Disclaimer: The opinions of the columnists are their own and not necessarily those of their employer.
Jeff Lowder

The Difference between Quantitative and Qualitative Risk Analysis and Why It Matters (Part 1)

There are two fundamental types of risk analyses: quantitative and qualitative. Each method has pros and cons, and there is significant controversy over which approach is superior. In what is perhaps an indicator of the controversy surrounding this issue, even the definitions of the two approaches are somewhat controversial. I have attempted to offer as neutral a definition of these approaches as possible.

Many authors make the distinction between the two types of risk analyses very complicated, but the difference is really very simple. Quantitative Risk Analyses assign fixed numerical values (within a margin of error) to both the probability and utility (business impact) of an outcome; Qualitative Risk Analyses don’t. Instead, they represent both the probability and utility of an outcome using an interval scale, where each interval includes a range of numerical values (beyond the margin of error) and each interval is typically represented by a non-numerical label (such as the words “High”, “Medium”, “Low”), not the ranges of values those labels represent.

While we may draw a distinction between quantitative and qualitative RA (and in fact most security professionals do), I believe that we would be hard pressed to defend its significance, for the reasons usually given. In virtually every discussion of information security RA that I have seen, other writers assume that quantitative RA is objective and numerical while qualitative RA is subjective and non-numerical. As I argue below, however, this common view is mistaken. Both types of RA are numerical and both types are compatible with objective and non-objective estimates of probability. Moreover, within the scope of a single RA project, different methods can be used for different risks. The distinction between quantitative and qualitative RA is significant, but not due to the reasons that are typically offered.
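As an added illustration (not part of the column), the following Python puts the two representations side by side: a quantitative estimate is a number with a margin of error, while a qualitative label is a name for an interval of numbers, and one risk register can carry entries of both kinds. The band cut-offs, the rank-product combination rule and the sample figures are constructed assumptions, not values from the article.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class PointEstimate:
    """Quantitative input: a fixed number plus its +/- margin of error."""
    value: float
    margin: float

# Qualitative scale: ordered intervals, each wider than any margin of error,
# with a non-numerical label standing in for the whole range.
# Constructed cut-offs for this example; the article gives none.
PROBABILITY_BANDS = [("Low", 0.0, 0.1), ("Medium", 0.1, 0.5), ("High", 0.5, 1.0)]
IMPACT_BANDS = [("Low", 0.0, 1e4), ("Medium", 1e4, 1e5), ("High", 1e5, float("inf"))]
RANK = {"Low": 1, "Medium": 2, "High": 3}

def to_label(value, bands):
    """Place a number on an interval scale and return that interval's label."""
    for label, lo, hi in bands:
        if lo <= value < hi or (value == hi and (label, lo, hi) == bands[-1]):
            return label
    raise ValueError(f"{value} is outside the scale")

def interval_for(label, bands):
    """The numeric range a label stands for: the label is still a number."""
    return next((lo, hi) for name, lo, hi in bands if name == label)

def quantitative_risk(p: PointEstimate, u: PointEstimate):
    """Expected loss (probability x impact) with both margins propagated."""
    best = p.value * u.value
    low = (p.value - p.margin) * (u.value - u.margin)
    high = (p.value + p.margin) * (u.value + u.margin)
    return best, low, high

def qualitative_risk(probability, impact):
    """Rate a risk on the label scale; the rank product is a constructed rule."""
    score = RANK[to_label(probability, PROBABILITY_BANDS)] * RANK[to_label(impact, IMPACT_BANDS)]
    return "High" if score >= 6 else "Medium" if score >= 3 else "Low"

def assess(register):
    """One project, two methods: each (name, method, prob, impact) entry is
    assessed with the method it names, as the column says is possible."""
    report = {}
    for name, method, prob, impact in register:
        if method == "quantitative":
            best, low, high = quantitative_risk(prob, impact)
            report[name] = f"{best:.0f} (range {low:.0f}-{high:.0f})"
        else:
            report[name] = qualitative_risk(prob, impact)
    return report
```

Note that probabilities of 0.11 and 0.49 both land on "Medium": the label discards everything inside the interval, which is the information loss the distinction actually turns on.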


2 Comments

  1. Jens Sep 4, 2008 at 12:19 pm

    When you write like this, you will make the “schooled” security experts’ (those with all the education and none of the experience) heads spin around. Throw “vulnerability” into the mix and explain that they are not “risks” and their heads will explode. I look forward to parts 2 and 3.

  2. PM Hut Nov 20, 2008 at 3:34 pm

    This is a concise and well-written introduction on the subject of Risk Analysis.

    Looking forward to some articles on Contingency Planning.

One Trackback

  1. [...] Lowder, J. (2008). “The Difference Between Quantitative and Qualitative Risk Analysis and Why it Matters (Part 1).” BlogInfoSec.org (link here). [...]
