Frameworks, Methodologies, and Tools Applicable to Cyber Risk
Methodologies
FAIR (Factor Analysis of IT and Information Risk): A quantitative methodology based on critical thinking and defensible risk analysis. Very good for understanding qualitative risk and how it supports an Enterprise Risk Management Program. Agrees that risk cannot be accurately measured, but holds that it can be measured to the extent that it reduces management's uncertainty about a risk.
http://www.fairinstitute.org/blog/video-what-is-risk-the-bald-tire-scenario