What is qualitative risk assessment in cyber security?

In the risk assessment process, one common question asked by organizations is whether to go with a quantitative or a qualitative approach. The good news is that by using both approaches cyber security professionals and consultants can, in fact, improve your process efficiency towards achieving desired security levels.

Qualitative Risk Assessment

In qualitative risk assessment, the focus is on interested parties’ perceptions about the probability of a risk occurring and its impact on relevant organizational aspects (e.g., financial, reputational, etc.). This perception is represented in scales such as “low – medium – high” or “1 – 2 – 3,” which are used to define risk’s final value.

Since it has little mathematical dependency (risk may be defined through a simple sum, multiplication, or other form of non-mathematical combination of probability and impact values), qualitative risk assessment is easy and quick to perform, allowing an organization to take advantage of a user’s experience with and knowledge of the process/asset being assessed.

One problem with qualitative assessment is that it is highly biased, both in terms of probability and impact definition, by those who perform it.

Quantitative Risk Assessment

Quantitative risk assessment focuses on factual and measurable data, and highly mathematical and computational bases, to calculate probability and impact values, normally expressing risk values in monetary terms, which makes its results useful outside the context of the assessment (loss of money is understandable for any business unit). To reach a monetary result, quantitative risk assessment often makes use of these concepts:

SLE (Single Loss Expectancy): money expected to be lost if the incident occurs one time.

ARO (Annual Rate of Occurrence): how many times in a one-year interval the incident is expected to occur.

ALE (Annual Loss Expectancy): money expected to be lost in one year considering SLE and ARO (ALE = SLE * ARO). For quantitative risk assessment, this is the risk value.

By relying on factual and measurable data, quantitative risk assessment has as its main benefits the presentation of very precise results about risk value, and the maximum investment that would make risk treatment worthwhile, so that it is profitable for the organization.

The problem with quantitative assessment is that in most cases, there is no sufficient data to be analyzed, or the number of variables involved is too high, making analysis impractical.

Quantitative assessment is the most thorough method of performing a risk analysis. This also makes it the most expensive and time-consuming method – and therefore not the ideal first choice for cash-strapped or enterprises with smaller teams for risk assessment and information security. Organizations requiring legal protection against suits or disclosures, needing to satisfy stringent requirements for regulatory compliance, or having to reconcile budgets with risk analysis findings are most likely to opt for Quantitative approach.

Risk Assessment – Balanced Approach (Pragmatic Approach)

In many cases, an approach combining aspects of qualitative and quantitative analysis is used to reap the benefits of both methodologies.

A qualitative assessment is made to identify the key risks facing an organization. From this list, a high level quantitative assessments are made to determine those risks most liable to cause financial or other losses to the enterprise – and the counter-measures best suited to mitigate their effects.

Once remediation has been done, a further detailed qualitative assessment may be performed, to determine how effective the remedial efforts have been in terms of putting a monitory value for business executives.

Organizations which are in lower spectrum of cyber security maturity model; i.e. in initial, developing or defined stage, the objective of risk assessment should be to identify top 20 percent risks that expose 80 percent of the organization or business, in simpler terms, the objective should be to identify and prioritize list of risks and focus on top risks for remediation. Often at lower stages of maturity the resources available for risk assessment and remediation are few and limited, it is recommended to conduct a quantitative risk assessment to identify top risks and focus on remediation.

As the organizations mature towards managed and optimized phases in their cyber security maturity curve; they have executive mandates to optimize investments and consider cost benefit analysis for further investments in cyber-security. It is to ensure the level of protection needed by an organization or asset or process is proportional to investment made in cyber security controls. Therefore organizations need to employ more scientific and mathematical risk assessment models like qualitative risk assessment, FAIR. 

As cyber security and risk advisory practitioner, I recommend organizations and professionals to at-least get the basic risk assessment and remediation process in place with qualitative approach and then slowly and steadily mature the risk assessment and management process with information and combined methodology. I work closely with critical sector organizations and government agencies to help them identify and develop risk assessment and management process.

Feel free to contact at for any further information or assistance you or your organization may require. I will be glad to collaborate and help information security community.