Tuesday, August 12, 2025

Qualitative vs. Quantitative Risk Assessment


| Feature | Qualitative Risk Assessment | Quantitative Risk Assessment |
|---|---|---|
| Method | Uses descriptive, uncalibrated terms to rank risks. | Uses numerical values to measure risk and its impact. |
| Language | Uses words like "high," "low," "moderate," or "severe." | Uses numbers, percentages, and monetary values (e.g., "$100,000 loss," "10% chance per year"). |
| Arithmetic | Cannot be used in mathematical calculations (e.g., you can't average "highs" and "lows"). | Can be used in arithmetic to calculate expected loss and compare it to the cost of controls. |
| Use Case | Best for situations with limited data or for quick, initial assessments. | Best for well-understood processes with reliable, measurable data. |
| Example | "This risk is of medium severity and is likely to occur." | "There is a 10% chance this risk will occur in a given year, resulting in a potential loss of $5 million." |

The Importance of Measurement

A key distinction is that quantitative assessments allow direct comparison and calculation: the expected annual loss from a risk (its probability per year multiplied by its impact) can be compared numerically with the cost of a control that reduces it. This is not possible with qualitative ratings, which are ordinal labels rather than measurements; a "high" risk isn't necessarily twice as severe as a "medium" risk, so such ratings cannot be added, averaged, or traded off against a budget.

The Factor Analysis of Information Risk (FAIR) method is a modern, quantitative approach to risk assessment. It decomposes risk into loss event frequency and loss magnitude, estimates each as a range rather than a single point value, and produces a distribution of probable loss. It's designed to provide a more accurate and defensible way of measuring risk and is compatible with major risk management frameworks like NIST CSF, ISO 31000, and COSO.
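The arithmetic the table and the two paragraphs above describe, as an added example that is not part of the original post: a point-estimate annualized loss expectancy for the page's "10% per year, $5 million" risk, a return-on-security-investment comparison against a control, and a FAIR-style Monte Carlo that treats loss event frequency and loss magnitude as distributions rather than single numbers. The control cost, the Poisson frequency model and the lognormal magnitude model are assumptions chosen for illustration, not figures or prescriptions from FAIR or from this page.

```python
"""Added example: quantitative risk assessment in code.

Point-estimate ALE, a FAIR-style Monte Carlo loss distribution, and a
return-on-security-investment comparison of a control against the risk
it reduces.  All figures are constructed for illustration.
"""
import math
import random


def annualized_loss_expectancy(annual_probability: float, single_loss: float) -> float:
    """Point estimate: expected loss per year = P(event in a year) x loss per event.

    For the page's example (10% per year, $5M per event) this is $500,000.
    """
    return annual_probability * single_loss


def return_on_security_investment(ale_before: float, ale_after: float,
                                  control_cost: float) -> float:
    """ROSI = (risk reduction - annual control cost) / annual control cost.

    Positive means the control costs less than the loss it prevents.  This is
    the comparison that ordinal labels such as "high" cannot support.
    """
    risk_reduction = ale_before - ale_after
    return (risk_reduction - control_cost) / control_cost


def poisson_sample(rate: float, rng: random.Random) -> int:
    """Number of loss events in one year (Knuth's method; stdlib has no Poisson)."""
    threshold = math.exp(-rate)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= threshold:
            return count
        count += 1


def simulate_annual_losses(event_frequency: float, loss_mean: float,
                           loss_sigma: float, years: int, seed: int = 1) -> list[float]:
    """FAIR-style Monte Carlo (assumed distributions): loss event frequency is
    Poisson, loss magnitude per event is lognormal (heavy right tail, as
    incident costs usually are).

    loss_mean is the expected cost of one event; mu is solved so the lognormal
    has exactly that mean.  Returns the total loss for each simulated year.
    """
    rng = random.Random(seed)  # fixed seed keeps the run reproducible
    mu = math.log(loss_mean) - loss_sigma ** 2 / 2
    annual_losses = []
    for _ in range(years):
        events = poisson_sample(event_frequency, rng)
        annual_losses.append(sum(rng.lognormvariate(mu, loss_sigma) for _ in range(events)))
    return annual_losses


def percentile(values: list[float], pct: float) -> float:
    """Nearest-rank percentile of a list of values."""
    ordered = sorted(values)
    index = min(len(ordered) - 1, int(pct / 100 * len(ordered)))
    return ordered[index]


def summarize(annual_losses: list[float]) -> dict[str, float]:
    """The numbers a risk owner actually decides on: expected loss, tail loss
    at the 90th and 99th percentiles, and how often a year is loss-free."""
    n = len(annual_losses)
    return {
        "mean": sum(annual_losses) / n,
        "p90": percentile(annual_losses, 90),
        "p99": percentile(annual_losses, 99),
        "zero_loss_years": sum(1 for x in annual_losses if x == 0) / n,
    }


if __name__ == "__main__":
    ale = annualized_loss_expectancy(0.10, 5_000_000)
    print(f"point-estimate ALE: ${ale:,.0f}")
    # Constructed control: $200k/year brings the 10% annual chance down to 2%.
    after = annualized_loss_expectancy(0.02, 5_000_000)
    print(f"ROSI of control: {return_on_security_investment(ale, after, 200_000):.2f}")
    stats = summarize(simulate_annual_losses(0.10, 5_000_000, 0.5, 100_000))
    for key, value in stats.items():
        print(f"{key:>16}: {value:,.2f}")
```

The simulation makes the practical point that the point estimate hides: with a 10% annual frequency, roughly nine years in ten show no loss at all and the 90th-percentile annual loss is zero, yet the expected loss is still about $500,000 and the 99th percentile is several million. A budget decision made on the "medium, likely" label alone has no way to see either figure.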
