In cybersecurity, risk assessment and risk management are two halves of the same process. Risk assessment identifies the threats an organization faces and rates how much each one matters; risk management then selects and funds the controls that bring those risks down to an acceptable level. Both depend on the relative importance assigned to each identified threat, and that importance can be established in one of two ways: qualitatively or quantitatively. Security personnel often ask which of the two approaches to use when formulating a risk assessment; in my opinion, employing a combination of both methods is the key to compiling an accurate and effective risk assessment.
In this post, I will define and explain the differences between qualitative and quantitative analysis.
The term qualitative, by itself, means pertaining to or concerned with quality or qualities (Lexico, 2019). In cybersecurity, a qualitative risk assessment rates each risk using subjective judgments rather than measured values: the assessor studies an event or a control and records, in words or on an ordinal scale, how severe the event's consequences would be or how well the control has been implemented.
For example, a qualitative assessment of a control can be rated on a scale from 1 to 5: a 1 means the control has not even been considered, a 2 that it has been considered but not implemented, a 3 that it is implemented but has not been made official or documented, a 4 that it has been formalized but not yet documented, and a 5 that it is completely formalized, implemented, and documented. Risks themselves are commonly rated on a simple low-medium-high scale for likelihood and impact. Because a qualitative assessment needs no hard numbers, it is fast and easy to run, which is why it is often the first form of assessment an organization performs. The trade-off is that the ratings are subjective: two assessors can score the same control differently, so the meaning of each level should be written down and applied consistently.
“A qualitative analysis uses the presence of PPS components and adherence to PPS principles as system effectiveness measures” (Fennelly, 2016). Fennelly is writing about a physical protection system (PPS), but the same distinction applies to cyber controls: a qualitative review asks whether the expected controls exist and follow accepted principles, not how well they perform under test.
The term quantitative, by itself, means relating to, measuring, or measured by the quantity of something rather than its quality (Lexico, 2019). In cybersecurity, a quantitative assessment expresses risk in monetary terms. It starts from measurable data (asset values, incident history, outage costs) and applies arithmetic formulas to produce probability and impact values. The following concepts are used in a quantitative assessment:
SLE (Single Loss Expectancy): the value expected to be lost each time the incident occurs; usually calculated as the asset value (AV) multiplied by the exposure factor (EF), the fraction of the asset's value that a single incident destroys.
ARO (Annualized Rate of Occurrence): the estimated number of times the incident will occur in one year; a value below 1 means less often than yearly (0.1 for roughly once a decade).
ALE (Annual Loss Expectancy): the value expected to be lost in one year, calculated by multiplying SLE by ARO; this product is the risk value used to compare risks and to judge whether a control is worth its cost.
Compared to a qualitative assessment, a quantitative analysis gives more precise results about risk value and return on investment, but only as precise as its inputs: ARO in particular is often an educated guess, and an exact-looking dollar figure can hide that uncertainty.
“A quantitative analysis uses specific component performance measures derived from rigorous testing to predict overall system effectiveness” (Fennelly, 2016).
Which analysis is best comes down to your specific situation. In practice, combining the two works well: the qualitative assessment quickly surfaces the risks that matter under normal operating conditions and lets other personnel weigh in on how relevant each one actually is; the quantitative analysis is then run on that shortlist to produce hard figures on expected loss and on what it would cost to protect against each risk.
For example, when you go to a doctor's appointment, the doctor doesn't administer every test in the book right away; instead, they ask a series of questions first (qualitative) and use the answers to decide which more detailed exams are worth performing (quantitative), keeping risk in mind throughout.
In this example, the length of the appointment limits how many tests can be run, much as the allocated budget limits a business' cybersecurity efforts. Using both qualitative and quantitative assessments helps ensure every dollar is spent wisely, separating protective measures that are vital to the continued operation of the enterprise (a blood sugar check for a diabetic patient) from those that are not needed at all (a pregnancy test for a man).
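The following is an added example, not code from the original post, that carries the SLE, ARO and ALE definitions above through to a decision and wires them to the qualitative-first approach just described: each risk is first scored on a 5x5 likelihood-by-impact matrix, only the medium and high band survives to the quantitative stage, and the quantitative stage computes SLE = AV x EF, ALE = SLE x ARO, and the net value of a proposed control (ALE before minus ALE after minus the control's annual cost). The rating words, band thresholds, risk register and every dollar figure are constructed for the example; the control-value formula goes slightly beyond the post by adding the exposure factor and control cost, which the post's definitions imply but do not spell out.

```python
from dataclasses import dataclass

# Qualitative 1..5 ratings. The words and numbers are assumptions for this example,
# not a standard scale; a real program should pin these definitions in its methodology.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
BAND_ORDER = {"low": 0, "medium": 1, "high": 2}


@dataclass
class Risk:
    name: str
    likelihood: str          # key into LIKELIHOOD (qualitative)
    impact: str              # key into IMPACT (qualitative)
    asset_value: float       # AV: value of the asset, in dollars
    exposure_factor: float   # EF: fraction of AV lost per incident, 0.0..1.0
    aro: float               # ARO: expected incidents per year without the control
    control_cost: float      # annual cost of the proposed control
    aro_with_control: float  # ARO expected once the control is in place


def qualitative_score(risk):
    """Likelihood x impact on the 5x5 matrix; ranges 1..25."""
    return LIKELIHOOD[risk.likelihood] * IMPACT[risk.impact]


def qualitative_band(score):
    """Collapse the matrix score to low/medium/high. Thresholds are a choice."""
    if score >= 15:
        return "high"
    if score >= 6:
        return "medium"
    return "low"


def single_loss_expectancy(risk):
    return risk.asset_value * risk.exposure_factor  # SLE = AV x EF


def annual_loss_expectancy(risk, aro=None):
    rate = risk.aro if aro is None else aro
    return single_loss_expectancy(risk) * rate       # ALE = SLE x ARO


def control_value(risk):
    """Net annual benefit of the control: ALE before - ALE after - control cost."""
    before = annual_loss_expectancy(risk)
    after = annual_loss_expectancy(risk, risk.aro_with_control)
    return before - after - risk.control_cost


def assess(risks, min_band="medium"):
    """Qualitative screen first; quantitative analysis only for what survives."""
    results = []
    for risk in risks:
        score = qualitative_score(risk)
        band = qualitative_band(score)
        if BAND_ORDER[band] < BAND_ORDER[min_band]:
            continue  # screened out: not worth the effort of a quantitative workup
        net = control_value(risk)
        results.append({
            "name": risk.name,
            "score": score,
            "band": band,
            "sle": single_loss_expectancy(risk),
            "ale": annual_loss_expectancy(risk),
            "control_value": net,
            "fund_control": net > 0,  # control pays for itself only if net benefit is positive
        })
    return sorted(results, key=lambda r: (r["score"], r["ale"]), reverse=True)


# Constructed sample register; every figure below is made up for the example.
SAMPLE_RISKS = [
    Risk("Ransomware on file server", "likely", "major", 500_000, 0.4, 0.5, 30_000, 0.1),
    Risk("Phishing credential theft", "almost certain", "moderate", 200_000, 0.25, 2.0, 40_000, 0.4),
    Risk("Web server defacement", "unlikely", "moderate", 60_000, 0.2, 0.25, 5_000, 0.05),
    Risk("Printer firmware exploit", "rare", "minor", 8_000, 0.5, 0.1, 3_000, 0.02),
]

if __name__ == "__main__":
    for r in assess(SAMPLE_RISKS):
        print(f"{r['name']:<28} {r['band']:<6} score={r['score']:>2} "
              f"SLE=${r['sle']:>9,.0f} ALE=${r['ale']:>9,.0f} "
              f"control value=${r['control_value']:>9,.0f} fund={r['fund_control']}")
```

On the constructed register the printer risk is dropped at the qualitative stage, and the web defacement control is rejected at the quantitative stage because its $5,000 annual cost exceeds the $2,400 of ALE it removes, which is exactly the kind of budget call the doctor analogy describes.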
As with any task, the quality of the results depends on the tools used. When performing a risk assessment, knowing which form of risk analysis to apply (or, preferably, how to combine the two) opens up new sources of data and, with them, new opportunities for successful risk management.
Fennelly, L. J. (2016). Effective Physical Security (5th ed.). Butterworth-Heinemann.
Lexico. (2019, November 18). Definition: Qualitative. Retrieved from https://www.lexico.com/en/definition/qualitative.
Lexico. (2019, November 18). Definition: Quantitative. Retrieved from https://www.lexico.com/en/definition/quantitative.
Leal, R. (2017, March 6). Qualitative vs. Quantitative Risk Assessments in Information Security: Differences and Similarities. Advisera. Retrieved from https://advisera.com/27001academy/blog/2017/03/06/qualitative-vs-quantitative-risk-assessments-in-information-security/.