0

# Quantitative vs Qualitative Risk Assessment: Pro’s and Con’s

When deciding on a risk assessment methodology, one question that usually pops up is: quantitative vs qualitative risk assessments – what is the difference between each? Which is better? Which is appropriate for my organisation? In this article, we will look at quantitative vs qualitative, the differences between each, scenarios for when each may be appropriate and recommendations in implementing a risk assessment methodology as part of ISO 27001.

So firstly, quantitative vs qualitative – what is the difference?

The easiest way to differentiate is that one methodology uses numbers and figures (quantitative) and one uses descriptions and words (qualitative) to calculate risk levels. In formal definitions, qualitative means making comparisons based on qualities, whereas quantitative means something can be estimated or calculated based on a quantity. Just remember, quantity vs. quality. In information security risk terms, this would be the difference between describing something as a ‘high’ risk (qualitative) or a 9 out of 10 on a scale (quantitative). In reality, the quantitative result would translate into a qualitative result e.g. high, for understanding purposes, but the calculations before would be based on figures.

Let’s look at an example to understand this better. If a business wishes to understand the total costs that would be incurred as a result of a risk occurring on an annual basis, then a quantitative risk assessment methodology may be most appropriate. The organisation may wish to adopt the calculation Annual Loss Expectancy (ALE) = Annual Rate of Occurrence (ARO) * Single Loss Expectancy (SLE). Using this calculation, the organisation can estimate how regularly a given threat occurs in a year and multiply this by the estimated costs of a threat occurring. For example, a hurricane occurs twice a year but costs the organisation an estimated £200,000 when it does occur. By multiplying the ARO by the SLE (2*£200,000) we know that the estimated annual loss expectancy is £400,000. This is an example of a quantative risk assessment, or risk analysis, in that we used figures to calculate the cost, or risk.

The above is a simplified example but shows how using a figure, or numbers, based approach can give an accurate representation of risk to businesses. However, qualitative methods can be equally as effective where values/figures/numbers cannot be assigned. For example, quantifying loss of customer confidence can be difficult, therefore, a qualitative descriptor may be the best approach. In this instance, descriptors are assigned i.e. low, medium, high, catastrophic, and mapped to numbers to be used to calculate risk. In this instance, qualitative methods with quantitative work best in order to calculate real impact where numbers cannot be used. Quantitative vs Qualitative Risk Assessment: Which is Best?

So, which approach is best? And does ISO 27001 mandate the use of either approach?

There is no right or wrong answer here. Generally, organisations like to adopt a quantitative based approach so that a cost can be put on the risk and any associated counter measures required. However, where quantitative methods cannot be utilized, then qualitative is the way to go. Combining both can ensure that those areas that cannot be quantified can still be incorporated into the risk assessment.

ISO 27001 does not mandate either approach, but requires that organisations adopt a consistent, repeatable methodology to identify risks. The term repeatable lends itself to using a quantitative based approach, where calculations provide the same result and are not subjective to interpretation of descriptors.

See our article on which risk assessment methodology for ISO 27001? for more information on choosing the right methodology for your organisation.

Conclusion

To summarize, both qualitative and quantitative methods can be useful to an organisation in order to value assets, identify threats and ultimately calculate risks. Risk assessment methodologies call on both methods in order to calculate risk, however, organisations should ensure that their approach taken identifies risks in a formal, consistent, repeatable manner.