Risk analysis and management tools serve multiple purposes and come in numerous shapes and sizes. Some risk analysis and management tools include those used for many purposes. Some of the purposes are.
- Program Risk Management. It focuses on identifying, analyzing, prioritizing, and managing risks to eliminate or minimize their impact on a program’s objectives and the probability of success.
- Cost Risk Analysis. It focuses on quantifying how technological and economic risks may affect a system’s cost. Applies probability methods to model, measure, and manage risk in the cost of engineering advanced systems.
- Strategic and Capability Risk Analysis. It focuses on identifying, analyzing, and prioritizing risks to achieve strategic goals, objectives, and capabilities.
- Threat Analysis. It focuses on identifying, analyzing, and prioritizing threats to minimize their impact on national security.
- Investment and Portfolio Risk Analysis. It focuses on identifying, analyzing, and prioritizing investments and possible alternatives based on risk.
Each specialized risk analysis and management area have developed tools to support its objectives with various levels of maturity. This article focuses on tools that support the implementation and execution of program risk management. Many of the best technical security tools are open-source, free and ripe for the using, so, fortunately, there are a number of free and open-source tools that can help with risk management efforts.
These tools below, in particular, have zero licensing costs, can be picked up rapidly, require minimal support once set up and can be decommissioned just as quickly with minimal impact. The tools below can give your risk management efforts an immediate shot in the arm.
Inventorying
One of the toughest parts of a risk management project can be keeping track of what devices, services, applications and other assets you have fielded already. If you don’t know what you have out there, how can you systematically evaluate the impact of a given vulnerability? If you don’t know what devices support certain business activities, how can you evaluate disruption or extent of compromise in the event of an incident? Short story: You can’t.
So if you don’t already have a tool to assist in keeping that asset inventory current, you might consider some free and open-source options in this arena. For example, SpiceWorks might be an option; while it’s not open-source, it is free.
If you prefer an open-source alternative, GLPI (GNU GPL v 2) might be a fit. If you require automating discovery, you might look at something like OCS Inventory NG, which can feed data into either platform to help you collect data about what you have out there.
Risk Tracking.
There are free tools that can be used to help track risks and mitigations, visualize risks by severity, create reports and complete other logistical legwork items, and it is for free. Tools such as SimpleRisk can help you get started. It’s worth noting that the extras you might want for enterprise use aren’t free, but included in the core bundle are many valuable features that can get your program well underway.
Threat Analysis.
Analyzing the universe of threats that exist and assessing the risks to your organization that might arise as a result of it can be challenging. Having a tool that helps automate and streamline the process can be very helpful.
The Practical Threat Analysis (PTA) tool can assist to create a threat model, systematically evaluate threats and impacts, and build a risk register based on the work you do. It is worth to note that the interface is a bit dated and the most current update was from a few years back in the year 2013, however, it’s free to use and can help simplify the launch of a program.
Vulnerability Information.
Sometimes there’s just no substitute for a vulnerability scan in determining what technical vulnerabilities exist in a given environment. While there are a number of great commercial tools out there, useful tools to have in your arsenal are the tried-and-true scanning tools such as OpenVAS for host scanning or Vega for application scanning.
Monitoring
As a practical matter, the ongoing monitoring of the environment is an important part of a holistic risk management process. The reason is that unanticipated changes or downtime are both potentially symptomatic of a risk coming to pass and also something that could impact the risk environment itself. Thus, continuous monitoring of the environment can tie directly back to your ongoing risk monitoring. In this regard, tools such as Nagios or Icinga 2 can be both valuable and beneficial.
Maybe you’re thinking long term and you want to keep your options open and move to a commercial risk management product once you get the budget. If that’s the case, using something in the short term that doesn’t lock you in is advantageous.
