Quantitative and Qualitative Risk Analysis

Quantitative and Qualitative Risk Analysis are two methods for analyzing risk. Quantitative Risk Analysis uses hard metrics, such as dollars. Qualitative Risk Analysis uses simple approximate values. Quantitative is more objective; qualitative is more subjective. Hybrid Risk Analysis combines the two, using quantitative analysis for risks that can easily be expressed in hard numbers such as money, and qualitative analysis for the remainder.

Exam Warning

Quantitative Risk Analysis requires you to calculate the quantity of the asset you are protecting. Quantitative-quantity is a hint to remember this for the exam.

Calculating the Annualized Loss Expectancy (ALE) is an example of Quantitative Risk Analysis. The inputs for ALE are hard numbers: Asset Value (in dollars), Exposure Factor (as a percentage), and Annual Rate of Occurrence (as a hard number).

The Risk Analysis Matrix (shown previously in [Table 2.4]) is an example of Qualitative Risk Analysis. Likelihood and Consequences are rough (and sometimes subjective) values, ranging from 1 to 5. Whether the consequences of a certain risk are a “4” or a “5” can be a matter of (subjective) debate.

Quantitative Risk Analysis is more difficult; to quantitatively analyze the risk of damage to a data center due to an earthquake, you would need to calculate the asset value of the data center: the cost of the building, the servers, network equipment, computer racks, monitors, etc. Then calculate the Exposure Factor, and so on.

To qualitatively analyze the same risk, you would research the risk, and agree that the likelihood is a 2, and the consequences are a 4, and use the Risk Analysis Matrix to determine a risk of “high.”
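The earthquake scenario above worked both ways, as an added example that is not from the original text. It uses the standard formulas SLE = AV × EF and ALE = SLE × ARO; the dollar figures, EF, ARO and every matrix cell other than likelihood 2 / consequences 4 = "high" are assumptions, since Table 2.4 is not reproduced on this page.

```python
from dataclasses import dataclass, field
from typing import Optional

# Assumed 5x5 matrix: rows = likelihood 1-5, columns = consequences 1-5.
# Only the cell likelihood 2 / consequences 4 = "high" comes from the page.
MATRIX = [
    ["low", "low", "medium", "high", "high"],
    ["low", "low", "medium", "high", "extreme"],
    ["low", "medium", "high", "extreme", "extreme"],
    ["medium", "high", "high", "extreme", "extreme"],
    ["high", "high", "extreme", "extreme", "extreme"],
]

@dataclass
class Risk:
    name: str
    likelihood: int                          # 1-5, subjective
    consequences: int                        # 1-5, subjective
    assets: dict = field(default_factory=dict)  # component -> dollars
    exposure_factor: Optional[float] = None  # fraction of AV lost per event
    aro: Optional[float] = None              # expected events per year

def qualitative(risk):
    if not (1 <= risk.likelihood <= 5 and 1 <= risk.consequences <= 5):
        raise ValueError("likelihood and consequences must be 1-5")
    return MATRIX[risk.likelihood - 1][risk.consequences - 1]

def quantitative(risk):
    """Return (AV, SLE, ALE), or None when the hard numbers are missing."""
    if not risk.assets or risk.exposure_factor is None or risk.aro is None:
        return None
    if not 0 <= risk.exposure_factor <= 1 or risk.aro < 0:
        raise ValueError("EF must be 0-1 and ARO non-negative")
    av = sum(risk.assets.values())           # asset value = sum of components
    sle = av * risk.exposure_factor          # Single Loss Expectancy
    return av, sle, sle * risk.aro           # ALE = SLE x ARO

def analyze(risk):
    """Hybrid analysis: dollars where they exist, matrix rating otherwise."""
    figures = quantitative(risk)
    if figures is None:
        return {"method": "qualitative", "rating": qualitative(risk)}
    return {"method": "quantitative", "ale": figures[2]}

# Constructed sample data (all dollar figures, EF and ARO are made up).
EARTHQUAKE = Risk("Data center earthquake", 2, 4,
                  {"building": 5_000_000, "servers": 2_000_000, "network": 500_000,
                   "racks": 100_000}, exposure_factor=0.5, aro=0.02)
REPUTATION = Risk("Reputation damage", 3, 2)  # no dollar figures available
```

With these constructed inputs the earthquake risk has an ALE of about $76,000 per year, while the risk without hard numbers falls back to a matrix rating.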