Quantitative & Objective vs. Qualitative & Subjective
Many authors associate quantitative methods with objectivity and qualitative methods with subjectivity. This is a false dichotomy. Consider quantitative risk analysis (RA) first. It is objective if and only if the probabilities and utilities are objective. Suppose someone subjectively assigns a probability of zero to an outcome they regard as impossible. The value of zero was subjectively assigned, but it is a precise numerical value, not a range of values, and hence is consistent with a quantitative RA. Similarly, although qualitative RA is usually associated with subjectivity, it is fully compatible with objective estimates of probability. Suppose someone uses published actuarial data about infant mortality to determine the probability of death due to Sudden Infant Death Syndrome (SIDS). Then, in a dumbed-down speech to an audience of non-experts, the researcher declares that the probability of death due to SIDS is “low.” The probability value is objective because it is based upon facts that are independent of the opinions or beliefs of persons; in this case, facts about the frequency of infant mortality. Yet because the researcher “converted” a precise numerical value into a category (“low”) that includes a range of values, the result is consistent with a qualitative RA.
Quantitative & Numerical vs. Qualitative & Non-Numerical
Similarly, many authors associate quantitative risk analysis with numerical methods and qualitative risk analysis with non-numerical methods. This distinction is not genuine, however. Both quantitative and qualitative methodologies are numerical. That qualitative risk assessments represent probability and utility with a range of numerical values is sometimes obscured by methodologies that employ scales with seemingly non-numerical labels. For example, in information security risk management, it is quite common for qualitative risk assessments to represent the probability of an outcome as either high, medium, or low, often without any attempt to define what ranges of probability values these intervals represent! Nevertheless, in order for words like “high,” “medium,” and “low” to be used meaningfully as an interval scale for all possible probability values, they have to represent ranges of numerical values that make it possible to say that one interval (say, the “Medium” interval) is greater than another interval (“Low”).
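As an added illustration (not part of the original post), the labels below are given explicit band boundaries so that “greater than” between two labels is well defined, and a point estimate such as an actuarial frequency can be converted into a label the way the SIDS example describes. It goes one step beyond the post by combining probability and impact bands with interval arithmetic to show that the risk ranges two label pairs imply can overlap and therefore cannot always be ordered. All band boundaries and the sample point estimate are assumptions constructed for the example, not values from any published methodology.

```python
from typing import Dict, Optional, Tuple

Interval = Tuple[float, float]  # half-open band [lo, hi), top band also includes hi

# Assumed probability bands for one assessment period (constructed for this example).
PROBABILITY_BANDS: Dict[str, Interval] = {
    "Low": (0.0, 0.25),
    "Medium": (0.25, 0.5),
    "High": (0.5, 1.0),
}

# Assumed loss bands in currency units (also constructed for this example).
IMPACT_BANDS: Dict[str, Interval] = {
    "Low": (0.0, 10_000.0),
    "Medium": (10_000.0, 100_000.0),
    "High": (100_000.0, 1_000_000.0),
}


def to_band(value: float, bands: Dict[str, Interval]) -> str:
    """Convert a point estimate into a qualitative label.

    The label only carries meaning because the band it stands for is defined."""
    for label, (lo, hi) in bands.items():
        if lo <= value < hi:
            return label
    top_label, (_, top_hi) = list(bands.items())[-1]
    if value == top_hi:
        return top_label
    raise ValueError(f"{value} lies outside the defined scale")


def compare(a: Interval, b: Interval) -> Optional[bool]:
    """True if every value in a is at least every value in b, False for the
    reverse, None if the bands overlap (then the labels cannot be ordered)."""
    if a[0] >= b[1]:
        return True
    if b[0] >= a[1]:
        return False
    return None


def risk_interval(p_label: str, i_label: str) -> Interval:
    """Expected-loss range implied by a (probability, impact) label pair.

    All bounds are non-negative, so the product of the minima and of the
    maxima gives the exact interval product."""
    plo, phi = PROBABILITY_BANDS[p_label]
    ilo, ihi = IMPACT_BANDS[i_label]
    return (plo * ilo, phi * ihi)


if __name__ == "__main__":
    print(to_band(0.0004, PROBABILITY_BANDS))   # constructed point estimate -> Low
    print(compare(PROBABILITY_BANDS["High"], PROBABILITY_BANDS["Low"]))  # True
    # Medium x Medium and High x Low overlap: neither risk label is "greater".
    print(compare(risk_interval("Medium", "Medium"), risk_interval("High", "Low")))
```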
2 Comments
When you write like this, you will make the “schooled” security experts’ (those with all the education and none of the experience) heads spin around. Throw “vulnerability” into the mix and explain that they are not “risks” and their heads will explode. I look forward to parts 2 and 3.
This is a concise and well-written introduction on the subject of Risk Analysis.
Looking forward to some articles on Contingency Planning.
2 Trackbacks
[...] Lowder, J. (2008). “The Difference Between Quantitative and Qualitative Risk Analysis and Why it Matters (Part 1).” BlogInfoSec.org (link here). [...]
[...] as a risk analyst or manager, regardless of the kind of risk to be focused on and even if they use so-called “qualitative” methodologies, includes [...]