Qualitative vs. quantitative risk assessments in information security: Differences and similarities

In the risk assessment process, one common question organizations ask is whether to go with a quantitative or a qualitative approach. The good news is that using both approaches can, in fact, make the process more efficient at reaching the desired security levels.

This article will present the concepts of qualitative and quantitative assessments, their similarities and differences, and how both of them can be used in ISO 27001 to perform effective and efficient information security risk assessments.

Qualitative risk assessment

In qualitative risk assessment, the focus is on interested parties’ perceptions of the probability of a risk occurring and of its impact on relevant organizational aspects (e.g., financial, reputational, etc.). These perceptions are expressed on scales such as “low – medium – high” or “1 – 2 – 3,” which are then combined to define the risk’s final value.

Since it has little mathematical dependency (risk may be defined through a simple sum or multiplication of the probability and impact scores, or through another non-numerical combination such as a lookup matrix), qualitative risk assessment is easy and quick to perform, allowing an organization to take advantage of users’ experience with and knowledge of the process/asset being assessed. See below an example of a table used for qualitative risk assessment:

[Figure: example table (probability x impact matrix) used for qualitative risk assessment]
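As an added example (not code from the original article), the following Python script builds the kind of probability x impact matrix shown above and combines two ordinal ratings into a risk level. The combination rule (multiply the 1-3 scores and bucket the product) and the sample ratings are assumptions of this example; the last function shows how ratings of the same risk from different assessors can land on different levels, which is the bias problem the article goes on to describe.

```python
# Added example (not code from the original article): a qualitative risk
# matrix built from ordinal scales, plus a check for divergent ratings
# between the people who perform the assessment.

PROBABILITY_SCALE = {"low": 1, "medium": 2, "high": 3}
IMPACT_SCALE = {"low": 1, "medium": 2, "high": 3}
LEVELS = ["low", "medium", "high"]


def risk_level(probability: str, impact: str) -> str:
    """Combine a probability rating and an impact rating into a risk level.

    The combination rule used here (multiply the 1-3 scores and bucket the
    product as 1-2 low, 3-4 medium, 6-9 high) is one common convention and
    is an assumption of this example, not a rule the article prescribes.
    """
    try:
        score = PROBABILITY_SCALE[probability.lower()] * IMPACT_SCALE[impact.lower()]
    except KeyError as exc:
        raise ValueError(f"rating must be one of {LEVELS}, got {exc.args[0]!r}") from None
    if score <= 2:
        return "low"
    if score <= 4:
        return "medium"
    return "high"


def risk_matrix() -> list[list[str]]:
    """The full 3x3 matrix: rows are probability, columns are impact."""
    return [[risk_level(p, i) for i in LEVELS] for p in LEVELS]


def format_matrix() -> str:
    """Render the matrix as a plain-text table like the one in the figure."""
    header = "probability \\ impact | " + " | ".join(f"{i:>6}" for i in LEVELS)
    rows = [
        f"{p:>20} | " + " | ".join(f"{cell:>6}" for cell in row)
        for p, row in zip(LEVELS, risk_matrix())
    ]
    return "\n".join([header] + rows)


def assessor_divergence(ratings: dict[str, tuple[str, str]]) -> set[str]:
    """Given each assessor's (probability, impact) rating of the same risk,
    return the set of distinct risk levels they arrive at.

    More than one element means the result depends on who performed the
    assessment (the bias discussed in the article) and the ratings should
    be reconciled before the value is used outside that group.
    """
    return {risk_level(p, i) for p, i in ratings.values()}


if __name__ == "__main__":
    print(format_matrix())
    # Constructed sample: HR rates the impact on its own process high,
    # Quality rates the same risk's impact low.
    sample = {"HR": ("high", "high"), "Quality": ("high", "low")}
    print("levels reached by different assessors:", assessor_divergence(sample))
```

Running the script prints the matrix and then `{'high', 'medium'}` for the sample: two departments, same risk, two different answers, which is exactly why a qualitative result rarely travels well outside the group that produced it.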

One problem with qualitative assessment is that its results are strongly biased, in both the probability and the impact ratings, by the people who perform it.

For example, for HR people, HR impacts will be more relevant than Quality impacts, and vice versa. As for bias in probability, a lack of understanding of the timeframes of other processes may lead someone to think that errors and failures occur more often in their own process than in others, which may not be true.

This bias generally makes a qualitative assessment useful only in the local context where it is performed, because people outside that context will probably disagree about the impact values assigned.

Quantitative risk assessment

Quantitative risk assessment, on the other hand, focuses on factual, measurable data and on mathematical and computational methods to calculate probability and impact values. It normally expresses risk in monetary terms, which makes its results useful outside the context of the assessment (a loss of money is understandable to any business unit). To reach a monetary result, quantitative risk assessment often makes use of these concepts:

SLE (Single Loss Expectancy): money expected to be lost if the incident occurs one time.

ARO (Annual Rate of Occurrence): how many times in a one-year interval the incident is expected to occur.

ALE (Annual Loss Expectancy): money expected to be lost in one year considering SLE and ARO (ALE = SLE * ARO). For quantitative risk assessment, this is the risk value.

By relying on factual and measurable data, quantitative risk assessment has two main benefits: it presents very precise results for the risk value, and it shows the maximum investment that would still make risk treatment worthwhile, i.e., profitable for the organization. Below is an example of how risk values are calculated through quantitative risk assessment:

Database value: USD 2.5 million (SLE)

Manufacturer statistics indicate that a catastrophic database failure (due to software or hardware) occurs once every 10 years (ARO = 1/10 = 0.1)

ALE = USD 2.5 million * 0.1 = USD 250K

That is, in this case the organization’s expected annual loss from losing its database is USD 250K. So, any implemented control (e.g., backup, patch management, etc.) that costs less than this value would be profitable.

The problem with quantitative assessment is that in most cases there is insufficient data to analyze, or the number of variables involved is too high, making the analysis impractical.

Combining approaches

As you may notice, qualitative and quantitative assessments have specific characteristics that make each better suited to particular risk assessment scenarios, but in the big picture, combining both approaches can prove to be the best alternative for a risk assessment process.

By using the qualitative approach first, you can quickly identify most of the risks to normal operations, and people’s concerns about their own jobs can serve as a quick reference for deciding whether those risks are relevant or not.

After that, you can use the quantitative approach on relevant risks, to have more detailed information for decision making.

A general example would be a medical appointment. The doctor first asks a few simple questions, and from the patient’s answers decides which more detailed exams to perform, instead of trying every exam known at the outset.
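The combined approach, and the SLE/ARO/ALE calculation from the quantitative section above, as an added example that is not part of the original article: a qualitative screening step keeps only the risks rated at or above a threshold, and only those are carried into the quantitative step. The sample risk register is constructed for this example; the database entry reuses the article’s figures (SLE of USD 2.5 million, one failure every 10 years), the other entries are made up. The `ale_after` parameter goes slightly beyond the article’s rule: the article compares the control cost to the full ALE, which assumes the control removes the loss entirely, while the optional residual ALE covers a control that only reduces it.

```python
# Added example (not the article's own code): the combined approach. A
# qualitative screening step selects the relevant risks, and only those get
# the quantitative SLE/ARO/ALE treatment and the control-cost check.
from dataclasses import dataclass

LEVEL_ORDER = {"low": 0, "medium": 1, "high": 2}


@dataclass
class Risk:
    name: str
    qualitative_level: str   # result of the earlier qualitative assessment
    sle: float               # Single Loss Expectancy, in USD
    occurrences: float       # observed/estimated incidents ...
    years: float             # ... over this many years


# Constructed sample register. The database entry uses the article's figures
# (SLE USD 2.5 million, one failure every 10 years); the others are made up.
RISK_REGISTER = [
    Risk("database catastrophic failure", "high", 2_500_000, 1, 10),
    Risk("laptop theft", "medium", 5_000, 2, 1),
    Risk("printer outage", "low", 200, 12, 1),
]


def screen(register, threshold="medium"):
    """Qualitative step: keep the risks rated at or above the threshold."""
    return [r for r in register
            if LEVEL_ORDER[r.qualitative_level] >= LEVEL_ORDER[threshold]]


def annual_rate_of_occurrence(occurrences, years):
    """ARO: incidents per year. 'One every 10 years' is 1/10 = 0.1."""
    if years <= 0 or occurrences < 0:
        raise ValueError("need a positive period and a non-negative count")
    return occurrences / years


def annual_loss_expectancy(sle, aro):
    """ALE = SLE * ARO, the quantitative risk value."""
    return sle * aro


def control_is_worthwhile(ale_before, annual_control_cost, ale_after=0.0):
    """Article's rule: a control is worthwhile if it costs less than the ALE.

    That rule assumes the control removes the loss entirely (ale_after = 0).
    The optional ale_after generalizes it to a control that only reduces the
    loss: the annual saving (ALE before - ALE after) must exceed the cost.
    """
    return (ale_before - ale_after) > annual_control_cost


def quantify(register, threshold="medium"):
    """Quantitative step, run on the screened risks only."""
    results = {}
    for r in screen(register, threshold):
        aro = annual_rate_of_occurrence(r.occurrences, r.years)
        ale = annual_loss_expectancy(r.sle, aro)
        # Per the article, the ALE is also the ceiling for control spending.
        results[r.name] = {"aro": aro, "ale": ale, "max_control_cost": ale}
    return results


if __name__ == "__main__":
    for name, v in quantify(RISK_REGISTER).items():
        print(f"{name}: ARO={v['aro']:.2f}, ALE=USD {v['ale']:,.0f}, "
              f"spend up to USD {v['max_control_cost']:,.0f}/year on controls")
    print("backup costing USD 200K/year worthwhile?",
          control_is_worthwhile(250_000, 200_000))
```

Only the two risks that passed the qualitative screen are quantified, and the printer outage never consumes analyst time on data gathering, which is the efficiency gain the combined approach is after. The database line reproduces the article’s USD 250K ALE.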

Adapt your approach to optimize your effort and results

Risk assessment is one of the most critical parts of risk management, and also one of the most complex – affected by human, technical, and administrative issues. If not done properly, it can compromise all efforts to implement an ISO 27001 Information Security Management System, which is why organizations deliberate over whether to perform qualitative or quantitative assessments. But you do not need to rely on a single approach, because ISO 27001 allows both qualitative and quantitative risk assessment to be performed.

If your company needs quick and easy risk assessment, you can go with qualitative assessment (and this is what 99% of the companies do). However, if you need to make some really big investment that is critical for security, perhaps it makes sense to invest time and money into quantitative risk assessment.

In short, by adopting a combined approach considering the information and time response needed, and data and knowledge available, you can enhance the effectiveness and efficiency of the ISO 27001 information security risk assessment process, and also conform to the standard’s requirements.


Dejan Kosutic
Lead ISO 27001/22301 Expert, Advisera


