Disclaimer: The opinions of the columnists are their own and not necessarily those of their employer.
Jeff Lowder

The Difference between Quantitative and Qualitative Risk Analysis and Why It Matters (Part 1)

Many discussions of security risk analysis methodologies mention a distinction between quantitative and qualitative risk analysis, but virtually none of those discussions clarify the distinction in a rigorous way. The purpose of this 3-part series is to clarify that distinction and then show why it matters.

Definition of Terms

Risk Analysis (RA) is the identification and estimation of risks. Risk identification is the process whereby one identifies the sources of risk. (In an information security risk analysis, risk identification is the identification of hazards.) Risk estimation is the process whereby one estimates the probability and utility of prospective risks. In an information security risk analysis, the probabilities of threats are often measured conditionally, that is, conditional upon the vulnerabilities present in the asset.

In other words, risk analysis answers three questions:

(1) What can happen? (In information security risk analysis, this could be reworded as, “What can go wrong?”, since information security risks are usually associated with negative outcomes.)
(2) How likely is it?
(3) What are the consequences? (Again, since information security only recognizes risks with negative outcomes, this question could be reworded as, “How bad could it be?”)

In addition to the above standard three questions, Steven Long has convinced me that a fourth question should be added to the list:

(4) How much uncertainty is present in the analysis? (In other words, how reliable are the answers to questions 1-3?)
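The four questions can be made concrete in a small risk-estimation model. The following is an added illustration, not code from the column: each scenario answers question 1, its success probability is conditioned on whether the vulnerability is present (question 2), its loss range answers question 3, and a seeded Monte Carlo run over the loss ranges gives a spread that answers question 4. All scenario values are constructed for the example.

```python
import random
from dataclasses import dataclass
from statistics import mean, quantiles


@dataclass
class Scenario:
    """One answer to question 1 ("what can go wrong?") plus its estimates."""
    name: str
    p_threat: float        # annual probability the threat is attempted
    p_given_vuln: float    # P(success | vulnerability present)
    p_given_fixed: float   # P(success | vulnerability absent)
    vulnerable: bool       # current state of the asset
    loss_low: float        # question 3: plausible loss range (currency units)
    loss_high: float

    def p_success(self) -> float:
        """Question 2: probability of a loss event, conditional on asset state."""
        p_cond = self.p_given_vuln if self.vulnerable else self.p_given_fixed
        return self.p_threat * p_cond

    def expected_loss(self) -> float:
        """Point estimate: probability times midpoint of the loss range."""
        return self.p_success() * (self.loss_low + self.loss_high) / 2


def simulate(scenarios, trials: int = 10000, seed: int = 1) -> dict:
    """Question 4: how uncertain is the estimate? Monte Carlo over loss ranges."""
    rng = random.Random(seed)
    totals = []
    for _ in range(trials):
        total = 0.0
        for s in scenarios:
            if rng.random() < s.p_success():          # does the event occur this year?
                total += rng.uniform(s.loss_low, s.loss_high)
        totals.append(total)
    q = quantiles(totals, n=20)                       # 5th .. 95th percentiles
    return {"mean": mean(totals), "p5": q[0], "p95": q[-1]}


# Constructed sample register (hypothetical values, not from the column).
REGISTER = [
    Scenario("Web app SQL injection", 0.5, 0.4, 0.02, True, 10_000, 50_000),
    Scenario("Lost unencrypted laptop", 0.3, 0.5, 0.05, False, 100_000, 300_000),
]

if __name__ == "__main__":
    for s in REGISTER:
        print(f"{s.name}: P={s.p_success():.3f} expected loss={s.expected_loss():,.0f}")
    print(simulate(REGISTER))
```

The gap between the point estimate (the sum of expected losses) and the 5th/95th percentile spread is the answer to question 4: a wide spread means the first three answers are not very reliable.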


  1. Jens Sep 4, 2008 at 12:19 pm

    When you write like this, you will make the “schooled” security experts’ (those with all the education and none of the experience) head spin around. Throw “vulnerability” into the mix and explain that they are not “risks” and their heads will explode. I look forward to parts 2 and 3.

  2. PM Hut Nov 20, 2008 at 3:34 pm

    This is a concise and well-written introduction on the subject of Risk Analysis.

    Looking forward to some articles on Contingency Planning.

2 Trackbacks

  1. [...] Lowder, J. (2008). “The Difference Between Quantitative and Qualitative Risk Analysis and Why it Matters (Part 1).” BlogInfoSec.org (link here). [...]

  2. [...] as a risk analyst or manager, regardless of the kind of risk to be focused on and even if they use so-called “qualitative” methodologies, includes [...]
