MEHARI

MEHARI (MEthod for Harmonized Analysis of RIsk) is a free, open-source information risk analysis assessment and risk management method, for the use of information security professionals.

MEHARI enables business managers, information security/risk management professionals and other stakeholders to evaluate and manage the organization's risks relating to information, information systems and information processes (not just IT). It is designed to align with and support information security risk management according to ISO/IEC 27005, particularly in the context of an ISO/IEC 27001-compliant Information Security Management System (ISMS) or a similar overarching security management or governance framework.

History

MEHARI has steadily evolved since the mid-1990s to support standards such as ISO/IEC 27001, ISO/IEC 27002, ISO/IEC 27005 and NIST's SP 800-30. The current version of MEHARI Expert (2010) includes links and support for ISO 27001/27002:2013 revision ISMS.

Description

MEHARI Expert (2010) combines a powerful and extendible knowledge base with a flexible suite of tools supporting the following information security risk analysis and management activities:

Threat analysis: top business managers describe the organization's activities, list the potential issues or concerns that might adversely affect those activities, and assign values to the business impacts.

The business processes are analyzed further in order to identify and map out the associated organizational, human and technical assets.

The assets are classified according to three classic security criteria (confidentiality, integrity, availability) plus the need for compliance to applicable laws and regulations (e.g. to protect personal information or the environment).

The intrinsic likelihood/probability of representative threat event types is considered.

These elements are combined automatically to analyze and assess the intrinsic severity of risks (based on 800 'scenarios' in the knowledgebase), highlighting the most critical and serious ones according to the projected business consequences.

Diagnostic questionnaires help users evaluate the ability of their existing information security measures/controls to mitigate risks.

Security measures (organizational and technical) are grouped into services for discussion with the relevant managers and professionals.

The current severity level of each risk scenario is displayed, taking account of the effectiveness of existing security measures, giving an indication of the current information security risk landscape and suggesting the prioritization of remedial work.

Action plans and security projects can be selected to manage the risks, based on the expected effectiveness of additional security measures and the timescales for their implementation. The preceding analysis enables management to appreciate the business benefits of, and hence justify, appropriate investment in information security: the entire process is business-driven.

MEHARI Expert (2010)'s comprehensive knowledgebase, built using Excel, is available in both English and French as an interactive tool, or more accurately a suite of tools that can be used individually but are designed as a coherent suite. As the process proceeds, the knowledgebase automatically expands with the information obtained, providing inputs for subsequent steps. Consistent analysis of the risks and controls enables large, diverse organizations to compare and contrast operating units on an even footing.

Additional applications and tools, based on the same principles, may be developed under Creative Commons license.

See also

Attack (computing)
Computer security
Information security
Information security management system
IT risk
Methodology
Threat (computer)
Vulnerability (computing)

Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.