Many organizations we have been speaking with lately have begun the process of risk management in an effort to formalize their information assurance programs. For many organizations this is a new step and involves uncertainty. One of the most common questions we get when talking with companies is: what risk assessment models are there to choose from?

The catalog of potential methods is long, and every practitioner we know seems to prefer a particular risk management methodology. We don't want to start any wars over this, but we do want people to understand what some of their options are, so we have been compiling a list of the more popular methodologies we have seen companies implementing.

In no particular order, here are some of the more popular methods we’ve seen companies using:

  1. Single Loss Expectancy (SLE) / Annualized Loss Expectancy (ALE)
  2. Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)
  3. National Institute of Standards & Technology (NIST) Special Publications 800 Series
  4. ISO 27005 Risk Management Methodology
  5. Factor Analysis of Information Risk (FAIR)
  6. Microsoft STRIDE & DREAD
  7. Guide to the Assessment of IT Risk (GAIT)
  8. Failure Modes and Effects Analysis (FMEA)
  9. Failure Modes, Effects and Criticality Analysis (FMECA)
  10. Cause Consequence Analysis (CCA)
  11. Modeling & Analysis of Safety and Risk in Complex Systems (MASR)
  12. Open Governance, Risk and Compliance Maturity Management Methodology (OGRCM3)
  13. Open Risk Model Repository (ORIMOR)
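As an added illustration (not part of the original post), here is the first methodology on the list worked through in code. SLE/ALE is the simplest quantitative approach: Single Loss Expectancy is asset value times exposure factor (SLE = AV × EF), and Annualized Loss Expectancy multiplies that by the annualized rate of occurrence (ALE = SLE × ARO). The example goes one step beyond the list by using ALE to rank risks and to judge whether a control is worth its annual cost (ALE before, minus ALE after, minus control cost). All asset values, exposure factors, occurrence rates and control costs are constructed for the example, not figures from any real assessment.

```python
"""SLE / ALE worked example: rank risks and evaluate controls by cost-benefit.

Added example, not part of the original post. Every number below is a
constructed illustration, not data from a real assessment.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float       # AV: value of the asset at risk, in currency units
    exposure_factor: float   # EF: fraction of AV lost in one occurrence (0.0 .. 1.0)
    aro: float               # ARO: expected occurrences per year

    def sle(self) -> float:
        """Single Loss Expectancy: expected loss from one occurrence (AV * EF)."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: expected loss per year (SLE * ARO)."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float       # yearly cost of operating the control
    residual_ef: float       # exposure factor that remains once the control is in place
    residual_aro: float      # occurrence rate that remains once the control is in place


def residual_risk(risk: Risk, control: Control) -> Risk:
    """The same risk re-stated with the control's residual EF and ARO."""
    return Risk(risk.name, risk.asset_value, control.residual_ef, control.residual_aro)


def control_value(risk: Risk, control: Control) -> float:
    """Annual net benefit of a control: ALE reduction minus the control's cost.

    A positive value means the control pays for itself; a negative value means
    the organization would spend more on the control than it expects to lose.
    """
    return risk.ale() - residual_risk(risk, control).ale() - control.annual_cost


def rank_by_ale(risks: List[Risk]) -> List[Risk]:
    """Order risks by expected annual loss, largest first."""
    return sorted(risks, key=lambda r: r.ale(), reverse=True)


# Constructed sample register: three risks and one candidate control for each.
SAMPLE_RISKS: List[Risk] = [
    Risk("Customer database breach via web app", asset_value=500_000, exposure_factor=0.4, aro=0.2),
    Risk("Laptop theft", asset_value=3_000, exposure_factor=1.0, aro=5.0),
    Risk("Office flooding", asset_value=2_000_000, exposure_factor=0.1, aro=0.02),
]

SAMPLE_CONTROLS: Dict[str, Control] = {
    # Patching plus a web application firewall lowers how often the breach is expected.
    "Customer database breach via web app": Control("WAF + patch program", 12_000, 0.4, 0.05),
    # Full-disk encryption does not stop theft but limits the loss to the hardware.
    "Laptop theft": Control("Full-disk encryption", 2_000, 0.1, 5.0),
    # Flood barriers reduce damage but cost more per year than the expected loss.
    "Office flooding": Control("Flood barriers", 8_000, 0.02, 0.02),
}


def evaluate(risks: List[Risk], controls: Dict[str, Control]) -> List[Tuple[str, float, float]]:
    """Return (risk name, ALE, net control value) for each risk, highest ALE first."""
    return [(r.name, r.ale(), control_value(r, controls[r.name])) for r in rank_by_ale(risks)]


if __name__ == "__main__":
    for name, ale, value in evaluate(SAMPLE_RISKS, SAMPLE_CONTROLS):
        verdict = "worth it" if value > 0 else "not worth it"
        print(f"{name:40s} ALE={ale:>10,.0f}  control net value={value:>10,.0f}  ({verdict})")
```

Two things the numbers make visible that the bare method names do not: the laptop risk has a small SLE but a large ALE because it happens often, so it outranks the flood; and the flood barrier is rejected not because flooding is harmless but because its annual cost exceeds the ALE it removes. The same ranking and cost-benefit step is what the qualitative models on the list (OCTAVE, FAIR, the NIST 800 series) approximate with likelihood and impact scales instead of currency.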

Does this mean that all the companies we deal with choose one of these methods? Of course not! Most companies we meet build a personalized method that borrows aspects from multiple models to create one that works best for them, and there is nothing wrong with that either. We just hope that by understanding some of your choices you will be able to make a better decision about which model is best for you.

The best risk management model will always be the one that helps you and your organization to achieve your goals.