What are Qualitative and Quantitative Risk Assessment?
Risk assessment takes considerable thought and dedicated resources. There are two broad approaches to it: qualitative and quantitative risk assessment. The qualitative approach rates the likelihood and impact of each threat on a descriptive scale, drawing on experience, expert opinion and logical inference. The quantitative approach instead assigns numbers to risk, computed from a set of measured or estimated parameters.
What is Qualitative Risk Assessment?
Qualitative risk assessment is the process of rating risks on a descriptive scale such as high, medium and low. It does not use mathematical formulas, as quantitative risk assessment does. Risks can also be ranked in order of priority. The rating assigned is based on experience, real-world scenarios, expert opinion and logical conclusions. The rating decides how much attention management needs to give a risk and how it should be treated. It also helps to identify the high-risk areas of information security, separate them from the rest and apply appropriate countermeasures to them. One caveat: such ratings are ordinal, not arithmetic. A "high" is not twice a "medium", so qualitative ratings should be used to rank and prioritise risks, not added or multiplied as though they were measurements.
What is Quantitative Risk Assessment?
Quantitative risk assessment assigns (dollar) values to risk, with those values derived by calculation. There are several ways to do this. One is to assign numerical values to Confidentiality, Integrity, Availability and Likelihood. An impact value is then computed from the three CIA impact ratings, for example by adding or multiplying them. The risk value is the product of Likelihood and Impact. The final step is to map the risk value to a dollar amount by applying a constant factor. Note that adding and multiplying give very different ranges (on a 1-5 scale, 3 to 15 when summed but 1 to 125 when multiplied), so the dollar factor must be calibrated for whichever formula is chosen and that formula must be used consistently across all assets. Once a dollar figure has been produced, it should be sanity-checked against reality: seek the judgement of several experts and see whether they agree with the figure. Significant disagreement is a signal that the initial CIA or likelihood values should be re-evaluated.
The dollar value of a risk should depend on two factors: the loss from a single occurrence of the event and the probability of it occurring in a year (in standard terminology the single loss expectancy, SLE, and the annualized rate of occurrence, ARO; their product is the annualized loss expectancy, ALE). The loss a risk could produce in a single occurrence is usually estimated from the past experience of similar organizations or from the trend within the same organization, by taking the mean of all damage values in dollars. The probability can be calculated from the number of cases in the previous year, adjusted for an assumed increase or decrease in the trend. Putting the risk in dollar terms helps to convince management to implement appropriate controls and gives the organization a decision rule: if the annual cost of a countermeasure is less than the annual dollar value of the risk it removes, it is worth spending. An organization can live with a certain level of risk, and in some cases appropriate controls reduce the risk to a lower value that can then be accepted.
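Both calculation routes described above (the CIA-score route and the per-occurrence loss times yearly probability route), carried through as an added Python example. This is not code from the original article; the 1-5 rating scale, the $2,500-per-point dollar factor, the 25% expert-disagreement threshold and all incident figures are constructed assumptions used only for illustration.

```python
"""Worked quantitative risk assessment (added example, not from the article).

Two calculation routes:
  1. CIA-score route: rate Confidentiality, Integrity, Availability and
     Likelihood on a small scale, combine them into a risk score and map the
     score to dollars with a constant factor, then sanity-check the figure
     against independent expert estimates.
  2. Annualized-loss route: estimate the loss per incident (SLE) from past
     losses and the yearly rate of occurrence (ARO) from last year's count and
     a trend factor, then compare the yearly loss (ALE) with a control's cost.

All scales, factors and sample figures below are assumptions.
"""
from __future__ import annotations

from statistics import mean

SCALE_MIN, SCALE_MAX = 1, 5  # assumed rating scale for CIA and likelihood


def impact_score(confidentiality: int, integrity: int, availability: int,
                 combine: str = "sum") -> int:
    """Combine the three CIA impact ratings into one impact value.

    Addition or multiplication may be used, but the choice changes the range
    (3-15 summed vs 1-125 multiplied on a 1-5 scale), so the dollar factor
    applied later must be calibrated for the same choice.
    """
    for rating in (confidentiality, integrity, availability):
        if not SCALE_MIN <= rating <= SCALE_MAX:
            raise ValueError(f"ratings must be within {SCALE_MIN}-{SCALE_MAX}")
    if combine == "sum":
        return confidentiality + integrity + availability
    if combine == "product":
        return confidentiality * integrity * availability
    raise ValueError("combine must be 'sum' or 'product'")


def risk_score(likelihood: int, impact: int) -> int:
    """Risk = Likelihood x Impact."""
    if not SCALE_MIN <= likelihood <= SCALE_MAX:
        raise ValueError(f"likelihood must be within {SCALE_MIN}-{SCALE_MAX}")
    return likelihood * impact


def risk_in_dollars(score: int, dollars_per_point: float) -> float:
    """Map a unitless risk score to money with an assumed constant factor."""
    return score * dollars_per_point


def needs_reevaluation(expert_estimates: list[float], tolerance: float = 0.25) -> bool:
    """Sanity check: if independent expert estimates of the dollar figure spread
    by more than `tolerance` of their mean, revisit the CIA/likelihood inputs.
    The 25% threshold is an assumption."""
    avg = mean(expert_estimates)
    spread = (max(expert_estimates) - min(expert_estimates)) / avg
    return spread > tolerance


def single_loss_expectancy(past_losses_usd: list[float]) -> float:
    """SLE: mean dollar loss per occurrence, taken from historical incidents."""
    return mean(past_losses_usd)


def annual_rate_of_occurrence(incidents_last_year: int, trend_factor: float = 1.0) -> float:
    """ARO: last year's incident count scaled by an assumed trend (1.5 = 50% rise)."""
    return incidents_last_year * trend_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO: expected yearly loss from the risk."""
    return sle * aro


def control_net_benefit(ale_before: float, ale_after: float, annual_control_cost: float) -> float:
    """Positive when the yearly risk reduction exceeds the control's yearly cost."""
    return (ale_before - ale_after) - annual_control_cost


def worked_example() -> dict:
    """Run both routes on constructed figures for a hypothetical customer database."""
    impact = impact_score(confidentiality=5, integrity=3, availability=2)
    score = risk_score(likelihood=4, impact=impact)
    dollars = risk_in_dollars(score, dollars_per_point=2_500.0)
    # Three constructed expert estimates that broadly agree with the figure.
    revisit = needs_reevaluation([dollars, 95_000.0, 110_000.0])

    # Constructed incident history: three past incidents, two of them last year,
    # with the trend assumed to be rising by 50%.
    sle = single_loss_expectancy([120_000.0, 80_000.0, 100_000.0])
    aro = annual_rate_of_occurrence(incidents_last_year=2, trend_factor=1.5)
    ale_before = annualized_loss_expectancy(sle, aro)
    # A control that leaves the loss per incident unchanged but cuts the rate
    # to one incident every two years, at an assumed cost of $100k per year.
    ale_after = annualized_loss_expectancy(sle, 0.5)
    benefit = control_net_benefit(ale_before, ale_after, annual_control_cost=100_000.0)
    return {"impact": impact, "score": score, "dollars": dollars, "revisit": revisit,
            "sle": sle, "aro": aro, "ale_before": ale_before, "ale_after": ale_after,
            "control_net_benefit": benefit}


if __name__ == "__main__":
    for key, value in worked_example().items():
        print(f"{key}: {value}")
```

The control in the example is worth buying because it removes $250,000 of expected yearly loss for $100,000 a year; the residual $50,000 ALE is what the organization then decides to accept. The comparison is between the control's cost and the reduction in ALE it buys, not the whole ALE, since few controls eliminate a risk entirely.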
In conclusion, both approaches give management the criteria to assess risks and decide how to treat them.