Time ran out before Jack could answer, but a blog post series he wrote on qualitative vs. quantitative risk analysis settles the questions.
First, the basics – what’s the difference between quantitative and qualitative risk analysis?
As Jack writes, they both have
But in qualitative measurement, those three elements are derived from the mental model, lived experience, gut feeling, educated guess or other highly personal – and undefined – processes the risk analyst used to arrive at a High, Medium or Low rating. “It’s crazy to think results will be reliable or consistent,” based on those inputs, Jack writes.
In contrast, quantitative risk measurement following the methodology of FAIR™ (Factor Analysis of Information Risk) clearly defines:
Quantitative cyber risk analysis enables prioritization among risks, determination of the risk-reduction ROI of improvements to controls, and aggregation of multiple risks to understand the organization’s overall risk posture.
So, why these questions about clinging to qualitative risk assessments?
Because realistically, moving from qualitative to quantitative can be a cultural change for an organization; the risk team may be eager to move up to quantitative but the management team consuming risk analysis reporting still likes its easy-to-grok High/Medium/Low charts.
In the final post in the blog series, Jack gives the compromise solution, a hybrid approach. The organization should explicitly define ranges in dollar terms for loss exposure, ideally for the annualized figures from FAIR analysis, but at least to sharpen the focus of discussions based on qualitative assessments. The result could look like this, depending on the organization’s size and risk appetite.
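As an added worked example (not code from Jack's series or the FAIR Institute), the Python below estimates annualized loss exposure from FAIR's two top-level factors, loss event frequency times loss magnitude, maps the result onto explicitly defined dollar bands, aggregates two scenarios into a portfolio figure and prices a control improvement. The band thresholds, the two scenarios and the $60k/year control cost are constructed numbers, not an organization's real ranges.

```python
import random
from statistics import mean, quantiles

# Hypothetical loss-exposure bands in annual dollars (constructed for this
# example; a real organization sets its own by size and risk appetite).
BANDS = [("Low", 0, 100_000), ("Medium", 100_000, 1_000_000),
         ("High", 1_000_000, float("inf"))]

def band_for(annual_loss):
    """Map an annualized dollar figure onto the defined High/Medium/Low ranges."""
    for label, lo, hi in BANDS:
        if lo <= annual_loss < hi:
            return label
    raise ValueError("loss exposure must be non-negative")

def simulate_ale(lef, lm, runs=10_000, seed=0):
    """Annualized loss exposure the FAIR way: loss event frequency x loss magnitude.
    lef = (min, most likely, max) events per year; lm = (min, most likely, max)
    dollars per event. Both are drawn from triangular distributions each run,
    so the result is a distribution rather than a single point estimate."""
    rng = random.Random(seed)
    return [rng.triangular(lef[0], lef[2], lef[1]) * rng.triangular(lm[0], lm[2], lm[1])
            for _ in range(runs)]

def summarize(samples):
    """Mean, 90th percentile and the band the mean falls in."""
    p90 = quantiles(samples, n=10)[-1]
    return {"mean": mean(samples), "p90": p90, "band": band_for(mean(samples))}

def aggregate(*scenario_samples):
    """Portfolio exposure: add the per-run losses of independent scenarios."""
    return [sum(run) for run in zip(*scenario_samples)]

def control_roi(before, after, annual_control_cost):
    """Risk-reduction ROI: expected loss avoided, net of cost, per dollar spent."""
    avoided = mean(before) - mean(after)
    return (avoided - annual_control_cost) / annual_control_cost

def run_example():
    # Constructed scenarios: phishing-driven credential theft and ransomware.
    phishing = simulate_ale((2, 6, 12), (5_000, 40_000, 250_000), seed=1)
    ransomware = simulate_ale((0.05, 0.2, 0.5), (200_000, 1_500_000, 8_000_000), seed=2)
    # Hypothetical control cutting phishing event frequency, costing $60k/year.
    phishing_after = simulate_ale((0.5, 1.5, 3), (5_000, 40_000, 250_000), seed=3)
    return {
        "phishing": summarize(phishing),
        "ransomware": summarize(ransomware),
        "portfolio": summarize(aggregate(phishing, ransomware)),
        "control_roi": control_roi(phishing, phishing_after, 60_000),
    }
```

With these inputs each scenario lands in the Medium band on its own while the aggregated portfolio crosses into High, which is the kind of conclusion a qualitative rating alone cannot support.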
“If you go to the trouble of clearly scoping an analysis, applying a clearly defined model, and smartly applying whatever data you have, then the difference in effort between qualitative and quantitative analysis virtually disappears. In which case, why would anyone want to accept the inherent limitations of qualitative risk measurements?”