Last week I went to the International Symposium on Engineering Secure Software and Systems (ESSoS) 2009. I attended the tutorial on Risk Management in Practice: Model-Based Security Risk Analysis with the CORAS Method. I must say, it turned out to be an enlightening day.
I think the main conclusion that can be drawn from the audience comments is twofold. On the one hand, the CORAS method, with its diagrams, provides a convenient way to visualise risk and to communicate with the customer about it. On the other hand, it lacks the formality (and, to be more specific, the checklists) that other risk assessment methodologies offer. The best example of the latter was demonstrated during an interactive workshop in which there was (due to the cumulative security expertise in the room) an ad-hoc explosion of vulnerabilities, threat scenarios and unwanted incidents for a relatively simple scenario.
Doing some Google searching on the pointers I got from people in the audience about other risk assessment approaches, I found this interesting page on the Europa portal (which does not mention the CORAS method ... yet) that allows you to compare different approaches to risk assessment.
If you would like to check out CORAS for yourself, the SourceForge page of the project should be an excellent place to get you started.