- Risk management life cycle and treatment [CISMP]
Agent Smith
Qualitative and quantitative methods
In this article, you're going to be looking at qualitative, quantitative and semi-quantitative analysis as a means of gauging risk, which will help us judge a risk's size and urgency.
Let us first look at the two broad types of analysis: qualitative and quantitative.
Definitions
Qualitative analysis fundamentally means to measure something by its quality rather than quantity. It's linguistic and non-mathematical. Qualitative analysis is an educated guess that’s modelled with a rating system such as low, medium and high probability. One of the best examples of an educated guess was made by Michael J. Burry regarding the subprime mortgage crisis. Based on his knowledge and expertise, he analysed data and saw the potential crisis emerging.
Quantitative analysis is the opposite; to measure by quantity rather than quality. It's mathematical rather than linguistic. Quantitative analysis is the process of applying mathematical and statistical tools to present complex situations in terms of a numerical value. Quantitative analysts focus on numbers, statistics, data, and percentages. As a result, quantitative analysis often involves collecting, evaluating, and analysing large volumes of data, to identify patterns or trends. Through recognising trends in data, analysts can forecast future outcomes, behaviours and trends, and use these assessments to make well-informed business decisions.
Examples of quantitative analysis
There are a variety of methods and tools adopted in quantitative analysis. To build a numerical interpretation of a given situation, analysts often collect and assess historical data. Some examples of quantitative analysis include:
- Historical financial reports
- Random sampling
- Large scale datasets (for example, car insurance claims for break ins in a specific area)
- Tracking software (for example, advertising and customer relationship management software)
- Analytics gathered by machines
Quantitative analysis
Quantitative risk analysis begins by calculating the Single Loss Expectancy (SLE) - see Figure 1: SLE - which is the actual monetary cost of a single incident. This is the Asset Value (AV) multiplied by the Exposure Factor (EF). The EF is the fraction or percentage which specifies how much of the asset value is lost. Organisations will often simply set this to a value of 1 or 100% to assume that all the value is lost.
So, the single loss expectancy (SLE) expresses the potential loss when a threat occurs, in monetary terms. It is calculated as SLE = AV x EF, where the exposure factor (EF) describes the proportion of the asset's value that is lost as a result of the threat, expressed as a percentage. In our example, SLE is £30,000 when EF is estimated to be 0.3.
Figure 1:SLE: Single loss expectancy
Figure 2: ALE: Annualised loss expectancy
The annualised loss expectancy
The annualised loss expectancy (ALE) - Figure 2: ALE - is the estimated cost of the risk for the year. This is calculated by multiplying the SLE by the estimated Annual Rate of Occurrence (ARO). Annualised rate of occurrence (ARO) is described as an estimated frequency of the threat occurring in one year. So, ALE is calculated as follows: ALE = SLE x ARO. ALE is £7,500 (£30,000 x 0.25), when ARO is estimated to be 0.25 (once in four years).
As we can see, risk is a function of the impact a vulnerability would have on the business and the probability of that vulnerability being exploited.
This allows the cost of mitigating the risk to be compared with the cost of accepting it. However, for the calculations to have any value, the data used in them must be accurate.
Many organisations have insufficient or inaccurate information, so this method is not widely used.
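The SLE and ALE calculations above, and the comparison of mitigation cost against the cost of accepting the risk, worked through in code. This is an added example, not part of the course material; the asset value of £100,000 is implied by the article's SLE and EF figures, and the two controls, their costs and their residual EF/ARO values are constructed.

```python
# Added example (not part of the course material): the quantitative risk
# calculations described above, using the article's figures.
from dataclasses import dataclass


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF. EF is the fraction (0..1) of the asset value lost per incident."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annualised_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO. ARO is the expected number of occurrences per year."""
    if aro < 0:
        raise ValueError("annual rate of occurrence cannot be negative")
    return sle * aro


@dataclass
class Control:
    """A candidate mitigation and its assumed effect (constructed values)."""
    name: str
    annual_cost: float        # yearly cost of running the control
    residual_ef: float        # exposure factor once the control is in place
    residual_aro: float       # occurrence rate once the control is in place


def annual_benefit(asset_value: float, ef: float, aro: float, control: Control) -> float:
    """Net value of the control per year: (ALE before) - (ALE after) - annual cost.
    A positive result means mitigating is cheaper than accepting the risk."""
    ale_before = annualised_loss_expectancy(single_loss_expectancy(asset_value, ef), aro)
    ale_after = annualised_loss_expectancy(
        single_loss_expectancy(asset_value, control.residual_ef), control.residual_aro)
    return ale_before - ale_after - control.annual_cost


if __name__ == "__main__":
    # Article figures: EF 0.3 and SLE 30,000 imply an asset value of 100,000 (assumed).
    av, ef, aro = 100_000, 0.3, 0.25
    sle = single_loss_expectancy(av, ef)          # 30,000
    ale = annualised_loss_expectancy(sle, aro)    # 7,500
    print(f"SLE = {sle:,.0f}  ALE = {ale:,.0f}")
    # Constructed controls, compared against simply accepting the 7,500/year risk.
    for c in (Control("offsite backups", 2_000, 0.05, 0.25),
              Control("premium insurance", 9_000, 0.0, 0.25)):
        print(f"{c.name}: net benefit {annual_benefit(av, ef, aro, c):,.0f}/year")
```

Note that the comparison is only as good as the AV, EF and ARO estimates fed into it, which is exactly the data-quality caveat the article raises.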
Qualitative analysis
Qualitative analysis uses subjective judgment based on ‘soft’ or non-quantifiable data.
Typically, a risk matrix plots Impact against Likelihood, either as a 3x3 grid (low, medium and high) or as a 5x5 grid with Likelihood (rare, unlikely, possible, likely, and almost certain) against Consequence (insignificant, negligible, moderate, extensive, and significant). This is illustrated in Figure 3.
This analysis enables risks to be prioritised but remains more intuitive than a quantitative analysis.
Semi-quantitative analysis
The semi-quantitative method shown in Figure 4 assigns numeric values for impact and likelihood. It then enables a value to be assigned to the risk by multiplying the associated numbers.
Risk table
Examples of risk register entries, together with the appropriate impact, likelihood, and risk levels identified are illustrated below in Figures 5-7.
You can see in the first Risk Table the use of the qualitative method to evaluate the risk following the exposure of the website's development environment. You will notice that while the Likelihood and Risk are medium, the Impact is low. In examples 2 and 3, the issues lead to an assessment where the Likelihood is medium, but Risk and Impact are high. At a glance, these are useful indicators of risk.
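The semi-quantitative method and the risk register entries above, worked through in code: each entry's ratings are converted to numbers, multiplied, banded back into a level, and the register is sorted so the highest-scoring risks come first. This is an added example, not the course's own material; the 1-3 numeric scale, the score bands and the register rows (only the first mirrors the article's example) are assumptions.

```python
# Added example (not the course's own material): semi-quantitative scoring of
# risk register entries. The numeric scale and the bands are assumptions.
from dataclasses import dataclass

# 3x3 scale: map the qualitative ratings to numbers (assumed 1..3).
RATING = {"low": 1, "medium": 2, "high": 3}


def band(score: int) -> str:
    """Assumed bands for the product score: 1 -> low, 2-4 -> medium, 6-9 -> high."""
    if score >= 6:
        return "high"
    if score >= 2:
        return "medium"
    return "low"


@dataclass
class RegisterEntry:
    risk_id: int
    description: str
    likelihood: str
    impact: str

    def score(self) -> int:
        """Semi-quantitative risk value: likelihood x impact."""
        return RATING[self.likelihood] * RATING[self.impact]

    def level(self) -> str:
        return band(self.score())


def prioritise(register):
    """Entries ordered highest score first, so the register can be worked top-down."""
    return sorted(register, key=lambda e: e.score(), reverse=True)


# Constructed register rows, rated as the article's Figures 5-7 describe.
REGISTER = [
    RegisterEntry(1, "Website development environment exposed", "medium", "low"),
    RegisterEntry(2, "Example 2 (constructed)", "medium", "high"),
    RegisterEntry(3, "Example 3 (constructed)", "medium", "high"),
]

if __name__ == "__main__":
    for e in prioritise(REGISTER):
        print(f"Risk {e.risk_id}: L={e.likelihood} I={e.impact} "
              f"score={e.score()} level={e.level()}")
```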
What’s next?
Now that you’ve looked at quantifying risk, in the next article you’re going to explore risk treatment.