Quantitative vs. qualitative information risk assessment
Qualitative information risk assessment is the most commonly used approach to information security risk assessment and uses subjective estimates (e.g. high, medium, low) for likelihood and loss/consequence. When performing information risk assessments, it is recommended that information risks are assessed by more than one person to reduce the subjective element of this approach. A workshop format is often a useful way of bringing together those individuals who are most familiar with the information asset and the associated threats and vulnerabilities to discuss and agree the likelihood and impact of each risk.
Quantitative information risk assessment, unlike qualitative information risk assessment, uses numerical values (normally monetary) rather than subjective values (high, medium, low) for risk assessment. Figures are derived for the Single Loss Expectancy (how much the occurrence of a given information risk costs) and Annual Rate of Occurrence (how often a risk will occur per year). From these it is possible to calculate the Annual Loss Expectancy (how much the organisation can expect to lose each year for a given risk). By defining a monetary value for risks and having the historic data to determine the expected frequency, it is possible to prioritise information risks in order of their financial impact on the organisation. In combination with an understanding of the costs of your controls and their effectiveness at mitigating risk, it is also possible to make some statements about the Return On Security Investment.
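The calculation described above, as an added example that is not part of the original page: it ranks a small risk register by Annual Loss Expectancy and computes a Return On Security Investment for each control. The risks, controls and figures are constructed, and the ROSI formula, (ALE reduction - control cost) / control cost, is a commonly used definition assumed here because the page does not give one.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Risk:
    name: str
    sle: float  # Single Loss Expectancy: cost of one occurrence
    aro: float  # Annual Rate of Occurrence: expected occurrences per year

    @property
    def ale(self) -> float:
        """Annual Loss Expectancy = SLE x ARO."""
        return self.sle * self.aro

@dataclass(frozen=True)
class Control:
    name: str
    risk: Risk
    annual_cost: float    # yearly cost of running the control
    effectiveness: float  # fraction of the risk's ALE it removes, 0..1

    def __post_init__(self):
        if not 0.0 <= self.effectiveness <= 1.0 or self.annual_cost <= 0:
            raise ValueError(f"bad figures for control {self.name!r}")

    @property
    def rosi(self) -> float:
        """Assumed formula: (ALE reduction - control cost) / control cost."""
        saved = self.risk.ale * self.effectiveness
        return (saved - self.annual_cost) / self.annual_cost

def rank_by_ale(risks):
    """Highest expected annual loss first."""
    return sorted(risks, key=lambda r: r.ale, reverse=True)

# Constructed sample register (all names and figures are illustrative).
LAPTOP = Risk("Laptop theft", sle=4_000, aro=5)
OUTAGE = Risk("Ransomware outage", sle=100_000, aro=0.25)
PHISH = Risk("Phishing account takeover", sle=12_000, aro=3)
RISKS = [LAPTOP, OUTAGE, PHISH]
CONTROLS = [
    Control("Disk encryption", LAPTOP, annual_cost=5_000, effectiveness=0.75),
    Control("Offline backups", OUTAGE, annual_cost=20_000, effectiveness=0.5),
    Control("MFA rollout", PHISH, annual_cost=6_000, effectiveness=0.75),
]

if __name__ == "__main__":
    for r in rank_by_ale(RISKS):
        print(f"{r.name:28} ALE {r.ale:>9,.0f}")
    for c in sorted(CONTROLS, key=lambda c: c.rosi, reverse=True):
        print(f"{c.name:28} ROSI {c.rosi:+.0%}")
```

With these constructed figures the backup control has a negative ROSI: it costs more per year than the expected loss it removes, which is the kind of statement the monetary approach makes possible.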
Unfortunately, quantitative information risk assessment requires a significant amount of data about information risk impacts and probabilities, which may not be readily available and which are resource intensive to collect. Calculations can be complex and resource intensive and, as a result, professional risk management software is often required for effective analysis. In addition, technology changes so fast that historical data may not be a good source of information about current and future impacts and probabilities.
One possible approach is to use qualitative information risk management by default, and quantitative information risk assessment where it is felt that the benefits provided by the technique outweigh the costs.