14

I've heard of FAIR, and that seems pretty great.

What other methodologies are there? How do they work?
What are their benefits, and their drawbacks compared to others?
When is each appropriate?


From another Area51 proposal.

3 Answers

6

The fundamental difference between the two methodologies is that GAIT is qualitative while FAIR is quantitative. Bottom line, GAIT is another one of those methods such as SAS70, SOX, Cobit and the rest that will end up being a checklist exercise that will tell you nothing about your security or what the monetary value of your IT risk is.

7

I suggest reading Krag Brotby's Information Security Management Metrics book for coverage of most of the relevant risk analysis frameworks that are usually tailored to a specific kind of risk (e.g. financial analysis for information security management programs or risk management programs could use ROSI, ALE/SLE, VAR, cost-effectiveness, etc).

I also suggest looking at FISAP and IIA GAIT
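To make the qualitative-versus-quantitative distinction in these answers concrete, here is a small added example (not code from either answerer, nor an official FAIR or RiskLens implementation). It computes the ALE/SLE and ROSI figures mentioned above, and then runs a simplified FAIR-style Monte Carlo that treats risk as loss event frequency times loss magnitude, with each factor given as a low/most-likely/high estimate. All dollar figures and frequencies are constructed for illustration; the triangular distributions and the 10,000-iteration count are assumptions, not part of any methodology's specification.

```python
import math
import random
import statistics


def annualized_loss_expectancy(sle, aro):
    """ALE = SLE x ARO: single loss expectancy times annual rate of occurrence."""
    return sle * aro


def return_on_security_investment(ale_before, ale_after, annual_control_cost):
    """ROSI = (risk reduction - cost of the control) / cost of the control."""
    risk_reduction = ale_before - ale_after
    return (risk_reduction - annual_control_cost) / annual_control_cost


def _poisson(lam, rng):
    """Knuth's method for sampling an event count with expected value lam.
    Adequate for the small per-year frequencies used in this kind of model."""
    threshold = math.exp(-lam)
    count = 0
    p = 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return count
        count += 1


def fair_style_simulation(lef, lm, iterations=10000, seed=7):
    """Simplified FAIR-style annual loss simulation.

    lef: (low, most_likely, high) loss event frequency per year
    lm:  (low, most_likely, high) loss magnitude per event, in currency units
    Returns summary statistics over the simulated annual loss distribution.
    Uses a triangular distribution for both factors (assumption for this example).
    """
    rng = random.Random(seed)
    annual_losses = []
    for _ in range(iterations):
        # Draw this year's expected event frequency, then the actual event count.
        frequency = rng.triangular(lef[0], lef[2], lef[1])  # (low, high, mode)
        events = _poisson(frequency, rng)
        # Each event gets its own loss magnitude draw.
        total = sum(rng.triangular(lm[0], lm[2], lm[1]) for _ in range(events))
        annual_losses.append(total)
    annual_losses.sort()
    p90_index = int(0.9 * (iterations - 1))
    return {
        "mean": statistics.fmean(annual_losses),
        "median": statistics.median(annual_losses),
        "p90": annual_losses[p90_index],
        "prob_any_loss": sum(1 for x in annual_losses if x > 0) / iterations,
    }


if __name__ == "__main__":
    # Constructed figures: one breach costs $50,000 and is expected every 5 years.
    ale = annualized_loss_expectancy(sle=50_000, aro=0.2)
    print(f"ALE: ${ale:,.0f}")
    # Constructed: a $20,000/yr control cuts ALE from $100,000 to $30,000.
    print(f"ROSI: {return_on_security_investment(100_000, 30_000, 20_000):.2f}")
    # Constructed FAIR-style inputs: 0.1 to 2 events/yr, $10k to $250k per event.
    summary = fair_style_simulation(lef=(0.1, 0.5, 2.0), lm=(10_000, 50_000, 250_000))
    for key, value in summary.items():
        print(f"{key}: {value:,.2f}")
```

The point of the simulation is what a checklist cannot give you: a distribution of annual loss in money, from which you can read a median, a 90th percentile, and the probability of any loss at all, and then compare those against the cost of a control using the same ROSI arithmetic.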

0

+1 for GAIT. Definitely recommend a good look at it!

1
  • Have link? How does it compare to FAIR? Commented Dec 20, 2010 at 9:09
