Qualitative vs. Quantitative Risk Assessment

Volkran Evrin
Author: Volkan Evrin, CISA, CRISC, COBIT 2019 Foundation, CDPSE, CEHv9, ISO 27001-22301-20000 LA
Date Published: 19 October 2021

With the ongoing impact of the COVID-19 pandemic in today’s business ecosystem, the value of decision making by using risk-oriented thinking has emerged more clearly and precisely. There is not a field of business that does not feel the contribution of risk assessment results, from information security to business continuity and resilience.

One of the most difficult decisions for a risk practitioner or risk manager is determing the most appropriate assessment method to use in the risk analysis process. Many different risk analysis methods have been used effectively and efficiently over the years. However, it can be challenging to make the final decision depending on the character of the asset/process subject to risk and the type and size of the risk-related data available.

In general, it is neccessary to first understand how to use risk-based thinking. Then, it becomes easier to decide which risk analysis can make the highest contribution to risk assessment, depending on an organization’s expertise in business processes, the technological infrastructure, the tools used and the quality and reliability of the data available.

First, the relationships between assets, processes, threats, vulnerabilities and other factors are analyzed in the risk assessment approach. There are many methods available, but quantitative and qualitative analysis are the most widely known and used classifications.

Qualitative risk analysis can be generally performed on all business risk. The qualitative approach is used to quickly identify risk areas related to normal business functions. Although the biased attitudes of staff or the lack of work experience can sometimes make the process difficult, qualitative risk analysis generally strengthens an effective risk assessment approach.

If there is an environment where decisions must be made based on data, it would be the most logical decision to use quantitative risk analysis methods. Quantitative risk analysis provides more objective information and accurate data than qualitative analysis because quantitative risk assessment is based on realistic and measurable data used to calculate the impact values that the risk will create with the probability of occurrence. The most common problem in quantitative assessment is that there is not enough data to be analyzed. There also can be challenges in revealing the subject of the evaluation with numerical values or the number of relevant variables is too high. This makes risk analysis technically difficult.

When determining whether to use a quantitative or a qualitative approach, you will find positives and negatives to both options. Qualitative risk assessment is quick to implement due to the lack of statistical/numerical dependence and measurements, and can be performed easily. It is also beneficial if employees are experienced in asset/processes; however, they may also bring biases in determining probability and impact. Qualitative risk analysis is quick but subjective. On the other hand, quantitative risk analysis is objective and has more detail, contingency reserves and go/no go decisions, but it takes more time and is more complex. Quantitative data are difficult to collect and can be prohibitively expensive.

By adopting a combined approach and considering the information and time response needed with the data and knowledge available, it is possible to enhance the effectiveness and efficiency of the risk assessment process, and conform to the organization’s requirements to achieve desired security levels.

Editor’s note: For further insights on this topic, read Volkan Evrin’s recent Journal article, “Risk Assessment and Analysis Methods: Qualitative and Quantitative,” ISACA Journal, volume 2, 2021.

Don't forget—Members can earn free CPE from ISACA Journal quizzes!

ISACA Journal