Comparison between MONARC and different Risk Management Methods (2024)

Table of contents:

  • 1. MONARC
    • 1.1 Description
    • 1.2 MONARC vs. ISO 27005:2011
    • 1.3 MONARC Tool
  • 2. ISO 31000
    • 2.1 Description
    • 2.2 ISO 31000 vs. MONARC
  • 3. ISO 27005:2011
    • 3.1 Description
    • 3.2 ISO 27005 vs. MONARC
  • 4. MAGERIT
    • 4.1 Description
    • 4.2 Magerit vs. MONARC
  • 5. OCTAVE
    • 5.1 Description
    • 5.2 OCTAVE vs. MONARC
  • 6. EBIOS
    • 6.1 Description
    • 6.2 EBIOS vs. MONARC
  • 7. IT-Grundschutz
    • 7.1 Description
    • 7.2 IT-Grundschutz vs. MONARC
  • ANNEX. Table: Comparison between MONARC and different Risk Management Methods
  • References

1. MONARC

1.1 Description

MONARC (in French: “Méthode Optimisée d’aNAlyse des Risques CASES”) simplifies risk management by offering a risk management solution as well as information security governance, based on industry standards. It allows analyses to be made from existing and customisable models in a short amount of time, while remaining compliant with the ISO/IEC 27005:2011 international standard.

MONARC is based on a library of risk models offering objects made of risk scenarios by assets or groups of assets. This approach simplifies the management of the most common risks and increases objectivity as well as efficiency. As MONARC is completely repeatable, these results can be deepened and adjusted to the maturity of each organisation by increasing the depth of risk scenarios.

The MONARC risk analysis method is composed of four phases:


**Context Establishment**

The first step is to take stock of the context, challenges and priorities of the company or organization that wishes to analyse its risks. This particularly serves to identify the key activities and critical processes of the business in order to guide the risk analysis towards the most important elements. To do this, a kick-off meeting is organized with the members of the management and key persons. The goal is to know what makes the company «live» and what could destroy it, to identify the key processes, the internal and external threats as well as the organisational, technical and human vulnerabilities.

**Context Modelling**

This phase includes the modelling of objects and trees. The assets were identified in the previous phase. They must now be detailed and formalised in a diagram that displays their interdependencies.

Impacts are defined at the level of the primary assets (processes or information), following the information gathered in the context establishment phase. The secondary assets inherit the impact of the primary asset to which they are attached (object tree). The impact level of the secondary assets can be modified manually.

**Evaluation and treatment of risks**

The assessment consists of quantifying the threats, vulnerabilities and impacts in order to calculate the risks.

To do this, it is necessary to have reliable information about the exact likelihood of the threats, the ease of exploitation of vulnerabilities and the potential impacts; hence the need to rely on metrics that have been validated by experts.

When the risk assessment identifies a risk that is higher than the acceptable level (risk acceptance grid), risk treatment measures should be implemented in order to reduce the risk to an acceptable level.

**Implementation and monitoring**

When the first treatment of risks has been carried out, an ongoing management phase with security monitoring and recurring control of the security measures must begin, in order to improve security in a sustainable way.

This fourth phase also allows security to be continuously optimised by increasing the detail of the objects used and by expanding the scope of the risk analysis.

1.2 MONARC vs. ISO 27005:2011

The four phases of MONARC fully respect the ISO/IEC 27005:2011 international standard, which contains the guidelines for risk management as related to information security. A comparison with MONARC is displayed below:

[Figure: comparison of the MONARC phases with the ISO/IEC 27005:2011 process (not reproduced)]

1.3 MONARC Tool

The tool associated with MONARC allows access to the knowledge bases, as well as modifying and sharing them. MONARC provides export and import features, so that users can easily exchange risk models.

The tool also offers a very powerful modelling feature with a “Drag & Drop” function. The proposed hierarchical structure is very simple to use. This is a great advantage as it simplifies the implementation of the changes in the model at each iteration.

2. ISO 31000

2.1 Description

ISO 31000:2009 (“Risk management – Principles and guidelines”) is intended to harmonize risk management processes with existing and future standards. It provides guidelines on how to organize and manage effectively all kinds of risks in all kinds of organizations.

ISO 31000:2009 introduces a new definition of risk, abandoning the technical vision (“risk is the combination of event probability and its consequence”) to link risks with the objectives of the organization: “Risk is the effect of uncertainty on objectives”. This definition is more in line with the management point of view.

**Structure of the standard**

The standard is structured in three parts:

  1. The principles answer the question of why risk management is done. The process of integrating these principles takes place at two levels: the decision-making level and the operational level.

  2. The organizational framework explains how to integrate risk management into the strategy of the organization (strategic management) via the iterative process of the Deming wheel (Plan-Do-Check-Act).

  3. The management process specifies how to integrate risk management at the operational level.


**What is not ISO 31000?**

It is not a certification standard that provides detailed instructions: ISO 31000 only provides the general principles of risk management and highlights the framework and processes that should be implemented. The norm is described in only 24 pages.

2.2 ISO 31000 vs. MONARC

ISO 31000 describes how to approach risk management strategically and understandably; it does not offer any specific advice about information security risk assessment or risk treatment. From a technical point of view, ISO 31000 lists various risk management processes without a complete description.

MONARC gives guidelines for information security risk assessment and treatment; it gives the “know-how” to identify assets, threats and vulnerabilities, and to assess impact, consequences and probability in order to calculate risk.

MONARC is compliant with ISO 31000.


3. ISO 27005:2011

3.1 Description

ISO/IEC 27005:2011 (“Information technology — Security techniques — Information security risk management (second edition)”).

ISO 27005 provides an iterative framework compliant with ISO 27001 and a set of processes for effective risk management. Half of the standard consists of appendices that provide examples and very useful information to help the user implement the method.

ISO 27005 is dedicated only to risk management in the information security domain. It proposes either qualitative or quantitative risk management and does not advise any methods or tools.

ISO 27005 refers to the ISO 31000 risk management process, but provides much more detail and implementation guidance.

As shown in the figure below, there are some differences, especially the “decision points”, which are added to possibly refine the risk assessment and the risk treatment stages. There is also an additional risk acceptance process. It ensures that residual risks are explicitly accepted by the management of the organization. This is particularly important in a situation where the implementation of controls is omitted or postponed.

[Figure: ISO/IEC 27005 risk management process with its decision points and risk acceptance step (not reproduced)]

3.2 ISO 27005 vs. MONARC

MONARC is fully compliant with ISO 27005.

ISO 27005 is dedicated to information risks. MONARC can also manage operational risks, for which the risk treatment is done directly on the reputation, operation, legal and financial criteria. The impact on persons can also be considered (in particular for the GDPR).

ISO 27005 gives the choice to use a qualitative or quantitative method; MONARC is a purely qualitative method.

The free software provided with MONARC allows the risk management to be extended up to the monitoring of the implementation of the security measures.


4. MAGERIT

4.1 Description

MAGERIT (in Spanish: “Metodología de Análisis y Gestión de Riesgos de los Sistemas de Información”) is a method for risk analysis and management for information systems, developed by the Spanish Ministry of Public Administrations.

This method provides a management framework and a structured approach to risk management in accordance with ISO 27005.

The method provides valuable knowledge databases based on assets, threats and security measures, as well as different techniques to conduct qualitative or quantitative risk analyses.

The analysis approach is structured into three main parts: planning, risk analysis and risk management.

The distinctive characteristic of the method lies in the modelling of assets, which takes into account the dependencies between assets. Dependency values are used to calculate asset degradation values. The impact criteria used for this inheritance link are confidentiality, integrity, availability, authenticity and accountability. When calculating the potential impact, 3 values are considered:

  • the accumulated impact (depending on the dependencies)
  • the deflected impact (intrinsic value)
  • the aggregated impact (aggregation of impact values)

These three types of impact make it possible to calculate the three associated risks (minimum, median, max…).

The analysis approach is as follows:

**Identification of assets**

  • Information and services are upper assets.
  • Other assets are lower assets (types of assets are given by the method and structured into layers).

**Dependency building**

Assets are organized into a hierarchical tree structure. An upper asset depends on all lower assets.

**Asset valuation**

Lower assets in the dependency diagram are said to accumulate the value of the assets they support. The value may be their own or may be accumulated.

**Identification and valuation of threats**

Magerit gives a list of typical threats according to a relationship between the types of asset.

**Determination of impact**

Its own plus the accumulated value of the assets that depend on it.

**Determination of the risk**

Being aware of the threat’s impact on the assets, the risk can be derived directly simply by taking into account the frequency of occurrence.

**Safeguards**

Reducing the frequency of threats and/or limiting the impact. Calculation of the residual risk.


4.2 Magerit vs. MONARC

Magerit gives the choice to use a qualitative or quantitative method; MONARC is only a qualitative method.

Magerit uses 5 dimensions for the impact criteria: confidentiality, integrity, availability, authenticity and traceability. MONARC only uses 3 dimensions, but provides the direct consequences on the ROLFP criteria (Reputation, Operation, Legal, Financial, to the Person).

ISO 27005 is dedicated to information risks. MONARC can also manage operational risks.

The hierarchical model of the assets for the two methods is very similar:

  • With Magerit the inherited values of the three types of impact are set up in the links of dependence.
  • With MONARC, dependency inheritance is always 100% by default, but it is possible to redefine the impact at each level of the hierarchy.

There is another big difference between Magerit and MONARC in the way the risk is calculated:

  • Version v1.0 of Magerit introduced the notion of vulnerability. In v3.0, this notion is replaced by the degradation (amount of damage to the [asset value]), which is a threat parameter.
  • MONARC uses the concept of asset vulnerability, which is related to the security measures in place and to the threats.

Depending on the situation, it is easier to check the security measures in place than to evaluate the damage to an asset.

Both methods have an associated tool. The tool for MONARC is free.
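The impact inheritance described in the context modelling phase of section 1 and in the comparison just above (MONARC: 100% inheritance down the object tree by default, with a manual override at any level; Magerit: a dependency value on each link), followed by an evaluation of risk scenarios against an acceptance threshold, as an added Python example that is not code from MONARC or Magerit. The 0-4 impact scale, the 1-4 threat and vulnerability scales, the rounding-up of scaled values, the asset names and the formula risk = impact × threat × vulnerability are assumptions made for the example, not taken from either method.

```python
from collections import defaultdict
from math import ceil

CRITERIA = ("C", "I", "A")  # confidentiality, integrity, availability

# Constructed model: two primary assets (processes) supported by shared
# secondary assets. Impact per criterion is on an assumed 0-4 scale.
PRIMARY_IMPACT = {
    "Payroll process": {"C": 4, "I": 3, "A": 2},
    "Public website":  {"C": 1, "I": 3, "A": 4},
}
# Edge = (upper asset, lower asset it depends on, Magerit-style dependency
# value in 0.0-1.0). MONARC mode ignores the value and inherits 100%.
DEPENDENCIES = [
    ("Payroll process", "HR database", 1.0),
    ("Payroll process", "Server room", 0.5),
    ("Public website",  "Web server",  1.0),
    ("Public website",  "Server room", 1.0),
    ("HR database",     "Server room", 0.75),
]
# MONARC lets the analyst redefine the inherited impact at any level.
MANUAL_OVERRIDE = {"Web server": {"C": 0, "I": 2, "A": 4}}
# Risk scenarios: (asset, criterion, threat likelihood 1-4, vulnerability 1-4)
SCENARIOS = [
    ("Server room", "C", 2, 3),
    ("Web server",  "C", 3, 4),
    ("HR database", "I", 2, 2),
]


def propagate(primary_impact, dependencies, overrides, use_dependency):
    """Return {asset: {criterion: impact}} for every asset in the tree.

    use_dependency=False: MONARC mode, a lower asset inherits 100% of the
    highest impact among the upper assets it supports, unless overridden.
    use_dependency=True: Magerit mode, the inherited value is scaled by the
    dependency value on each link (rounded up) before taking the maximum.
    """
    uppers = defaultdict(list)  # lower asset -> [(upper asset, value)]
    for upper, lower, value in dependencies:
        uppers[lower].append((upper, value))
    cache = {}

    def impact_of(asset):
        if asset in cache:
            return cache[asset]
        if asset in overrides:
            result = dict(overrides[asset])
        elif asset in primary_impact:
            result = dict(primary_impact[asset])
        else:
            result = {c: 0 for c in CRITERIA}
            for upper, value in uppers[asset]:
                scale = value if use_dependency else 1.0
                for c in CRITERIA:
                    result[c] = max(result[c], ceil(impact_of(upper)[c] * scale))
        cache[asset] = result
        return result

    assets = {a for edge in dependencies for a in edge[:2]} | set(primary_impact)
    return {a: impact_of(a) for a in sorted(assets)}


def evaluate(impacts, scenarios, acceptance_threshold):
    """Assumed formula risk = impact x threat x vulnerability. Return the
    scenarios above the acceptance threshold (the acceptance grid reduced to
    a single cut-off here), highest risk first, as (asset, criterion, risk)."""
    above = []
    for asset, criterion, threat, vulnerability in scenarios:
        risk = impacts[asset][criterion] * threat * vulnerability
        if risk > acceptance_threshold:
            above.append((asset, criterion, risk))
    return sorted(above, key=lambda item: -item[2])
```

Running the same scenarios in both modes shows why the choice matters: the shared "Server room" inherits the full payroll confidentiality impact under 100% inheritance but only a scaled value when the dependency is 0.5 or 0.75, which changes which risks cross the acceptance threshold.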

5. OCTAVE

5.1 Description

OCTAVE® (“Operationally Critical Threat, Asset, and Vulnerability Evaluation”) is a risk-assessment method.

There are 3 versions of the OCTAVE method that address organizations of different sizes. The latest up-to-date version, based on the first two, is called OCTAVE Allegro.

The method consists of a series of workshops conducted and facilitated by an interdisciplinary analysis team drawn from business units throughout the organization.

Structure of the method: there are four distinct areas of activity that are carried out through eight steps in workshop style.

For each step, the method proposes predefined questionnaires and worksheets in order to collect information in a structured way.


**Establish risk measurement criteria**

  • Definition of a qualitative set of measures (risk measurement criteria).
  • Prioritization of the impact areas from most important to least important.

**Develop an information asset profile**

  • Identification of a collection of information assets.
  • Evaluation of the impact if information is disclosed, modified, destroyed…
  • Collection of the information necessary to begin the structured risk assessment process (scope, owner, impact criteria, security requirements).

**Identify information asset containers**

  • Identification of asset containers (supporting assets: hardware, software, people…) either inside or outside of the organization.

**Identify areas of concern**

  • Identification of areas of concern for each of the containers that have been listed.
  • Documentation of each area of concern that has been identified.
  • Creation of threat scenarios.

**Identify threat scenarios**

  • Identification of additional threat scenarios:
    • A tree structure is used to visually represent a range of threat scenarios.
    • Threat scenario questionnaires are reviewed.

**Identify risks**

  • Determine how the threat scenarios that have been recorded on each information asset risk worksheet could affect your organization.

**Analyse risks**

  • According to the risk measurement criteria: evaluation of the consequences relative to each of the impact areas.
  • Calculation of a score for each risk.

**Select Mitigation Approach**

  • Mitigation of the risk (accept, mitigate or defer).
  • Categorization of risks (risk matrix).
  • Assignment of a mitigation approach to each of your risks.

5.2 OCTAVE vs. MONARC

OCTAVE does not require the use of any tool for a first iteration of risk analysis. The MONARC method is closely tied to its tool.

The identification of threats and threat scenarios is highly dependent on the skills of those involved in OCTAVE. MONARC has knowledge databases that provide default relationships between assets and threats.

6. EBIOS

6.1 Description

EBIOS (in French: “Expression des Besoins et Identification des Objectifs de Sécurité”) is a risk management and risk assessment method of the French government.

The EBIOS method complies with the requirements of the main information security standards, ISO 31000 and ISO 27005; it allows ISO 27001 to be implemented and the controls of ISO 27002 to be used.

The method is rigorous and exhaustive, as is the tool, which guides the user step by step without the possibility of bypassing any step.

Risk models are based on the relationship between primary and supporting assets. The tool provides comprehensive basic knowledge on supporting assets, threats, vulnerabilities…

The method follows the steps below:


**Context study**

  • Definition of the context and risk management framework, metrics and scope of the study.
  • Identifying essential assets and mapping the supporting assets on which they are based.

**Study of feared events**

  • Identification of security requirements in terms of availability, integrity, confidentiality.
  • Identification of impacts: reputation, operation, legal, financial…

**Threat scenario study**

  • Identification and assessment of risk scenarios.
  • Study of threats, sources of threats and exploitable vulnerabilities.

**Risk study**

  • Matching risks and feared events to threat scenarios.
  • Risk assessment.
  • Identification of the security objectives to be met in order to address the risks.

**Study of security measures**

  • Treatment of risks.
  • Validation of the risk treatment and residual risks.
  • Planning for implementing security measures.

The tool offers many deliverable solutions, according to the objectives of the users.

6.2 EBIOS vs. MONARC

The two methods are rather opposite: one proposes a structured and exhaustive approach (sometimes long and complicated), the other proposes a faster approach, based on small iterations that allow rapid evolutions. The time needed to take up the software is not comparable at all.

Both tools offer an assisted approach and provide comprehensive knowledge databases. MONARC provides its own knowledge bases, but also those of EBIOS 2004, where the threats and vulnerabilities are distinct.

In EBIOS, risk assessment is based on the likelihood of threat scenarios. In MONARC, risk assessment is rather based on the vulnerabilities of assets, which are easier to evaluate (measures in place or a repository of good practices).

In EBIOS, it is necessary to define security requirements, which is very difficult in low-maturity organizations. MONARC defines a security baseline to be reached with its default risk model.

7. IT-Grundschutz

7.1 Description

IT-Grundschutz is part of a series of standards relating to information security and published by the German Federal Office for Information Security (BSI).

IT-Grundschutz is more a method of risk management than of risk assessment. For a standard context, it is not necessary to carry out a risk analysis, as this has already been done.


The methodology consists of several standards that describe the management framework, the implementation of the ISMS, and the risk management and risk assessment method, but above all a catalog of more than 4000 pages containing knowledge bases on assets, threats and vulnerabilities, and especially thousands of good practices concerning configurations of all types (hardware, software…).


The objective of the risk assessment is to provide a qualitative method for identifying, analysing and evaluating security incidents that may adversely affect the business. The standards describe a risk assessment at two levels: one is designed to achieve a “standard” level of security, and a second “complementary risk analysis” can be undertaken by organizations that want an approach that is appropriate to their needs.


For companies implementing a “standard” Information Security Management System based on IT-Grundschutz, the risk assessment is done by using the IT-Grundschutz guide books. These contain repositories of common threat scenarios and standard security countermeasures applicable to most IT environments, grouped by modules corresponding to various business environments and information system components.

In order to achieve a higher level of information security, a “supplementary risk analysis based on IT-Grundschutz” can also be performed by taking the following steps:

**Prepare an overview of threats**

A list of relevant threats is created for each asset that needs to be analysed, using the IT-Grundschutz catalog.

**Determine additional threats**

Any threats specific to the application scenario are identified via a brainstorming session.

**Assess the threats**

The threat summary is systematically analysed to determine whether the implemented and/or planned security measures provide adequate protection for each target object and threat. Thus, all relevant security mechanisms are checked for completeness, strength and reliability.

**Select safeguards for handling risks**

Decisions are made at the managerial level on the way risks that are not adequately mitigated are to be handled. Options include: reducing risk via safeguards, avoiding risk, transferring risk and accepting risk.

**Consolidate results**

The new security policy and mechanisms as a whole are verified and checked for consistency, user friendliness and adequacy to the target environment.

7.2 IT-Grundschutz vs. MONARC

One of the big differences of the IT-Grundschutz method compared to other methods is its bottom-up approach. Indeed, security is based on a predefined risk analysis of each element that makes up an information system, not on a business asset-based approach.

The tool (GS-tool) allows the use of the method to be optimised by selecting the pages of the catalog to be implemented in order to obtain an adequate level of protection.

One of the major problems of IT-Grundschutz is that there are latencies in the English translation of the catalogs. It is better to be German-speaking in order to have up-to-date knowledge databases.

ANNEX. Table: Comparison between MONARC and different Risk Management Methods

References

**ISO 31000:2009**

**ISO 27005:2011**

**MAGERIT**

**OCTAVE**

**EBIOS 2010**

**IT-Grundschutz**

**ENISA**
