
The ISO 27001 & ISO 22301 Blog

Rhand Leal

Qualitative vs. quantitative risk assessments in information security: Differences and similarities

In the risk assessment process, one common question asked by organizations is whether to go with a quantitative or a qualitative approach. The good news is that by using both approaches you can, in fact, improve your process efficiency towards achieving desired security levels.

This article will present the concepts of qualitative and quantitative assessments, their similarities and differences, and how both of them can be used in ISO 27001 to perform effective and efficient information security risk assessments.

Qualitative risk assessment

In qualitative risk assessment, the focus is on interested parties’ perceptions of the probability of a risk occurring and of its impact on relevant organizational aspects (e.g., financial, reputational, etc.). These perceptions are expressed on scales such as “low – medium – high” or “1 – 2 – 3,” which are then combined to define the risk’s final value.

Since it has little mathematical dependency (risk may be defined through a simple sum, a multiplication, or another simple combination of the probability and impact values), qualitative risk assessment is easy and quick to perform, allowing an organization to take advantage of a user’s experience with and knowledge of the process/asset being assessed. See below an example of a table used for qualitative risk assessment:

[Image: example table for qualitative risk assessment]

One problem with qualitative assessment is that it is highly biased, both in terms of probability and impact definition, by those who perform it.

For example, for HR people, HR impacts will be more relevant than Quality impacts, and vice versa. Regarding bias in probability, a lack of understanding of the timeframes of other processes may lead someone to think that errors and failures occur more often in their own process than in others, which may not be true.

This bias generally makes a qualitative assessment useful only in the local context where it is performed, because people outside that context will probably disagree about how impact values are defined.

Quantitative risk assessment

On the other hand, quantitative risk assessment focuses on factual and measurable data, and on mathematical and computational methods, to calculate probability and impact values. It normally expresses risk values in monetary terms, which makes its results useful outside the context of the assessment (a loss of money is understandable for any business unit). To reach a monetary result, quantitative risk assessment often makes use of these concepts:

SLE (Single Loss Expectancy): money expected to be lost if the incident occurs one time.

ARO (Annual Rate of Occurrence): how many times in a one-year interval the incident is expected to occur.

ALE (Annual Loss Expectancy): money expected to be lost in one year considering SLE and ARO (ALE = SLE * ARO). For quantitative risk assessment, this is the risk value.

By relying on factual and measurable data, quantitative risk assessment has as its main benefits very precise results for the risk value and for the maximum investment that would make risk treatment worthwhile, i.e., profitable for the organization. Below is an example of how risk values are calculated through quantitative risk assessment:

Database value: USD 2.5 million (SLE)

Manufacturer statistics indicate that a catastrophic database failure (due to software or hardware) occurs once every 10 years (ARO = 1/10 = 0.1)

ALE = 2.5 * 0.1 = USD 250K

That is, in this case the organization carries an annual risk of USD 250K from the loss of its database. So, any implemented control (e.g., backup, patch management, etc.) that costs less than this value per year would be profitable.

The problem with quantitative assessment is that in most cases there is not sufficient data to analyze, or the number of variables involved is too high, making the analysis impractical.

Combining approaches

As you may notice, qualitative and quantitative assessments have specific characteristics that make each one better for a specific risk assessment scenario, but in the big picture, combining both approaches can prove to be the best alternative for a risk assessment process.

By using the qualitative approach first, you can quickly identify most of the risks to normal operating conditions. People’s concerns about their own jobs can then serve as a quick reference for evaluating whether these risks are relevant or not.

After that, you can use the quantitative approach on the relevant risks, to obtain more detailed information for decision making.

A general example would be a medical appointment. The doctor first asks a few simple questions and, from the patient’s answers, decides which more detailed exams to perform, instead of trying every exam he knows from the start.
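The following is an added example, not code from the article or from Advisera, that puts the two stages described above into one script: a qualitative triage on the article’s 1 – 2 – 3 scales to rank and filter risks, followed by the SLE / ARO / ALE calculation and a control cost-benefit check only for the risks that survive the triage. The database entry reuses the article’s own figures (USD 2.5 million, one failure per 10 years); every other risk name, scale value, control and dollar amount is constructed sample data, and the relevance threshold and the treatment of a control as reducing the exposure factor and/or the ARO are assumptions of this example.

```python
"""Two-stage risk assessment: qualitative triage first, then quantitative
(SLE / ARO / ALE) analysis of the risks that survive triage.

Added example, not code from the article or from Advisera. All risk names,
scale values and dollar figures are constructed sample data.
"""
from dataclasses import dataclass
from typing import Optional

# Qualitative scale from the article ("low - medium - high" mapped to 1 - 2 - 3).
SCALE = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Control:
    name: str
    annual_cost: float            # USD per year to operate the control
    exposure_factor_after: float  # fraction of asset value still lost per incident
    aro_after: float              # expected incidents per year with the control in place


@dataclass
class Risk:
    name: str
    probability: str              # "low" | "medium" | "high"  (qualitative stage)
    impact: str                   # "low" | "medium" | "high"  (qualitative stage)
    asset_value: float = 0.0      # USD (quantitative stage)
    exposure_factor: float = 1.0  # fraction of asset value lost per incident
    aro: float = 0.0              # Annual Rate of Occurrence
    control: Optional[Control] = None


def qualitative_score(risk: Risk) -> int:
    """Combine probability and impact multiplicatively on the 1-3 scales (range 1..9)."""
    return SCALE[risk.probability] * SCALE[risk.impact]


def rank_qualitatively(risks: list) -> list:
    """Order risks from highest to lowest qualitative score (stable for ties)."""
    return sorted(risks, key=qualitative_score, reverse=True)


def single_loss_expectancy(risk: Risk) -> float:
    """SLE: money lost if the incident occurs once."""
    return risk.asset_value * risk.exposure_factor


def annual_loss_expectancy(risk: Risk) -> float:
    """ALE = SLE * ARO: the quantitative risk value."""
    return single_loss_expectancy(risk) * risk.aro


def residual_ale(risk: Risk) -> float:
    """ALE that remains after the proposed control is applied (unchanged if none)."""
    if risk.control is None:
        return annual_loss_expectancy(risk)
    c = risk.control
    return risk.asset_value * c.exposure_factor_after * c.aro_after


def control_net_benefit(risk: Risk) -> Optional[float]:
    """ALE reduction minus the control's annual cost; positive means it pays for itself."""
    if risk.control is None:
        return None
    return (annual_loss_expectancy(risk) - residual_ale(risk)) - risk.control.annual_cost


def assess(risks: list, threshold: int = 4) -> list:
    """Stage 1: qualitative triage; stage 2: quantitative figures for relevant risks only."""
    results = []
    for r in rank_qualitatively(risks):
        score = qualitative_score(r)
        if score < threshold:
            continue  # not relevant enough to justify the effort of quantitative analysis
        benefit = control_net_benefit(r)
        results.append({
            "name": r.name,
            "score": score,
            "sle": round(single_loss_expectancy(r), 2),
            "ale": round(annual_loss_expectancy(r), 2),
            "control_net_benefit": None if benefit is None else round(benefit, 2),
            "control_worthwhile": benefit is not None and benefit > 0,
        })
    return results


# Constructed sample register (assumed values). The database entry mirrors the
# article's figures: USD 2.5 million at risk, one catastrophic failure per 10 years.
SAMPLE_RISKS = [
    Risk("Database catastrophic failure", "medium", "high",
         asset_value=2_500_000, exposure_factor=1.0, aro=0.1,
         control=Control("Offsite backups", annual_cost=40_000,
                         exposure_factor_after=0.04, aro_after=0.1)),
    Risk("Credential theft via phishing", "high", "medium",
         asset_value=800_000, exposure_factor=0.25, aro=2.0,
         control=Control("MFA rollout", annual_cost=30_000,
                         exposure_factor_after=0.25, aro_after=0.2)),
    Risk("Website defacement", "medium", "medium",
         asset_value=50_000, exposure_factor=0.5, aro=0.5,
         control=Control("Managed WAF", annual_cost=20_000,
                         exposure_factor_after=0.5, aro_after=0.1)),
    Risk("Office printer outage", "medium", "low"),  # dropped at stage 1
]

if __name__ == "__main__":
    for row in assess(SAMPLE_RISKS):
        print(row)
```

Running the script reproduces the article’s ALE of USD 250K for the database risk and shows the kind of decision the combined approach supports: the backup and MFA controls cost less than the ALE they remove and so pay for themselves, while the WAF in this constructed data costs more than the ALE it eliminates and would not be worthwhile on purely monetary grounds. The printer outage never reaches the quantitative stage, which is the time saving the qualitative triage is meant to buy.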

Adapt your approach to optimize your effort and results

Risk assessment is one of the most critical parts of risk management, and also one of the most complex – affected by human, technical, and administrative issues. If not done properly, it could compromise all efforts to implement an ISO 27001 Information Security Management System, which makes organizations think about whether to perform qualitative or quantitative assessments. But, you do not need to rely on a single approach, because ISO 27001 allows both qualitative and quantitative risk assessment to be performed.

If your company needs quick and easy risk assessment, you can go with qualitative assessment (and this is what 99% of the companies do). However, if you need to make some really big investment that is critical for security, perhaps it makes sense to invest time and money into quantitative risk assessment.

In short, by adopting a combined approach considering the information and time response needed, and data and knowledge available, you can enhance the effectiveness and efficiency of the ISO 27001 information security risk assessment process, and also conform to the standard’s requirements.

To learn more about risk assessment, register for this free webinar:  The basics of risk assessment and treatment according to ISO 27001.


2 responses to “Qualitative vs. quantitative risk assessments in information security: Differences and similarities”

  1. Gary says:

    One thing you didn’t mention about the qualitative approach is that it can be very useful to rank risks relative to each other, forming a natural sequence or priorities for addressing them. This can extend to other kinds of risk too, for example comparing information risks relative to health and safety, currency, environmental or political risks. It’s also an excellent tool for getting people (especially managers and professionals) discussing and understanding risks.

    Personally, I much prefer continuous scales for probability and impact, rather than the dreaded high/medium/low grids. See for example. When risks are presented in grids, the discussion often gets bogged down with boundary cases and inane arguments about whether they should be above or below the line … whereas in reality ‘near the line’ would be good enough, and would leave more time for more important matters, such as “What are we going to do about those nasties in the red zone?” and “Which of those orange-zone risks are likely to go red unless we do something about them?”

  2. MFarah says:

    I think it is also difficult to evaluate intangible assets such as a Database!
