Many discussions of security risk analysis methodologies mention a distinction between quantitative and qualitative risk analysis, but virtually none of those discussions clarify the distinction in a rigorous way. The purpose of this 3-part series is to clarify that distinction and then show why it matters.
Definition of Terms
Risk Analysis (RA) is the identification and estimation of risks. Risk identification is the process whereby one identifies the sources of risk. (In an information security risk analysis, risk identification is the identification of hazards.) Risk estimation is the process whereby one estimates the probability and utility of prospective risks. In an information security risk analysis, the probabilities of threats are often measured conditionally, that is, conditional upon the vulnerabilities present in the asset.
In other words, risk analysis answers three questions:
(1) What can happen? (In information security risk analysis, this could be reworded as, “What can go wrong?”, since information security risks are usually associated with negative outcomes.)
(2) How likely is it?
(3) What are the consequences? (Again, since information security only recognizes risks with negative outcomes, this question could be reworded as, “How bad could it be?”)
In addition to the above standard three questions, Steven Long has convinced me that a fourth question should be added to the list:
(4) How much uncertainty is present in the analysis? (In other words, how reliable are the answers to questions 1-3?)
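As an added illustration, not part of the original post: the four questions carried through a small quantitative model in Python. The scenarios, probabilities and loss figures are constructed, loss stands in for the (negative) utility in the definition above, and an interval stands in for the analyst's uncertainty about each estimate so that question 4 gets an explicit answer rather than being left implicit.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Interval:
    """A [low, high] range standing in for the analyst's uncertainty about one estimate."""
    low: float
    high: float

    def __post_init__(self) -> None:
        if self.low < 0 or self.low > self.high:
            raise ValueError(f"invalid interval [{self.low}, {self.high}]")

    def __mul__(self, other: "Interval") -> "Interval":
        # Bound propagation; valid because every quantity here is non-negative.
        return Interval(self.low * other.low, self.high * other.high)

    def midpoint(self) -> float:
        return (self.low + self.high) / 2

@dataclass(frozen=True)
class Risk:
    scenario: str                  # Q1: what can go wrong
    p_vulnerable: Interval         # probability that the asset carries the vulnerability
    p_threat_given_vuln: Interval  # Q2: yearly likelihood, conditional on the vulnerability
    loss: Interval                 # Q3: consequence (negative utility), in currency units

    def annual_likelihood(self) -> Interval:
        # The conditional form from the text: P(vulnerable) * P(threat | vulnerable)
        return self.p_vulnerable * self.p_threat_given_vuln

    def expected_loss(self) -> Interval:
        return self.annual_likelihood() * self.loss

    def uncertainty(self) -> float:
        # Q4: width of the expected-loss range relative to its midpoint
        e = self.expected_loss()
        return (e.high - e.low) / e.midpoint() if e.midpoint() else 0.0

def prioritize(risks: list, max_uncertainty: float = 1.0) -> list:
    """Rank by midpoint expected loss; flag entries whose Q4 answer makes the ranking unreliable."""
    ranked = sorted(risks, key=lambda r: r.expected_loss().midpoint(), reverse=True)
    return [(r.scenario, r.expected_loss().midpoint(), r.uncertainty() <= max_uncertainty)
            for r in ranked]

# Constructed sample risks: hypothetical figures, not measurements.
RISKS = [
    Risk("SQL injection in customer portal", Interval(0.6, 0.9), Interval(0.1, 0.3), Interval(50_000, 200_000)),
    Risk("Lost unencrypted laptop", Interval(1.0, 1.0), Interval(0.05, 0.08), Interval(20_000, 30_000)),
]
```

Calling `prioritize(RISKS)` ranks the injection scenario first by expected loss but flags it as too uncertain to act on, while the laptop scenario, smaller but tightly bounded, is marked reliable.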