Qualitative vs. Quantitative Risk Analysis (Comparison)

Qualitative vs Quantitative Cyber Risk Analysis: What's the Difference?

NIST CSF, ISO 2700X, and other standards say that cybersecurity risk and its contributing factors can be assessed in a variety of ways, including “quantitatively” or “qualitatively.” But what’s the difference? Which is the better form of risk measurement for your organization? Why would you conduct a qualitative versus a quantitative risk analysis?

Let’s explore the differences between quantitative and qualitative risk analysis.

RiskLens is the leader in cyber risk quantification. 

Qualitative Risk Analysis 

Analysts use ordinal rating scales (1 – 5) or assign relative ratings (high, medium, low or red, yellow, green) to plot various risks on a heat map with Loss Event Frequency (or Likelihood) on one axis and Loss Severity (or Magnitude or Impact) on the other.

But how do analysts decide where to place the risks relative to each other? They decide based on their experience in risk management or — as Jack Jones writes in his book Measuring and Managing Information Risk: A FAIR Approach — their “mental models.” In other words, these decisions are made based solely on the opinions of the people conducting the assessment.

Purely qualitative analyses are…
