An analogy should make this point clear. Most people use expressions like “It is hot today” or “It is cold outside” without knowing the exact numerical temperature. Even so, they are comfortable comparing temperatures (“It sure is a lot warmer outside today than it was yesterday”). Temperature is nevertheless a numerical value, even when the person using interval labels like “freezing” or “blazing hot” doesn’t know the current temperature and may not even know the exact ranges those labels represent! Along the same lines, qualitative risk analyses (RAs) are numerical, even if their numerical nature is obscured in practice: each qualitative label stands in for a range of values, and comparing two labels is comparing two ranges.
(to be continued in parts 2 and 3)

2 Comments
When you write like this, you will make the “schooled” security experts’ (those with all the education and none of the experience) heads spin around. Throw “vulnerability” into the mix and explain that they are not “risks” and their heads will explode. I look forward to parts 2 and 3.
This is a concise and well-written introduction on the subject of Risk Analysis.
Looking forward to some articles on Contingency Planning.
2 Trackbacks
[...] Lowder, J. (2008). “The Difference Between Quantitative and Qualitative Risk Analysis and Why it Matters (Part 1).” BlogInfoSec.org (link here). [...]