Security+ Academy · Lesson

Qualitative vs Quantitative Risk Analysis

Compare subjective (High/Medium/Low) and objective (ALE = SLE x ARO) methods for measuring risk and when each is appropriate for business decisions.

Two Approaches to Measuring Risk

Once risks are identified, organizations must estimate how much risk each one represents. Two broad approaches exist: qualitative analysis uses descriptive scales (High, Medium, Low) based on expert judgment, while quantitative analysis uses numerical calculations to express risk in monetary terms. Both approaches have a place in a mature security program; the right choice depends on the data available and the decision being made.

Qualitative Risk Analysis

In qualitative analysis, analysts assign descriptive ratings to likelihood and impact, typically on a 3-level (Low/Medium/High) or 5-level scale. These ratings are combined in a risk matrix to produce an overall risk level. The main advantage is speed and accessibility: no detailed financial data is needed, and stakeholders without accounting backgrounds can participate. The downside is subjectivity: two analysts may rate the same risk differently, so the scale and the matrix should be written down and agreed before rating begins.

# Qualitative risk matrix example
#             Impact
#          Low  Med  High
Likelihood:
Low      [ L    L    M   ]
Medium   [ L    M    H   ]
High     [ M    H    H   ]

# Example risk entry:
Risk      : Phishing attack leads to credential theft
Likelihood: High
Impact    : High
Rating    : HIGH -> Immediate action required
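The matrix above turned into a lookup and applied to a small risk register, as an added worked example (not code from the lesson). It also computes the quantitative figure named in the lesson summary, ALE = SLE x ARO, for the same risks, so you can see where the two methods agree on ranking and where they do not. The register entries, the dollar figures, and the treatment text for Low and Medium ratings are constructed for illustration; only the matrix and the "HIGH -> Immediate action required" rule come from the lesson.

```python
"""Qualitative risk matrix lookup beside the quantitative ALE = SLE x ARO."""
from dataclasses import dataclass

# Rows are likelihood, columns are impact, copied from the matrix in the lesson.
RISK_MATRIX = {
    "Low":    {"Low": "Low",    "Medium": "Low",    "High": "Medium"},
    "Medium": {"Low": "Low",    "Medium": "Medium", "High": "High"},
    "High":   {"Low": "Medium", "Medium": "High",   "High": "High"},
}

# Accept the abbreviations used in the lesson's matrix header (L / Med / H).
_ALIASES = {"l": "Low", "low": "Low", "m": "Medium", "med": "Medium",
            "medium": "Medium", "h": "High", "high": "High"}

# Treatment guidance per rating. Only the High entry is from the lesson;
# the Low and Medium wording is a hypothetical policy.
ACTION = {"Low": "Accept and monitor",
          "Medium": "Schedule treatment",
          "High": "Immediate action required"}

RANK = {"High": 0, "Medium": 1, "Low": 2}


def normalize_level(level: str) -> str:
    """Map 'H', 'med', 'HIGH', ... onto the canonical Low/Medium/High.

    Anything outside the agreed scale is rejected rather than guessed, so a
    typo in the register cannot silently become a Low rating."""
    try:
        return _ALIASES[level.strip().lower()]
    except KeyError:
        raise ValueError(f"unknown level {level!r}; expected Low/Medium/High") from None


def qualitative_rating(likelihood: str, impact: str) -> str:
    """Look up the overall rating in the lesson's 3x3 risk matrix."""
    return RISK_MATRIX[normalize_level(likelihood)][normalize_level(impact)]


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """Quantitative counterpart: ALE = SLE x ARO.

    SLE is the single loss expectancy in currency units, ARO the annualized
    rate of occurrence (0.5 means once every two years)."""
    if sle < 0 or aro < 0:
        raise ValueError("SLE and ARO must be non-negative")
    return sle * aro


@dataclass
class Risk:
    name: str
    likelihood: str
    impact: str
    sle: float   # single loss expectancy (constructed figure)
    aro: float   # annualized rate of occurrence (constructed figure)


# Constructed sample register; the monetary figures are illustrative only.
REGISTER = [
    Risk("Phishing attack leads to credential theft", "High", "High", 50_000, 2.0),
    Risk("Lost unencrypted laptop", "Medium", "High", 20_000, 0.5),
    Risk("Website defacement", "Medium", "Low", 5_000, 0.25),
    Risk("Server room flood", "Low", "High", 200_000, 0.05),
]


def rate_register(register):
    """Return [(name, rating, action, ale)] ordered High -> Low, ties by ALE."""
    rows = []
    for r in register:
        rating = qualitative_rating(r.likelihood, r.impact)
        ale = annual_loss_expectancy(r.sle, r.aro)
        rows.append((r.name, rating, ACTION[rating], ale))
    rows.sort(key=lambda row: (RANK[row[1]], -row[3]))
    return rows


if __name__ == "__main__":
    for name, rating, action, ale in rate_register(REGISTER):
        print(f"{rating:<6} ALE={ale:>10,.0f}  {name}: {action}")
```

In the sample register the laptop loss and the flood carry the same ALE (10,000 a year each), yet the matrix rates one High and the other Medium: the qualitative scale has no way to express that a rare event can carry a very large single loss. That gap is the usual argument for backing a High/Medium/Low register with ALE figures where the data exists.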
