A qualitative risk assessment uses judgment to categorize risks based on probability and impact. Probability is the likelihood that an event will occur, such as the likelihood that a threat will attempt to exploit a vulnerability. Impact is the negative result of the event, such as loss of confidentiality, integrity, or availability of a system or data.
Notice that this is much different from the exact numbers provided by a quantitative assessment that uses monetary figures. You can think of quantitative as using a quantity or a number, whereas qualitative is related to quality, which is often a matter of judgment. You can read about quantitative risk assessments here.
When preparing for security certifications such as CompTIA's Security+ and CASP certifications, and (ISC)2's SSCP and CISSP certifications, you should have a good understanding of risk assessments, including both quantitative and qualitative risk assessments.
Risk Assessment
A risk assessment, or risk analysis, is an important task in risk management. It quantifies or qualifies risks based on different values or judgments. A risk assessment starts by first identifying assets and asset values. This helps an organization focus on the high-value assets and avoid wasting time on low-value assets.
It then identifies threats and vulnerabilities and determines the likelihood a threat will attempt to exploit a vulnerability. A risk assessment attempts to identify the impact of potential threats and identify the potential harm, and prioritizes risks based on the likelihood and impact. Last, a risk assessment includes recommendations on what controls to implement to mitigate risks.
A risk assessment is a point-in-time assessment, or a snapshot. In other words, it assesses the risks based on current conditions, such as current threats, vulnerabilities, and existing controls. For example, consider a library computer that has up-to-date antivirus protection and cannot access the Internet. Based on these conditions, the risks are low. However, if administrators connect the system to the Internet, or fail to keep the antivirus software up to date, the risk increases.
It’s common to perform risk assessments on new systems or applications. For example, if an organization is considering adding a new service or application that can increase revenue, it will often perform a risk assessment. This helps it determine if the potential risks may offset the potential gains.
Risk assessments use quantitative measurements or qualitative measurements. Quantitative measurements use numbers, such as a monetary figure representing cost and asset values. Qualitative measurements use judgments. Both methods have the same core goal of helping management make educated decisions based on priorities.
Canvassing Experts
Some qualitative risk assessments use surveys or focus groups. They canvass experts to provide their best judgments and then tabulate the results. For example, a survey may ask the experts to rate the probability and impact of risks associated with a web server selling products on the Internet and a library workstation without Internet access. The experts would use words such as low, medium, and high to rate them.
They could rate the probability of a web server being attacked as high, and if the attack takes the web server out of service, the impact is also high. On the other hand, the probability of a library workstation being attacked is low, and, even though a library patron may be inconvenienced, the impact is also low.
It’s common to assign numbers to these judgments. For example, you can use terms such as low, medium, and high, and assign values of 1, 5, and 10, respectively. The experts assign a probability and impact of each risk using low, medium, and high, and when tabulating the results, you change the words to numbers. This makes it a little easier to calculate the results.
In the web server and library computer examples, you can calculate the risk by multiplying the probability and the impact:
- Web server. High probability and high impact: 10 × 10 = 100.
- Library computer. Low probability and low impact: 1 × 1 = 1.
Management can look at these numbers and easily determine how to allocate resources to protect against the risks. They would allocate more resources to protect the web server than the library computer.
One of the challenges with a qualitative risk assessment is gaining consensus on the probability and impact. Unlike monetary values that you can validate with facts, probability and impact are often subject to debate.
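The tabulation described above, as an added example that is not part of the original post: survey responses from several experts are converted from low/medium/high to 1/5/10, averaged per asset, multiplied into a risk score, and flagged where the experts disagree by more than one rating step. The survey data is constructed for illustration; the "payroll database" asset is an assumption added to show a low-consensus case.

```python
from statistics import mean

# Numeric values assigned to the qualitative ratings, as in the text.
RATING_VALUES = {"low": 1, "medium": 5, "high": 10}

# Constructed survey: one (asset, probability, impact) triple per expert.
SURVEY = [
    ("web server", "high", "high"),
    ("web server", "high", "high"),
    ("web server", "high", "high"),
    ("library workstation", "low", "low"),
    ("library workstation", "low", "low"),
    ("library workstation", "low", "low"),
    ("payroll database", "low", "high"),     # assumed asset, experts disagree
    ("payroll database", "high", "high"),
    ("payroll database", "medium", "high"),
]

def to_value(rating):
    """Convert a low/medium/high judgment to its numeric value."""
    return RATING_VALUES[rating.strip().lower()]

def tabulate(responses):
    """Average each asset's probability and impact across experts and compute
    risk = probability x impact. consensus is False when any two experts are
    more than one rating step apart (low vs. high) on probability or impact."""
    by_asset = {}
    for asset, prob, impact in responses:
        by_asset.setdefault(asset, []).append((to_value(prob), to_value(impact)))
    results = {}
    for asset, ratings in by_asset.items():
        probs = [p for p, _ in ratings]
        impacts = [i for _, i in ratings]
        avg_p, avg_i = mean(probs), mean(impacts)
        # Adjacent ratings differ by at most 5 (1->5->10); a wider spread
        # means the judgment is worth debating before acting on the score.
        consensus = (max(probs) - min(probs) <= 5) and (max(impacts) - min(impacts) <= 5)
        results[asset] = {"probability": avg_p, "impact": avg_i,
                          "risk": avg_p * avg_i, "consensus": consensus}
    return results

def rank(results):
    """Order assets from highest to lowest risk score for resource allocation."""
    return sorted(results, key=lambda a: results[a]["risk"], reverse=True)

if __name__ == "__main__":
    scores = tabulate(SURVEY)
    for asset in rank(scores):
        s = scores[asset]
        flag = "" if s["consensus"] else "  (no consensus, review)"
        print(f"{asset:20} risk={s['risk']:6.1f}{flag}")
```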