
Qualitative and quantitative methods

In this article, you're going to look at qualitative, quantitative and semi-quantitative analysis as ways of gauging risk, which help you judge a risk's size and urgency.

Let us first look at the two broad types of analysis: qualitative and quantitative.

Qualitative analysis fundamentally means to measure something by its quality rather than quantity. It's linguistic and non-mathematical. Qualitative analysis is an educated guess that's modelled with a rating system such as low, medium and high probability. One of the best examples of an educated guess was made by Michael J. Burry regarding the subprime mortgage crisis. Based on his knowledge and expertise, he analysed data and saw the potential crisis emerging.

Quantitative analysis is the opposite: it measures by quantity rather than quality, and is mathematical rather than linguistic. Quantitative analysis is the process of applying mathematical and statistical tools to express complex situations as numerical values. Quantitative analysts focus on numbers, statistics, data and percentages. As a result, quantitative analysis often involves collecting, evaluating and analysing large volumes of data to identify patterns or trends. By recognising trends in data, analysts can forecast future outcomes, behaviours and trends, and use these assessments to make well-informed business decisions.

Examples of quantitative analysis 

There are a variety of methods and tools adopted in quantitative analysis. To build a numerical interpretation of a given situation, analysts often collect and assess historical data. Some examples of quantitative analysis include: 

  • Historical financial reports 
  • Random sampling 
  • Large-scale datasets (for example, car insurance claims for break-ins in a specific area)
  • Tracking software (for example, advertising and customer relationship management software) 
  • Analytics gathered by machines 

Quantitative analysis

Quantitative risk analysis begins by calculating the Single Loss Expectancy (SLE) - see Figure 1: SLE - which is the actual monetary cost of a single incident. This is the Asset Value (AV) multiplied by the Exposure Factor (EF). The EF is the fraction or percentage that specifies how much of the asset value is lost. Organisations will often simply set this to 1 (100%), assuming that all of the value is lost.

So the single loss expectancy (SLE) captures the potential loss when a threat occurs, expressed in monetary terms. It is calculated as SLE = AV x EF, where the exposure factor (EF) is the proportion of the asset's value lost as a result of the threat, expressed as a percentage or fraction. In our example, EF is estimated at 0.3 and the SLE is £30,000 (which implies an asset value of £100,000).

Figure 1: SLE (single loss expectancy): EF x AV = SLE

Figure 2: ALE (annualised loss expectancy): ARO x SLE = ALE

The annualised loss expectancy

The annualised loss expectancy (ALE), shown in Figure 2, is the estimated cost of the risk for a year. It is calculated by multiplying the SLE by the estimated Annual Rate of Occurrence (ARO), which is the estimated frequency with which the threat occurs in one year: ALE = SLE x ARO. In our example, ARO is estimated at 0.25 (once in four years), so ALE is £7,500 (£30,000 x 0.25).

As we can see, the risk is a combination of the impact of the vulnerability on the business and the probability that the vulnerability will be exploited.

This allows the cost of mitigating the risk to be compared with the cost of accepting it. However, for the calculations to have any value, the data used in them must be accurate. 

Many organisations have insufficient or inaccurate information, so this method is not widely used.
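A worked calculation of the SLE and ALE formulas above, added here as an example rather than the article's own material. It uses the article's figures (EF 0.3, ARO 0.25, SLE £30,000, which implies an asset value of £100,000) and adds a hypothetical mitigated case with an assumed annual control cost so the cost of mitigating the risk can be compared with the cost of accepting it; the net-benefit formula and the control figures are assumptions, not from the article.

```python
from dataclasses import dataclass


@dataclass
class QuantitativeRisk:
    asset_value: float      # AV, in pounds
    exposure_factor: float  # EF, fraction of AV lost per incident (0.0 to 1.0)
    aro: float              # annual rate of occurrence (0.25 = once in four years)

    def sle(self) -> float:
        """Single loss expectancy: SLE = AV x EF."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be a fraction between 0 and 1")
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualised loss expectancy: ALE = SLE x ARO."""
        if self.aro < 0:
            raise ValueError("ARO cannot be negative")
        return self.sle() * self.aro


def control_net_benefit(before: QuantitativeRisk, after: QuantitativeRisk,
                        annual_control_cost: float) -> float:
    """Annual saving from a control (assumed cost/benefit formula, not from the article):
    (ALE before) - (ALE after) - (annual cost of the control).
    A positive result means mitigating is cheaper than accepting the risk."""
    return before.ale() - after.ale() - annual_control_cost


if __name__ == "__main__":
    # Article's example: EF = 0.3, ARO = 0.25; an SLE of £30,000 implies AV = £100,000
    risk = QuantitativeRisk(asset_value=100_000, exposure_factor=0.3, aro=0.25)
    print(f"SLE = £{risk.sle():,.0f}")  # £30,000
    print(f"ALE = £{risk.ale():,.0f}")  # £7,500
    # Hypothetical control: halves the likelihood (once in eight years) for £2,000 a year
    mitigated = QuantitativeRisk(asset_value=100_000, exposure_factor=0.3, aro=0.125)
    print(f"Net benefit = £{control_net_benefit(risk, mitigated, 2_000):,.0f}")  # £1,750
```

Because every input is an estimate, rerunning with a range of EF and ARO values shows how sensitive the ALE, and therefore the accept-or-mitigate decision, is to the quality of the data.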

Qualitative analysis

Qualitative analysis uses subjective judgment based on ‘soft’ or non-quantifiable data. 

Typically, a risk matrix plots impact against likelihood. It may be 3x3, with low, medium and high on each axis, or 5x5, with likelihood rated as rare, unlikely, possible, likely or almost certain and consequence rated as insignificant, negligible, moderate, extensive or significant. This is illustrated in Figure 3.

This analysis enables risks to be prioritised but remains more intuitive than a quantitative analysis. 

Figure 3: Qualitative analysis: coloured matrix with Impact on the y-axis and Likelihood on the x-axis, each rated high, medium or low. Coloured boxes indicate the risk level.

Semi-quantitative analysis 

The semi-quantitative method shown in Figure 4 assigns numeric values for impact and likelihood. It then enables a value to be assigned to the risk by multiplying the associated numbers. 

Figure 4: Semi-quantitative analysis: coloured matrix with Impact on the y-axis and Likelihood on the x-axis, each scored 1, 2 or 3. Coloured boxes indicate the risk level.

Risk table

Examples of risk register entries, together with the appropriate impact, likelihood, and risk levels identified are illustrated below in Figures 5-7.

You can see in the first risk table the use of the qualitative method to evaluate the risk following the exposure of the website's development environment. You will notice that while the Likelihood and Risk are medium, the Impact is low. In examples 2 and 3, the issues lead to an assessment where the Likelihood is medium, but Risk and Impact are high. At a glance, these are useful indicators of risk.

Figure 5: Risk table 1 (Example 1), with columns Issue, Threat, Impact, Likelihood and Risk. Issue: the website's development environment was revealed within the HTML meta tags. Threat: this enables an attacker to understand the development environment and provides opportunities for attacks against client-side software as well as social engineering. Impact: low; Likelihood: medium; Risk: medium.

Figure 6: Risk table 2 (Example 2), with columns Issue, Threat, Impact, Likelihood and Risk. Issue: business continuity plans are not being tested. Threat: should a disaster occur, it is likely that the business continuity plans will not be instigated without major problems and the company may not be able to function for a period of time. Impact: high; Likelihood: medium; Risk: high.

Figure 7: Risk table 3 (Example 3), with columns Issue, Threat, Impact, Likelihood and Risk. Issue: no segregation of duties has been implemented. Threat: administrators can perform unauthorised activities without detection, including corrupting the system and stealing sensitive company information. Impact: high; Likelihood: medium; Risk: high.
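The semi-quantitative scoring described for Figure 4, applied to the three risk register entries of Figures 5-7, as an added example that is not part of the original article. The 1/2/3 ratings for impact and likelihood follow the article; the bands that turn a product back into a low, medium or high level are an assumption (Figure 4 is not reproduced here), chosen so the results agree with the levels stated for the three examples.

```python
# Numeric ratings from the 3x3 semi-quantitative matrix (Figure 4)
LEVELS = {"low": 1, "medium": 2, "high": 3}


def risk_score(impact: str, likelihood: str) -> int:
    """Semi-quantitative score: numeric impact x numeric likelihood (1 to 9)."""
    try:
        return LEVELS[impact.lower()] * LEVELS[likelihood.lower()]
    except KeyError as exc:
        raise ValueError(f"unknown rating {exc}; expected one of {list(LEVELS)}") from None


def risk_level(score: int) -> str:
    """Map a product back to a level. Bands are an assumption: 1 low, 2-4 medium, 6-9 high."""
    if score <= 1:
        return "low"
    if score <= 4:
        return "medium"
    return "high"


def assess(register: list[dict]) -> list[dict]:
    """Return each register entry with its score and risk level, most severe first."""
    assessed = []
    for entry in register:
        score = risk_score(entry["impact"], entry["likelihood"])
        assessed.append({**entry, "score": score, "risk": risk_level(score)})
    return sorted(assessed, key=lambda e: e["score"], reverse=True)


# The three issues from the article's risk tables, with the impact and likelihood stated there
REGISTER = [
    {"issue": "Development environment revealed in HTML meta tags", "impact": "low", "likelihood": "medium"},
    {"issue": "Business continuity plans are not being tested", "impact": "high", "likelihood": "medium"},
    {"issue": "No segregation of duties has been implemented", "impact": "high", "likelihood": "medium"},
]

if __name__ == "__main__":
    for e in assess(REGISTER):
        print(f"{e['score']}  {e['risk']:<7} {e['issue']}")
```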

What’s next?

Now that you’ve looked at quantifying risk, in the next article you’re going to explore risk treatment.


In this course, you'll examine the risk management life cycle and treatment, and learn about qualitative and quantitative methods as well as the risk register and asset classification.