What Does a Hybrid between Quantitative and Qualitative Cyber Risk Analysis Look Like?

High Medium LowAt the end of the recent webinar hosted by Jack Jones to discuss his Cyber Risk Quantification Buyer’s Guide, an audience member posted two questions in the chat, “What does a hybrid between quantitative and qualitative analysis look like?” and “Is that combination the goal?”



Time ran out before Jack could answer but a blog post series on qualitative vs quantitative he wrote settles the questions.

First, the basics – what’s the difference between quantitative and qualitative risk analysis?

As Jack writes, they both have

  • A scope (what’s to be measured)
  • A measurement model
  • Data

But in qualitative measurement, those three elements are derived from the mental model, lived experience, gut feeling, educated guess or other highly personal – and undefined -- processes the risk analyst used to arrive at a High, Medium or Low rating. “It’s crazy to think results will be reliable or consistent,” based on those inputs, Jack writes.

CRQ Buyers Guide 3“Keep this in mind the next time you’re sitting across the table from a colleague, consultant, or other stakeholder and having what feels like a religious argument about whether something is High, Medium, or Low risk…You’re just using different scopes, different mental models, and different data to arrive at your answers.”

In contrast, quantitative risk measurement following the methodology of FAIR™ (Factor Analysis of Information Risk) clearly defines:

  • Scope, in terms of a loss event scenario: a threat actor affecting some characteristic of an asset with quantifiable factors for frequency of occurrence and magnitude of impact. Example scenario: “Analyze the risk associated with malicious external actors breaching the confidentiality of sensitive company data accessible on a lost/stolen mobile device.
  • Model – Factor Analysis of Information Risk (FAIR™) is a standard measurement model, vetted by The Open Group, that’s transparent to any stakeholder in the organization, and including a normalized vocabulary so everyone is on the same page on what they mean by “risk.”

  • Data – FAIR practice teaches multiple, well-established methods to handle issues of data quantity and quality, including applying Monte Carlo functions and expressing measurement results using distributions. “One of the significant advantages of CRQ over qualitative or other forms of risk-related measurements is that it enables the use of these methods to account for uncertainty,” Jack writes in Understanding Cyber Risk Quantification: A Buyer’s Guide.

Quantitative cyber risk analysis enables prioritization among risks, determining the risk reduction ROI of improvements to controls and aggregating multiple risks to understand the organization’s risk posture. 

So, why these questions about clinging to qualitative risk assessments?

Combining Qualitative and Quantitative Cyber Risk Analysis Reporting

Because realistically, moving from qualitative to quantitative can be a cultural change for an organization; the risk team may be eager to move up to quantitative but the management team consuming risk analysis reporting still likes its easy-to-grok High/Medium/Low charts.

In the final post in the blog series, Jack gives the compromise solution, a hybrid approach. The organization should explicitly define ranges in dollar terms for loss exposure, ideally for the annualized figures from FAIR analysis, but at least to sharpen the focus of discussions based on qualitative assessments. The result could look like this, depending on the organization’s size and risk appetite.

Jack Jones - Qualitative Risk Management - High Med Low Ranges in Dollars

Is this combination the goal? Only as a step in the right, quantitative direction. As Jack writes,

“If you go to the trouble of clearly scoping an analysis, applying a clearly defined model, and smartly applying whatever data you have, then the difference in effort between qualitative and quantitative analysis virtually disappears.  In which case, why would anyone want to accept the inherent limitations of qualitative risk measurements?”

Learn How FAIR Can Help You Make Better Business Decisions

Order today
image 37