RSA Blog: Bad Decisions Made Faster: How Qualitative Security Risk Assessments Are Making Things Worse


Derek Brink posted the following on the RSA Blog: "Bad Decisions Made Faster: How Qualitative Security Risk Assessments Are Making Things Worse." It is another argument against qualitative risk analysis. Research and analyze the debate of quantitative versus qualitative risk analysis.

In cybersecurity, risk assessment and risk management are essential to keeping the business running. Risk assessment identifies the risks an organization faces; risk management then builds the protection program that addresses them. Both depend on ranking the identified threats by relative importance, which can be done in one of two ways: qualitatively or quantitatively. Security personnel frequently ask whether a risk assessment should be qualitative or quantitative; in my opinion, combining both methods is the key to an accurate and effective risk assessment.

Which form of analysis is best depends on your specific situation. Combining the two, however, lets you use the qualitative pass to quickly identify the risks that matter under normal operating conditions and to collect other personnel's opinions on how relevant those risks actually are. The quantitative pass can then be run on that shortlist to produce concrete figures about the risks and about how to protect against them.

For example, when you go to a doctor's appointment, the doctor doesn't administer every test and exam in the book right away; instead, they ask a series of questions first (qualitative) and use the answers to decide which detailed exams to perform (quantitative), all while keeping risk in mind.

In this example, the length of the appointment is decisive in choosing which tests to run, since the doctor can only perform so many in that time; this is analogous to the budget allocated to a business's cybersecurity efforts. Using both qualitative and quantitative assessments helps ensure every dollar is spent wisely, because some protective measures are vital to the continued operation of the enterprise (a blood sugar check for a patient with diabetes) while others are not necessary at all (a pregnancy check for a man).
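To make the two-stage approach concrete, here is an added example in Python; it is not from the original post or from the RSA article. Stakeholders supply ordinal likelihood and impact labels, a qualitative triage keeps only the risks scoring above a threshold, and those shortlisted risks then get a quantitative pass using single loss expectancy (SLE) multiplied by annualized rate of occurrence (ARO) to give annualized loss expectancy (ALE), after which proposed controls are fitted to a fixed budget by net annual benefit. The risk register, the scale labels, the dollar figures, the control costs and the effectiveness fractions are all constructed for illustration, and the SLE/ARO/ALE method is a standard quantitative technique that the post itself does not name.

```python
"""Qualitative triage, then quantitative (ALE) analysis and budget fitting.

Added example: all figures below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Qualitative scales are ordinal buckets, not probabilities or currency.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Risk:
    name: str
    likelihood: str         # qualitative label gathered from stakeholders
    impact: str             # qualitative label gathered from stakeholders
    sle: float              # single loss expectancy per event (constructed)
    aro: float              # annualized rate of occurrence, events/year (constructed)
    control_cost: float     # yearly cost of the proposed control (constructed)
    control_effectiveness: float  # fraction of events the control prevents, 0..1


def qualitative_score(risk: Risk) -> int:
    """Stage 1: likelihood x impact on the ordinal scales (1..25)."""
    return LIKELIHOOD[risk.likelihood] * IMPACT[risk.impact]


def triage(risks: List[Risk], threshold: int = 9) -> List[Risk]:
    """Keep only risks whose qualitative score reaches the threshold."""
    return [r for r in risks if qualitative_score(r) >= threshold]


def ale(risk: Risk) -> float:
    """Stage 2: annualized loss expectancy = SLE x ARO."""
    return risk.sle * risk.aro


def control_benefit(risk: Risk) -> float:
    """Annual loss avoided by the control minus its annual cost.

    A negative value means the control costs more than the loss it prevents,
    which is exactly the kind of spend the quantitative pass is meant to catch.
    """
    return ale(risk) * risk.control_effectiveness - risk.control_cost


def plan(risks: List[Risk], budget: float, threshold: int = 9) -> Tuple[List[str], float]:
    """Greedy selection: best net benefit first, skipping controls that do not
    pay for themselves or do not fit the remaining budget."""
    ranked = sorted(triage(risks, threshold), key=control_benefit, reverse=True)
    chosen: List[str] = []
    spent = 0.0
    for r in ranked:
        if control_benefit(r) <= 0:
            continue
        if spent + r.control_cost <= budget:
            chosen.append(r.name)
            spent += r.control_cost
    return chosen, spent


def sample_register() -> List[Risk]:
    """A constructed risk register used to exercise the two stages."""
    return [
        Risk("Phishing credential theft", "likely", "major", 50_000, 2.0, 30_000, 0.6),
        Risk("Ransomware via unpatched VPN", "possible", "severe", 400_000, 0.25, 45_000, 0.8),
        Risk("Laptop theft without disk encryption", "possible", "moderate", 20_000, 1.0, 5_000, 0.9),
        Risk("Insider data sale", "unlikely", "severe", 250_000, 0.05, 40_000, 0.5),
        Risk("Office printer toner outage", "likely", "negligible", 500, 6.0, 1_000, 1.0),
    ]


if __name__ == "__main__":
    register = sample_register()
    for r in register:
        print(f"{r.name:40s} qual={qualitative_score(r):2d} ALE={ale(r):>10.0f} "
              f"benefit={control_benefit(r):>10.0f}")
    print(plan(register, budget=60_000))
```

The qualitative stage drops the toner outage before anyone estimates a dollar value for it; the quantitative stage then rejects the insider-threat control because its annual cost exceeds the loss it would prevent, and fits the remaining controls to the budget by net benefit. The selection is a simple greedy pass, which is adequate for a short list but not an optimal allocation in general.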

As with any task, the quality of the results depends on the tools used. When performing a risk assessment, knowing which form of risk analysis to apply (preferably a mixture of both) opens up new sources of data and, in turn, new opportunities for successful risk management.


RSA Blogs. (2020, July 20). Retrieved September 29, 2020, from

Lexico. (2019, Nov 18). Definition: Qualitative. Retrieved September 29, 2020, from

Lexico. (2019, Nov 18). Definition: Quantitative. Retrieved September 29, 2020, from

Leal, Rhand. (2017, March 6). Advisera. “Qualitative vs. Quantitative Risk Assessments in Information Security: Differences and Similarities.” Retrieved September 29, 2020, from

Categories: Security
