As we saw in part 2 of this series, some of the traditional arguments used for distinguishing between quantitative and qualitative risk analysis (RA) are based upon dubious assumptions. Many writers assume that “quantitative” equals objective and numerical, while “qualitative” equals subjective and non-numerical. This is incorrect, however. Both quantitative and qualitative RA are compatible with objective and subjective approaches. Additionally, both types of RA must be numerical in order to be meaningful. So if the quantitative-qualitative distinction isn’t significant because one is objective and numerical while the other is subjective and non-numerical, then why does the distinction matter?
Reason #1: Rare But Catastrophic Threats
The expected value for events in general trends towards medium. High impact, low probability events end up having roughly the same expected utility (risk) as low impact, high probability events. This phenomenon affects both qualitative and quantitative RA. To see why, let’s examine a quantitative RA example first. Consider an ALE approach to comparing two risks. From an ALE perspective, a risk that involves a $5,000,000 loss expected once every 100 years is equivalent to a $50,000 loss expected once a year. As for qualitative RA, imagine a simple 3×3 risk matrix. The majority of the cells will fall into the middle category, 1 corner will fall into the lowest interval, and another corner will fall into the highest interval. In both the quantitative and qualitative examples just given, it is unclear, on the basis of RA, how to prioritize risks competing for the same limited security investment.
Nevertheless, it seems quite likely that this problem is more of a problem for qualitative RA than it is for quantitative RA, simply because qualitative RA tends to aggregate things into a very small number of categories, whereas it is unlikely that the expected utility (risk) of two different outcomes, as measured quantitatively, will be precisely equal. In other words, one reason the distinction between quantitative vs. qualitative RA matters is because, in some situations, quantitative RA makes it easier to prioritize risks.