As companies are increasingly exposed to a variety of information security threats, they are permanently forced to pay attention to security issues. Risk management provides an effective approach for measuring the security through risk assessment, risk mitigation and evaluation. Existing risk management approaches are highly accepted but demand very detailed knowledge about the IT security domain and the actual company environment. This paper presents AURUM – a new methodology for supporting the NIST SP 800-30 risk management standard – and provides a comparison with the GSTool and CRISAM in order to highlight the benefits decision makers may expect when using AURUM.