Qualitative vs. Quantitative information security risk assessment methodologies

When researching risk assessment methodologies for an information security risk assessment you will soon be confronted by two terms, Qualitative and Quantitative, and may well wonder 'what should I do now?'

So which is best? And does it matter? And what is the difference between them?

To answer these questions we should start by defining what they are.

‘Qualitative’ – means “involving distinctions or involving comparisons based on qualities”

‘Quantitative’ – means “that is or may be estimated by quantity”.

So ‘Qualitative’ means based on quality or merit, intrinsic worth or virtue. ‘Quantitative’ means based on quantity or amount, size or number.

Think of ice cream: we might judge various vanilla ice creams as 'inedible', 'tasty' or 'moreish'. That is a qualitative measure. We could put a number against each label (inedible=1, tasty=2, moreish=3), ask 100 people to taste our ice creams and record each verdict as a 1, 2 or 3. Now we have counts, so we have 'Quantitative' data. Note, though, that the numbers we attached to the labels are only a ranking: 3 is better than 2, but not 'one and a half times as good'. The counts of how many people chose each label can be compared, but the scores themselves should not be averaged or multiplied as if they were amounts. The same caution applies to the 1-to-5 scales on a typical risk matrix.

Does it make any difference?

Well it does if we want to be 'scientific' in our approach to risk assessment. We want to be scientific because the more scientific we can be, the more reproducible our approach will be. ISO 27001 requires consistency: the 2005 edition stated that "The risk assessment methodology selected shall ensure that risk assessments produce comparable and reproducible results" (ISO/IEC 27001:2005 clause 4.2.1 c) 2), and the 2013 revision keeps the requirement in clause 6.1.2 b), which asks that repeated risk assessments produce "consistent, valid and comparable results".

So the more scientific our approach is, the better it suits the standard and the more comparable and reproducible its results are.

Assessing a risk as 'High' does not have the same impact as saying it is 9 on a scale of 1 to 9, although the meaning might be the same.

Beaufort realised this. He defined a scale for wind conditions which has been refined over the years. This scale extends from 'Calm' to 'Hurricane'. These 'Qualitative' descriptions have been supplemented by 'Quantitative' force numbers 0 to 12, each tied to a range of measured wind speeds. Because the boundaries are fixed numbers, two observers with the same measurement reach the same force number: a subjectively judged scale becomes an objectively assessed scientific scale, and we can compare one 'hurricane force' storm with another.

When you are choosing a risk methodology, making it quantitative has many advantages over the simple qualitative approach. It tends to be more reproducible and therefore makes it easier to compare past and present risk assessments. It also tends to give more consistent results by removing an element of subjectivity.

Qualitative assessments are easier to do, but as they are more subjective they tend to be less reproducible, certainly over time and across different assessors.

In truth, and pragmatically, we use a mix of both methods.

Very often we use a qualitative approach to identify the key risks. We then use a quantitative approach to determine the actual level of each of those risks, and finally take a qualitative view of the residual risk once it has been mitigated.
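The hybrid approach just described, as an added worked example (this is not code from the original article and not taken from ISO 27001): a qualitative triage shortlists the risks, a quantitative estimate of expected annual loss (events per year multiplied by loss per event) is computed for the shortlist, and Beaufort-style fixed thresholds map the number back to a label for the mitigated risk. The bands, triage scores, sample register, controls and currency figures are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Beaufort-style bands: a qualitative label defined by a numeric threshold on
# expected annual loss (EAL). Given the same numbers, any assessor lands on
# the same label, which is what makes results reproducible and comparable.
# The thresholds are assumptions for this example.
BANDS: List[Tuple[str, float]] = [
    ("Low", 10_000.0),         # EAL below this is Low
    ("Medium", 100_000.0),
    ("High", 1_000_000.0),
    ("Critical", float("inf")),
]

# Ordinal scores for the initial qualitative triage. They only rank labels:
# "High" is above "Medium", but 3 is not "one more" of anything than 2, so
# these scores are used for ordering, never for arithmetic.
TRIAGE_SCORE: Dict[str, int] = {"Low": 1, "Medium": 2, "High": 3}


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: str          # qualitative label, used only to shortlist
    impact: str              # qualitative label, used only to shortlist
    events_per_year: float   # quantitative estimate of frequency
    loss_per_event: float    # quantitative estimate of loss, in currency units


@dataclass(frozen=True)
class Control:
    name: str
    frequency_factor: float  # multiplies events_per_year (1.0 = no change)
    loss_factor: float       # multiplies loss_per_event (1.0 = no change)


def triage(risks: List[Risk], minimum: str = "High") -> List[Risk]:
    """Step 1 (qualitative): keep risks whose likelihood or impact is rated at
    or above `minimum`. Cheap but subjective, so it only builds a shortlist."""
    floor = TRIAGE_SCORE[minimum]
    return [r for r in risks
            if max(TRIAGE_SCORE[r.likelihood], TRIAGE_SCORE[r.impact]) >= floor]


def expected_annual_loss(events_per_year: float, loss_per_event: float) -> float:
    """Step 2 (quantitative): frequency times magnitude gives a number with
    units (currency per year) that can be compared across assessments."""
    return events_per_year * loss_per_event


def band(eal: float) -> str:
    """Map a numeric EAL back onto a qualitative label using fixed thresholds."""
    if eal < 0:
        raise ValueError("expected annual loss cannot be negative")
    for label, upper in BANDS:
        if eal < upper:
            return label
    return BANDS[-1][0]  # only reached for an infinite EAL


def residual(risk: Risk, controls: List[Control]) -> Tuple[float, str]:
    """Step 3: apply controls to the quantitative estimate, then report the
    mitigated risk qualitatively (the 'qualitative view once mitigated')."""
    freq, loss = risk.events_per_year, risk.loss_per_event
    for c in controls:
        freq *= c.frequency_factor
        loss *= c.loss_factor
    eal = expected_annual_loss(freq, loss)
    return eal, band(eal)


def assess(risks: List[Risk], plan: Dict[str, List[Control]]) -> Dict[str, dict]:
    """Run the three steps and return one record per shortlisted risk."""
    report: Dict[str, dict] = {}
    for r in triage(risks):
        inherent = expected_annual_loss(r.events_per_year, r.loss_per_event)
        res_eal, res_band = residual(r, plan.get(r.name, []))
        report[r.name] = {
            "inherent_eal": inherent, "inherent_band": band(inherent),
            "residual_eal": res_eal, "residual_band": res_band,
        }
    return report


# Constructed sample register and treatment plan (not real data).
REGISTER = [
    Risk("Ransomware on file servers", "Medium", "High", 0.5, 400_000.0),
    Risk("Phishing leads to account takeover", "High", "Medium", 4.0, 16_000.0),
    Risk("Lost unencrypted USB stick", "Low", "Low", 1.0, 2_000.0),
]
PLAN = {
    "Ransomware on file servers": [Control("Tested offline backups", 1.0, 0.25)],
    "Phishing leads to account takeover": [Control("Phishing-resistant MFA", 0.125, 1.0)],
}

if __name__ == "__main__":
    for name, row in assess(REGISTER, PLAN).items():
        print(f"{name}: inherent {row['inherent_eal']:,.0f} ({row['inherent_band']}) "
              f"-> residual {row['residual_eal']:,.0f} ({row['residual_band']})")
```

Running the same register through `assess` twice gives identical output, which is the reproducibility the standard asks for; changing an estimate next year gives a new EAL that can be set side by side with this year's. The USB risk never reaches the quantitative step because the triage rated it Low on both axes, which is exactly the subjective shortcut the qualitative pass accepts in exchange for speed.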

Does it matter? As far as ISO 27001 is concerned, not really: the standard does not prescribe either method, so long as you define your approach, apply it consistently and stick to it. That is all that really matters.

