
    ISO 27001 & ISO 22301 Blog

    Qualitative vs. quantitative risk assessments in information security: Differences and similarities

    In the risk assessment process, one common question asked by organizations is whether to go with a quantitative or a qualitative approach. The good news is that by using both approaches you can, in fact, improve your process efficiency towards achieving desired security levels.

    This article will present the concepts of qualitative and quantitative assessments, their similarities and differences, and how both of them can be used in ISO 27001 to perform effective and efficient information security risk assessments.

    Qualitative risk assessment

    In qualitative risk assessment, the focus is on interested parties’ perceptions of the probability of a risk occurring and of its impact on relevant organizational aspects (e.g., financial, reputational, etc.). These perceptions are represented on scales such as “low – medium – high” or “1 – 2 – 3,” which are used to define the risk’s final value.

    Since it has little mathematical dependency (risk may be defined through a simple sum, multiplication, or another simple combination of the probability and impact values), qualitative risk assessment is easy and quick to perform, and it allows an organization to take advantage of a user’s experience with and knowledge of the process/asset being assessed. Below is an example of a table used for qualitative risk assessment:

    Qualitative risk assessment table

    One problem with qualitative assessment is that it is highly biased, both in terms of probability and impact definition, by those who perform it.

    For example, for HR people, HR impacts will be more relevant than Quality impacts, and vice versa. Regarding a bias in probability, a lack of understanding of the timeframes of other processes may lead someone to think errors and failures occur more often in his own process than in the others, and this may not be true.

    This bias generally makes a qualitative assessment useful only in the local context where it is performed, because people outside that context will probably disagree with its impact value definitions.

    Quantitative risk assessment

    Quantitative risk assessment, on the other hand, focuses on factual and measurable data and on mathematical and computational methods to calculate probability and impact values. It normally expresses risk values in monetary terms, which makes its results useful outside the context of the assessment (loss of money is understandable for any business unit). To reach a monetary result, quantitative risk assessment often makes use of these concepts:

    SLE (Single Loss Expectancy): money expected to be lost if the incident occurs one time.

    ARO (Annual Rate of Occurrence): how many times in a one-year interval the incident is expected to occur.

    ALE (Annual Loss Expectancy): money expected to be lost in one year considering SLE and ARO (ALE = SLE * ARO). For quantitative risk assessment, this is the risk value.

    By relying on factual and measurable data, quantitative risk assessment has as its main benefits very precise results about the risk value and about the maximum investment that would make risk treatment worthwhile, i.e., profitable for the organization. Below is an example of how risk values are calculated through quantitative risk assessment:

    Database value: USD 2.5 million (SLE)

    Manufacturer statistics indicate that a database catastrophic failure (due to software or hardware) occurs one time every 10 years (ARO = 1/10 = 0.1)

    ALE = USD 2.5 million * 0.1 = USD 250K

    That is, in this case the organization has an annual risk of suffering a loss of USD 250K in the event of the loss of its database. So, any implemented control (e.g., backup, patch management, etc.) that costs less than this value would be profitable.

    The problem with quantitative assessment is that in most cases there is not sufficient data to analyze, or the number of variables involved is too high, making the analysis impractical.

    Combining approaches

    As you may notice, qualitative and quantitative assessments have specific characteristics that make each one better for a specific risk assessment scenario, but in the big picture, combining both approaches can prove to be the best alternative for a risk assessment process.

    By using the qualitative approach first, you can quickly identify most of the risks under normal conditions, and people’s concerns about their jobs can be used as a quick reference to help evaluate whether these risks are relevant or not.

    After that, you can use the quantitative approach on relevant risks, to have more detailed information for decision making.

    A general analogy is a medical appointment: the doctor first asks a few simple questions, and from the patient’s answers decides which more detailed exams to perform, instead of trying every exam he knows from the beginning.
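The two-step process described above (qualitative screening first, then ALE = SLE * ARO on the risks that survive it, with the article's "control cheaper than ALE is worthwhile" rule), as an added example that is not part of the original article. The risk register, the 1–3 scales, the screening threshold and the `aro_after` parameter are constructed assumptions; the database figures are the article's own worked example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Risk:
    name: str
    probability: int              # qualitative 1 (low) .. 3 (high)
    impact: int                   # qualitative 1 (low) .. 3 (high)
    sle: Optional[float] = None   # USD lost per incident; only known for risks we quantify
    aro: Optional[float] = None   # expected occurrences per year

def qualitative_score(risk: Risk) -> int:
    """Qualitative risk value: probability x impact on the 1-3 scales (range 1..9)."""
    return risk.probability * risk.impact

def screen(risks: list, threshold: int = 4) -> list:
    """Step 1: quick qualitative pass; keep only risks scoring at or above the threshold."""
    return [r for r in risks if qualitative_score(r) >= threshold]

def ale(sle: float, aro: float) -> float:
    """Annual Loss Expectancy, the quantitative risk value: ALE = SLE * ARO."""
    return sle * aro

def control_is_worthwhile(sle: float, aro: float, annual_cost: float, aro_after: float = 0.0) -> bool:
    """A control pays off when its annual cost is below the ALE it removes.
    aro_after=0 is the article's rule (cost < ALE); a nonzero aro_after is an assumption
    added here to model a control that reduces rather than eliminates the risk."""
    return annual_cost < ale(sle, aro) - ale(sle, aro_after)

def combined_assessment(risks: list, threshold: int = 4) -> dict:
    """Step 2: quantify only the risks that survived qualitative screening.
    Returns name -> ALE in USD (None when SLE/ARO data is not yet available)."""
    result = {}
    for r in screen(risks, threshold):
        result[r.name] = ale(r.sle, r.aro) if r.sle is not None and r.aro is not None else None
    return result

# Constructed sample register; the database numbers are the article's worked example.
SAMPLE_RISKS = [
    Risk("database catastrophic failure", probability=2, impact=3, sle=2_500_000, aro=1 / 10),
    Risk("coffee machine outage", probability=3, impact=1),        # screened out (score 3)
    Risk("office printer compromise", probability=2, impact=2),    # relevant, but no data yet
]

if __name__ == "__main__":
    for name, value in combined_assessment(SAMPLE_RISKS).items():
        label = "no data" if value is None else f"USD {value:,.0f}"
        print(f"{name}: ALE = {label}")
    # A USD 100K/year backup solution against an ALE of USD 250K -> worthwhile
    print(control_is_worthwhile(2_500_000, 0.1, 100_000))
```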

    Adapt your approach to optimize your effort and results

    Risk assessment is one of the most critical parts of risk management, and also one of the most complex – affected by human, technical, and administrative issues. If not done properly, it could compromise all efforts to implement an ISO 27001 Information Security Management System, which makes organizations think about whether to perform qualitative or quantitative assessments. But, you do not need to rely on a single approach, because ISO 27001 allows both qualitative and quantitative risk assessment to be performed.

    If your company needs quick and easy risk assessment, you can go with qualitative assessment (and this is what 99% of the companies do). However, if you need to make some really big investment that is critical for security, perhaps it makes sense to invest time and money into quantitative risk assessment.

    In short, by adopting a combined approach considering the information and time response needed, and data and knowledge available, you can enhance the effectiveness and efficiency of the ISO 27001 information security risk assessment process, and also conform to the standard’s requirements.


    Rhand Leal
    Rhand Leal has 10 years of experience in information security, and for 6 years he has continuously maintained a certified Information Security Management System based on ISO 27001. Rhand holds an MBA in Business Management from Fundação Getúlio Vargas. Among his certifications are: ISO 27001 Lead Auditor, Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), and others. He is a member of the ISACA Brasília Chapter.