Common Methods for Security Risk Analysis


  1. Malboeuf, S.
  2. Sandberg-Maitland, W.
  3. Dziadyk, W.
  4. Bacic, E.
Corporate Authors
Defence R&D Canada - Ottawa, Ottawa ONT (CAN);Cinnabar Networks, Ottawa Ont (CAN)
This document reports the results of a study conducted to document the state of risk management in Canada. The study provides a history of Canada's initiatives with respect to risk management and investigates how Canada can augment the Working Group with its experience, its future initiatives and its opportunities. In addition, the study presents a comparison between the prevalent Canadian threat and risk assessment (TRA) methodology (ITSG-04) and the recommendations of the National Institute of Standards and Technology Risk Management Guide for Information Technology Systems (NIST SP 800-30). Risk management has evolved substantially in the past few years, but the available tools and documentation have been a significant impediment to further development. There is a definite need to standardize the TRA process and to provide system owners with a useful and consistent tool for evaluating the risks to information and IT systems. The approach to a common framework is driven by the need for a common language: a shared set of concepts and vocabulary can only help unify the disparate terminologies that variant TRA approaches and methodologies have engendered. Equally valuable is the prospect of automating or partially automating the TRA. Automated tools were premature in the early days when risk management was first introduced, but practitioners have since gained expertise and experience in conducting TRAs. It is recognized that human intervention will most likely be required in any aut
Report Number
DRDC-OTTAWA-CR-2004-247 — Contractor Report
Date of publication
01 Dec 2004