Qualitative vs. Quantitative Cybersecurity Risk Assessment: What’s the Difference?

Risk mitigation is at the heart of cybersecurity. By connecting to the Internet, implementing upgraded IT systems, or adding a new vendor to your organization, you are automatically exposing your business to some level of cyber risk. With outsourcing on the rise and a growing reliance on vendors who are processing, storing, and transmitting sensitive data, assessing and mitigating risk is becoming increasingly important.

Formulating a cybersecurity risk assessment methodology is an essential part of building a robust information security program to identify key information assets and their value to the organization. By using this data, it is then possible for management to determine whether their existing security measures are adequate and investigate its risk profile. There are two primary risk assessment methodologies: qualitative and quantitative risk assessments. But to build an effective IT security risk assessment methodology, you will need to incorporate both quantitative and qualitative approaches to paint an accurate picture of risk. Let’s take a closer look.

What is a qualitative risk assessment?

Qualitative risk assessments can be used on any or all business risks. The primary focus when using qualitative assessments is to quickly identify risks. Qualitative assessments generally use either numerical ratings (1-5) or colors (green, yellow, and red) to rank risks based on their likelihood of occurrence (frequency) and impact on the business (magnitude). Qualitative risk assessments are simple to use and can be ideal for less-mature businesses to answer questions like, “how will my team be affected by this risk?” and “how would our service levels be impacted by a loss?”

While qualitative assessments require less effort and produce faster results, they do have a couple of notable drawbacks. First, qualitative assessments are subjective. The value of the assessment will be largely dependent on the knowledge and experience of the assessment team and the various viewpoints and opinions of business stakeholders. Secondly, prioritizing threats based on a qualitative assessment can be challenging due to the lack of data needed to perform an accurate cost-benefit analysis. For example, how should a business decide which level 5 or “red” risk should be addressed first if there are several risks identified at that level?

Example of a qualitative risk assessment

One example of a qualitative risk assessment is the DREAD model. This model uses five factors–Damage, Reproducibility, Exploitability, Affected Users, and Discoverability–to analyze risks. To conduct the assessment, businesses would answer the questions below for each risk to be evaluated and provide a ranking (high, medium, or low) for each factor.

• Damage: How much are the assets affected?
• Reproducibility: How easily the attack can be reproduced?
• Exploitability: How easily the attack can be launched?
• Affected users: What’s the number of affected users?
• Discoverability: How easily the vulnerability can be found?

The rankings would then be converted into numerical scores (high = 3, medium = 2, and low = 1), and then by adding the scores together, the overall risk rating can be determined (high = cumulative scores of 12 to 15, medium = cumulative scores of 8 to 11, and low = cumulative scores of 5 to 7).

How to perform a qualitative risk assessment

A qualitative risk assessment is arguably much easier to perform than a quantitative analysis but is also less precise. This method usually involves calling a committee of delegates from various parts of the business to discuss how their teams would be affected by different risks.

Rather than asking “How much money would you lose in this situation?” a qualitative approach asks “How would the productivity of your team be affected in this situation?” For example, when assessing the risk posed to a server cluster, the assessor can ask “How would your team’s productivity be affected if they couldn’t access their web application?” Without a backup procedure in place, the answer would probably be that the team couldn’t produce anything, thus allowing the assessor to determine that the system is subjectively critical to business function.

What is a quantitative risk assessment?

Quantitative risk assessments are objective, repeatable assessments using factual data expressed in monetary terms. “Quantitative” means that risk is quantified or measured in terms of definite numbers, figures, and percentages for asset valuation and risk factors (frequency and magnitude), and are computed mathematically.

Quantitative risk assessments provide actionable results using cost-benefit analysis to easily prioritize risk mitigation processes and answer questions surrounding the financial and data impact of a cyber breach on your business. Despite the obvious advantages of quantitative risk assessments, there are also limitations. Quantitative assessments are more time- and resource-intensive, meaning that their utility can also ultimately be limited by poor or insufficient data that can render the results inconclusive or incomplete.

Example of a quantitative risk assessment

In quantitative analysis, risk components are assigned monetary values. Below is a list of variables and equations needed to conduct a quantitative risk analysis. Annualized Loss Expectancy (ALE) is one such quantitative assessment option.

Annualized Loss Expectancy (ALE)  is calculated using the Single Loss Expectancy (SLE) for an asset multiplied by the Annualized Rate of Occurrence (ARO), or ALE = SLE x ARO.

To calculate the SLE and ARO, you will also need to calculate the following values:

• Asset Value (AV): The monetary value of the asset.
• Exposure Factor (EF): The negative impact a threat would have on the asset expressed as a percentage.
• Single Loss Expectancy (SLE): The Asset Value multiplied by the Exposure Factor (AV x EF).
• Annualized Rate of Occurrence (ARO): The estimated number of times that a threat would occur in a year, characterized on an annual basis.

So, for an asset with an AV of $10,000 and an EF of 10%, the SLE would be $1,000. If the ARO for a particular threat to that asset is 5, then the ALE for this threat would be $5,000.

How to perform a quantitative risk assessment

To get started with a quantitative risk analysis, an assessment team must first identify key assets to the business. This IT security risk assessment methodology includes factors such as IT equipment, data processing systems, and facilities, along with less-obvious assets like employees, mobile devices, and the data itself which resides on the system.

Once all key assets are identified, calculate the value of each in dollars. This may be difficult to do for ambiguous or volatile assets, but it doesn’t have to be a perfect science; estimates are fine. For each risk, determine which asset(s) it would affect and how much of that asset would be lost or compromised as a percentage. Then simply take the loss percentage multiplied by the value of the asset to obtain a dollar amount of loss for that specific risk.

Qualitative vs quantitative risk assessments: Why your business needs both

Both quantitative and qualitative risk assessments are needed for a well-rounded view of the risk management process. The reason is that effectively managing risk requires not only understanding impact but creating a framework that sets the acceptable level of risk to enable functioning business operations.

In qualitative risk assessment, there is no statistical, numerical, or measurement dependence, so it can be done quickly and easily. Additionally, it is beneficial if employees have experience with the assets and processes; however, they may also have a bias when determining probability and effect. Performing qualitative risk analysis is quick, but it is subjective.

In contrast, quantitative risk analysis is objective and provides more detail and actionable results, but is also more time-consuming and complex. The data required for quantitative analysis is difficult to gather and can be prohibitively expensive.

Considering the information presented about both risk assessment methodologies, there isn’t a clear “winner.” Both types of assessment can provide value depending on the desired outcome, availability of resources, and the situation’s urgency. For most businesses, using a combination of quantitative and qualitative risk assessments is generally the most beneficial option.

How SecurityScorecard can support your risk assessment and mitigation processes

While the business does need a black-and-white view of financial impacts and quantities of data lost, it also needs to understand the subjective effects of risk and how they may hinder production or tarnish the company’s reputation. When building your risk assessment program, consider leveraging both quantitative and qualitative risk assessments with the help of SecurityScorecard.

SecurityScorecard’s Cyber Risk Quantification allows your business to create quantitative, real-time, dynamic risk assessments that can be used to manage the security risk facing your organization and its supply chain. Our platform also provides customized remediation plans to create actionable goals based on your risk assessment results. With real-time, continuous monitoring, your business can rest assured knowing that new vulnerabilities, risks, and threats are being mitigated as soon as they are identified. Sign up for a free trial today to start using cyber risk quantification to drive risk management strategies for your business.