicta, Callio Secura, CRAMM, ÉBIOS, ISO 13335-2, OCTAVE, RiskIT: the full list
Listed between the CRAMM and ÉBIOS cells: potential of the threatening agent at the origin of the threat
IRAM: Not available
IVRI: legal obligations; regulatory obligations; obligations arising from treaties; organizational objectives; needs of the organization; organizational constraints; the reduction of the risk
MÉHARI: the full list, with the note that everything relating to cost is not really part of the method
RiskPro: the full list; Other: the proposal of mitigation measures is not automated, it takes into account the dimensions considered important for the organization concerned

Can controls be added? [ISO 17799 (2005) Ch4]
RiskPro: No; IRAM: Not available; all others: Yes

Can different reference frameworks be used? [source not given]
RiskPro: No; IRAM: Not available; all others: Yes

Does it allow the treatment of risks in projects? [ISO 17799 (2005) Ch4]
Audicta: Yes | Callio Secura: Yes | CRAMM: Yes | ÉBIOS: Yes | ISO 13335-2: No | IRAM: Not available | IVRI: Yes | MÉHARI: Yes, not obvious as an answer | OCTAVE: Yes | RiskIT: Yes | RiskPro: Yes


 

Section: Scales of measurement

Which scale of measurement is used? [Fortin (2006)]
Audicta: Interval scale | Callio Secura: Interval scale | CRAMM: Interval scale | ÉBIOS: Interval scale | ISO 13335-2: No measurement scale | IRAM: Not available | IVRI: Interval scale | MÉHARI: Interval scale | OCTAVE: Ratio scale | RiskIT: (no value) | RiskPro: Ordinal scale
Interval scale: the intervals between the numbers are equal; the numbers can be added or subtracted; the numbers are not absolute, because the zero is arbitrary.
Ratio scale: the scale has an absolute zero; the numbers represent real quantities and all mathematical operations can be carried out on them.
Ordinal scale: the objects are ranked by order of magnitude; the numbers indicate ranks, not quantities.

Is the scale of measurement used suited to measuring the research variables? [Fortin (2006)]
Audicta: Yes | Callio Secura: Yes | CRAMM: (no value) | ÉBIOS: Yes | ISO 13335-2: (no value) | IRAM: Not available | IVRI: Yes | MÉHARI: Yes | OCTAVE: Yes | RiskIT: (no value) | RiskPro: Yes

Were the measuring instruments used before, or built for the needs of the study? [Fortin (2006)]
ISO 13335-2: Built for the needs of the study | IRAM: Built for the needs of the study | RiskIT: Built for the needs of the study | all others: Used before


 

Section: Sampling

What type of sampling? [Fortin (2006)]
IRAM: Not available; all others: Non-probabilistic

How are the subjects selected? [Fortin (2006)]
IRAM: Not available | IVRI: Described in the method | RiskPro: The subjects are selected according to their function in the organization and their capacity to evaluate things appropriately for the organization | all others: Reasoned (purposive) choice


 

Section: Saturation of the data

Are processes in place to ensure saturation of the data? [Fortin (2006)]
RiskPro: Yes; IRAM: Not available; all others: No

Which? [Fortin (2006)]
RiskPro: All the people concerned are included in the study; IRAM: Not available; all others: Not applicable


 

Section: Interviews

Is the method of collecting and recording the data clearly specified? [Fortin (2006)]
ISO 13335-2: No; IRAM: Not available; all others: Yes

Does the method clearly describe how the participants are selected? [Fortin (2006)]
ISO 13335-2: No; IRAM: Not available; all others: Yes


 

Section: Reliability of the measuring instrument

Is information given on the reliability of the measuring instruments? [Fortin (2006)]
IVRI: Yes; RiskPro: Yes; IRAM: Not available; all others: No

If so, which type of reliability was analyzed, and how does the author interpret the results of the reliability examination? [Fortin (2006)]
IVRI: Stability (test-retest); internal consistency; inter-rater reliability | IRAM: Not available | RiskPro: Not available | all others: Not applicable


 

Section: Validity of the measuring instrument

Is information given on the validity of the measuring instruments? [Fortin (2006)]
IVRI: Yes; RiskPro: Yes; IRAM: Not available; all others: No

If so, which type of validity was analyzed? [Fortin (2006)]
Audicta: Not applicable | Callio Secura: Not applicable | CRAMM: Not applicable | ÉBIOS: Not applicable | ISO 13335-2: Not applicable | IRAM: Not available | IVRI: Content validity; criterion-related validity
