Roger that. Would help a bit to understand a bit on how you are doing the analysis and a vague idea of what you are doing in the analysis and what to do/how to interpret "what comes out", either.
I've "looked into the innards" of a number of software packages, and would not recommend any of them that I've seen. Garbage in, mystical chants, gospel out. yeah.

V/R

Jim

Jonas M Luster wrote:
>
> Quoting Meritt James ([EMAIL PROTECTED]):
>
> > An interesting distinction between finding and analysis for qualitative
> > and quantitative risk analysis may (and often is) made. The CIS FRAP,
> > for example, is a qualitative system. A number of the software risk
> > analysis packages claim to be quantitative but an inspection of (all the
> > ones I have looked into) seems lacking in statistical rigor and
> > justification for numerous operations and selections of defaults.
>
> Without a broad knowledge base (which would then imply an ASP based
> solution), qualification is bound to be statistically and practically
> incorrect. ASP based, because I don't really know anyone who'd be
> willing to store a couple of terabytes of indexed incident and risk
> data on a harddisk.

--
James W. Meritt CISSP, CISA
Booz | Allen | Hamilton
phone: (410) 684-6566