Question - Risk Mgmt methodology: OCTAVE

Anyone into this?

on top of @jonas.von.scholten?

Nope. Interestingly enough though, we had an annual assessment performed, and the consulting firm used the NIST Program Review for Information Security Management Assistance (PRISMA) model:

OCTAVE Allegro is more commonly used than OCTAVE. You should be looking at ISO 27005 and FAIR as even more common. There is a good guide to integrating them at http://www.businessofsecurity.com/docs/FAIR%20-%20ISO_IEC_27005%20Cookbook.pdf

I was just going to suggest FAIR or FAIR Basic. FAIR requires a Monte Carlo simulator, which may be a lot to ask of Eramba right now, but that would be awesome. FAIR Basic is semi-quantitative and would probably fit in Eramba using the Very Low to Very High level classification. “Managing and Measuring Information Risk” by Jack Freund is a great resource for both. FAIR is the OpenGroup approved method and is definitely becoming the new gold standard in information risk management.
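
To make the "Monte Carlo simulator" remark concrete, here is an added illustration (not code from the thread, from eramba, or from the FAIR standard) that samples a loss event frequency and a per-event loss magnitude from min / most likely / max ranges, sums the annual loss over many simulated years, and maps the resulting percentile onto a Very Low to Very High band. The triangular distributions, the event-count rounding, the percentile chosen and the band thresholds are all simplifying assumptions made here, not part of FAIR.

```python
import random

# Assumed band thresholds (annual loss in currency units); constructed for this example.
BANDS = [(10_000, "Very Low"), (50_000, "Low"), (150_000, "Medium"),
         (500_000, "High"), (float("inf"), "Very High")]


def loss_band(annual_loss):
    """Map a simulated annual loss onto the semi-quantitative scale."""
    for upper, label in BANDS:
        if annual_loss < upper:
            return label
    return BANDS[-1][1]


def simulate_annual_loss(freq_rng, mag_rng, iterations=10_000, seed=1):
    """Monte Carlo estimate of annualised loss exposure.

    freq_rng / mag_rng are (min, most_likely, max) tuples for loss event
    frequency (events per year) and loss magnitude (per event). Both are
    drawn from triangular distributions; FAIR tooling typically uses PERT,
    so this is a simplification. Returns summary statistics in a dict.
    """
    rng = random.Random(seed)  # fixed seed keeps the run reproducible
    yearly = []
    for _ in range(iterations):
        freq = rng.triangular(freq_rng[0], freq_rng[2], freq_rng[1])
        # Turn a fractional rate into a whole event count: the fractional part
        # becomes the probability of one extra event (simplification, not FAIR).
        whole, frac = int(freq), freq - int(freq)
        events = whole + (1 if rng.random() < frac else 0)
        total = sum(rng.triangular(mag_rng[0], mag_rng[2], mag_rng[1])
                    for _ in range(events))
        yearly.append(total)
    yearly.sort()
    n = len(yearly)
    pct = lambda q: yearly[int(q * (n - 1))]
    return {"mean": sum(yearly) / n, "p10": pct(0.10), "median": pct(0.50),
            "p90": pct(0.90), "max": yearly[-1], "band_p90": loss_band(pct(0.90))}


if __name__ == "__main__":
    # Constructed sample scenario: 0.5 to 4 phishing-driven incidents a year,
    # each costing between 10k and 200k.
    result = simulate_annual_loss((0.5, 2, 4), (10_000, 50_000, 200_000))
    for key, value in result.items():
        print(f"{key:>8}: {value:,.0f}" if isinstance(value, float) else f"{key:>8}: {value}")
```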

We are looking at including additional “risk calculation” methods in eramba, right after we complete the workflows project (hopefully two to three weeks from now).

We used ISO methods for years and I guess we closed ourselves a bit too much into that and missed other methods. Can we summarise a few popular options as:

  • NIST
  • PRISMA
  • Octave Allegro
  • FAIR

We’ll be looking at them and how feasible it is to “plug” them into eramba.

Thanks again!!
Esteban