The Pitfalls of Mixing and Matching Risk Models

Using qualitative and quantitative methods to assess risk

A 2015 Open Group survey collected data about information risk programs from over 100 organizations. One important insight was that more than half of all surveyed organizations used a combination of both qualitative and quantitative methods for their risk analyses.

In 2014, Gartner conducted research comparing various methodologies for IT risk assessment and analysis (Report ID G00256964). From this research, they found that many organizations have a similar two-tier approach to risk analysis.

I see a similar theme among successful information risk programs, based on my own experience as a FAIR practitioner.  

Bottom line: when designing a risk management program, “one size doesn’t fit all”. It is common to see different analysis approaches within the same risk assessment program.


  • Organizations often employ a light and rapid process of evaluating policy exception requests. These types of light risk assessments (commonly referred to as “triage”) are performed in less than 30 minutes. More often than not, they are also more qualitative in nature (based on ordinal scales).
  • However, it may not be appropriate to use that same light process when prioritizing security investments or analyzing top security concerns for presentation to a risk advisory committee or the board. Here, we advocate for a more rigorous form of assessment that is fully quantitative.

Risk teams are often limited in their resources and time. Successful programs need to prioritize their efforts and focus on the assessments that are most meaningful to the organization.



Problems often arise when these different analysis methods are based on different risk models. When this occurs, a team may unintentionally re-define what risk is within their own program or, at a minimum, suffer issues with consistency in reporting and communication.

The good news is that this can very easily be avoided using Factor Analysis of Information Risk (FAIR). FAIR, at its heart, is an ontology: an accurate model of risk. We can use it both qualitatively and quantitatively, and within both forms with different levels of granularity and precision.
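As an added example (not code from the original post, nor from the FAIR standard itself), the script below runs both tiers on the same FAIR decomposition, annualized loss exposure = loss event frequency × loss magnitude. The triage tier rates the most-likely estimates on ordinal buckets, the detailed tier runs a Monte Carlo simulation over calibrated ranges, and because the buckets are defined as ranges on the very axes the simulation estimates, the two tiers can be checked against each other. The bucket boundaries, the `Scenario` class and the legacy-host scenario with its estimates are constructed assumptions for illustration, not FAIR-standard values.

```python
"""Two-tier analysis on a single FAIR risk model.

Added example, not code from the original post or from the FAIR standard.
FAIR's top-level decomposition is used as-is:

    annualized loss exposure (ALE) = loss event frequency (LEF) x loss magnitude (LM)

The triage tier rates LEF, LM and ALE on ordinal buckets; the detailed tier
runs a Monte Carlo simulation over calibrated (min, most likely, max) ranges.
Both tiers sit on the same numeric axes, so a triage bucket is simply a range
of the quantity the detailed tier estimates. Bucket boundaries and the sample
scenario are constructed for illustration only.
"""
import random
import statistics
from dataclasses import dataclass

# Ordinal scales as (inclusive upper bound, label) on the quantitative axis;
# the last bucket is open-ended. Constructed values, not FAIR-standard ones.
LEF_SCALE = [(0.1, "Very Low"), (1.0, "Low"), (10.0, "Moderate"),
             (100.0, "High"), (float("inf"), "Very High")]          # events/year
LM_SCALE = [(10_000, "Very Low"), (100_000, "Low"), (1_000_000, "Moderate"),
            (10_000_000, "High"), (float("inf"), "Very High")]      # USD/event
ALE_SCALE = [(10_000, "Very Low"), (100_000, "Low"), (1_000_000, "Moderate"),
             (10_000_000, "High"), (float("inf"), "Very High")]     # USD/year


def bucket(value, scale):
    """Map a quantity to its ordinal label on the given scale."""
    for upper, label in scale:
        if value <= upper:
            return label
    raise ValueError("scale must end with an open-ended bucket")


@dataclass
class Scenario:
    name: str
    lef: tuple  # (min, most likely, max) loss events per year
    lm: tuple   # (min, most likely, max) USD lost per event


def triage(s: Scenario) -> dict:
    """Light tier: rate the most-likely estimates on the ordinal scales.
    Cheap enough for a policy-exception review, but it carries no tail
    information (no p10/p90), only a label on each axis."""
    lef_ml, lm_ml = s.lef[1], s.lm[1]
    return {"LEF": bucket(lef_ml, LEF_SCALE),
            "LM": bucket(lm_ml, LM_SCALE),
            "ALE": bucket(lef_ml * lm_ml, ALE_SCALE)}


def simulate(s: Scenario, runs: int = 20_000, seed: int = 7) -> dict:
    """Detailed tier: sample LEF and LM independently from triangular
    distributions over their calibrated ranges (a PERT distribution is the
    usual FAIR choice; triangular keeps this dependency-free) and return
    percentiles of the resulting ALE distribution."""
    rng = random.Random(seed)
    ale = []
    for _ in range(runs):
        lef = rng.triangular(s.lef[0], s.lef[2], s.lef[1])   # (low, high, mode)
        lm = rng.triangular(s.lm[0], s.lm[2], s.lm[1])
        ale.append(lef * lm)
    ale.sort()
    pct = lambda p: ale[int(p * (runs - 1))]
    return {"p10": pct(0.10), "p50": pct(0.50), "p90": pct(0.90),
            "mean": statistics.fmean(ale)}


def tiers_agree(s: Scenario) -> bool:
    """Consistency check that is only possible because both tiers share one
    model: the median of the quantitative ALE distribution should fall in the
    bucket the triage assigned. A mismatch means the estimates moved between
    tiers (worth investigating), not that each tier defines risk differently."""
    return bucket(simulate(s)["p50"], ALE_SCALE) == triage(s)["ALE"]


# Constructed scenario: a policy exception to keep a legacy file-transfer
# service running on an unpatched host.
LEGACY_SFTP = Scenario("legacy SFTP host, patch exception",
                       lef=(1.0, 2.0, 4.0),
                       lm=(100_000, 250_000, 600_000))

if __name__ == "__main__":
    print("triage   :", triage(LEGACY_SFTP))
    q = simulate(LEGACY_SFTP)
    print("detailed :", {k: f"{v:,.0f}" for k, v in q.items()})
    print("agree    :", tiers_agree(LEGACY_SFTP))
```

The point of `tiers_agree` is what a mixed-model program cannot do: a heat-map score such as "likelihood 4 × impact 3 = 12" has no units and no place on the ALE axis, so there is no way to tell whether the triage and the board-level analysis are even describing the same exposure. With one ontology underneath both tiers, a triage label is a coarse statement about the same quantity the simulation refines, and disagreement between them becomes a signal about the estimates rather than a definitional argument.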

So go forth and design efficient and effective risk management programs with FAIR as the foundation. 


  1. Successful information risk programs often employ more than one risk analysis method (qualitative and quantitative).
  2. Often an initial “triage” of a risk scenario can rapidly determine its relative significance in terms of loss exposure.
  3. A detailed and rigorous quantitative analysis should be performed when the assessment is informing either decision-making or key stakeholders.
