An interesting distinction between finding and analysis for qualitative and quantitative risk analysis may be (and often is) made. The CIS FRAP, for example, is a qualitative system. A number of the software risk analysis packages claim to be quantitative, but on inspection all the ones I have looked into seem lacking in statistical rigor and in justification for numerous operations and selections of defaults.

V/R

Jim

leon wrote:
>
> Sure, run Nessus or your vuln scanner of choice and if you get high
> risk vulns (and they are not false positives) one could put the
> quantitative impact at the cost of the information. I never really
> understood qualitative risk analysis myself.
>
> HTH,
>
> Leon
>
> -----Original Message-----
> From: Ralph Chapman [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, November 01, 2001 12:53 AM
> To: [EMAIL PROTECTED]
> Subject: Risk Analysis and Management software
>
> Does anyone have any ideas of software available to
> help quantify the impact of potential threats
> (quantitative and qualitative) and mitigate risk for a
> company?
>
> Thanks for the help in advance!

--
James W. Meritt CISSP, CISA
Booz | Allen | Hamilton
phone: (410) 684-6566
