

Risk Assessment: Qualitative vs Quantitative

Risk Assessment Methodologies

Risk assessment and analysis is a nebulous process. Unless one has studied risk and the math that goes along with it, one might not know where to start when a regulation says that a risk analysis must be performed. SBS recently posted an article on how to perform a quantitative risk assessment and a few different ways to develop an IT Risk Assessment that helps you make better decisions. A quantitative risk assessment of your IT environment is a must if you want to reach the higher levels of a security maturity model, and it is a must if your organization wants to take IT risk management seriously. However, there are times when you need to measure your risk against a set of regulatory controls, where the question is not "what is the expected loss on this asset" but "how well is this required control in place." The quantitative method is not suited to that type of calculation. Instead, risk assessors use a more qualitative method.


What Does “Qualitative Risk Assessment” Mean?

Qualitative risk assessment is studying an event, or regulatory control in this case, and understanding the quality of its implementation. In the background of this type of risk assessment, decisions have already been made about the impact to the organization if the control is not implemented and the probability that the control will need to be exercised. As an example, our TRAC Tool performs qualitative risk assessment in our ISP module to give the user an idea of how well the institution’s Information Security Program has been implemented based on a pre-defined standard of security controls.


When to Use Qualitative Measurement

Qualitative risk assessment excels at giving the risk assessor and the risk manager information about how well the control is currently implemented. For instance, on a scale from 1 to 5, a “1” rating might mean that the control hasn’t been considered by the organization. A “2” might mean that the control has been considered but not implemented. A “3” might mean the control has a process implemented by the organization but is not formalized and documented. A “4” might mean the control is formalized but not documented. Finally, a “5” means the control is fully implemented, formalized, and documented.

Using the qualitative method of risk assessment, you can evaluate your institution against a particular standard or piece of guidance. Break the standard you are using down into sections or categories, outline the controls the standard recommends you implement, rate your implementation of each control (on the 1 to 5 scale above), then determine the control-implementation percentage for each section. Calculate that percentage by adding up your ratings in the section and dividing by the maximum possible total (on a 1 to 5 scale, 5 times the number of controls evaluated). Note that because the scale starts at 1 rather than 0, a section in which no control has even been considered still scores 20 percent; treat 20 percent as the floor of the scale, not as evidence of partial implementation.
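The scoring procedure above, written out as an added example (this is not code from the original post and not the SBS TRAC tool): controls are grouped by section, each rating is validated against the 1 to 5 scale before it is counted, and the section percentage is the sum of ratings over 5 times the number of controls. The sections and control names in the sample are constructed for illustration and do not come from any particular standard.

```python
"""Qualitative control-implementation scoring on a 1-to-5 scale.

Added example; not code from the original post or from SBS's TRAC tool.
Section and control names below are constructed placeholders.
"""
from typing import Dict, List, Mapping, Tuple

MIN_RATING, MAX_RATING = 1, 5

# Meaning of each rating, as described in the text.
RATING_LABELS = {
    1: "not considered",
    2: "considered, not implemented",
    3: "implemented, not formalized or documented",
    4: "formalized, not documented",
    5: "implemented, formalized and documented",
}


def section_score(ratings: Mapping[str, int]) -> float:
    """Control-implementation percentage for one section.

    Sum of ratings divided by the maximum possible total (MAX_RATING times the
    number of controls). An empty section or an out-of-range rating raises
    rather than silently producing a misleading number.
    """
    if not ratings:
        raise ValueError("section has no controls to rate")
    for control, rating in ratings.items():
        if not isinstance(rating, int) or not MIN_RATING <= rating <= MAX_RATING:
            raise ValueError(
                f"{control}: rating {rating!r} not in {MIN_RATING}..{MAX_RATING}"
            )
    return 100.0 * sum(ratings.values()) / (MAX_RATING * len(ratings))


def assess(standard: Mapping[str, Mapping[str, int]]) -> Dict[str, float]:
    """Score every section of a standard; returns {section: percentage}."""
    return {name: section_score(controls) for name, controls in standard.items()}


def weakest_controls(
    standard: Mapping[str, Mapping[str, int]], threshold: int = 3
) -> List[Tuple[str, str, int]]:
    """List (section, control, rating) for every control rated below threshold.

    A percentage per section tells you where to look; this tells you what to fix.
    """
    return [
        (section, control, rating)
        for section, controls in standard.items()
        for control, rating in controls.items()
        if rating < threshold
    ]


# Constructed sample input: placeholder sections and controls, not a real standard.
SAMPLE_STANDARD = {
    "Access Control": {
        "Unique user IDs": 5,
        "Quarterly access review": 3,
        "MFA for remote access": 2,
    },
    "Incident Response": {
        "IR plan documented": 4,
        "Annual tabletop exercise": 1,
    },
}

if __name__ == "__main__":
    for section, pct in assess(SAMPLE_STANDARD).items():
        print(f"{section}: {pct:.1f}%")
    for section, control, rating in weakest_controls(SAMPLE_STANDARD):
        print(f"  below target: {section} / {control} = {rating} ({RATING_LABELS[rating]})")
```

On the constructed sample, Access Control scores 10/15 = 66.7 percent and Incident Response 5/10 = 50 percent. The 20 percent floor is visible in `section_score`: a section with every control rated 1 returns 20.0, which is why the helper that lists controls below a threshold is the more useful output for deciding what to fix next.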


Final Thoughts

Ultimately, the risk assessment methodology you use should depend on what you are trying to measure and what outcomes you want from that measurement. A quantitative risk assessment focuses on measurable and often pre-defined data, whereas a qualitative risk assessment rests more on subjectivity and the knowledge of the assessor. A quantitative methodology is best suited to a detailed comparison of like things across your organization, while a qualitative assessment is best for evaluating the implementation of a framework that does not inherently have pre-defined values. In many cases, you can combine the two methodologies to enhance an existing risk assessment. Knowing which methodology to use in a given situation can mean the success or failure of your risk management program.

Written by: Buzz Hillestad
Senior Information Security Consultant - SBS CyberSecurity, LLC

SBS Resources:

  • For a better IT Risk Assessment, look no further than the TRAC risk management solution. TRAC’s IT Risk Assessment module allows you to perform a quantifiable and measurable asset-based risk assessment much more efficiently than using a spreadsheet. TRAC is powered by predefined, industry-specific data that helps you know your risk assessment is correct and allows you to make better security decisions.
  • {Article} How to Build a Better IT Risk Assessment: A comprehensive, measurable, and repeatable IT Risk Assessment should be used to help an organization make better decisions. Without a detailed framework, any money spent on information security is akin to throwing darts at a board.
  • {Cyber Byte Video} IT Risk Assessment: This video covers what the goal of an IT Risk Assessment should be, how it is used to build a strong foundation for your ISP, and steps you can take to go beyond checking boxes off a list.



Posted: Thursday, January 4, 2018
Categories: Blog