An Introduction To
Information, Network and Internet Security


Comparing the Two Approaches

Both the qualitative and the quantitative approach to security risk management have advantages and disadvantages. Some situations call for the quantitative approach, while small organizations or those with limited resources will probably find the qualitative approach better suited to them. The following table summarizes the benefits and drawbacks of each approach:

Quantitative approach

  Benefits:
  - Risks are prioritized by financial impact; assets are prioritized by financial value.
  - Results facilitate management of risk by return on security investment.
  - Results can be expressed in management-specific terminology (e.g., monetary values and probability expressed as a specific percentage).
  - Accuracy tends to increase over time as the organization builds a historic record of data while gaining experience.

  Drawbacks:
  - Impact values assigned to risks are based on the subjective opinions of participants.
  - The process to reach credible results and consensus is very time consuming.
  - Calculations can be complex and time consuming.
  - Results are presented in monetary terms only, and they may be difficult for non-technical people to interpret.
  - The process requires expertise, so participants cannot be easily coached through it.

Qualitative approach

  Benefits:
  - Enables visibility and understanding of risk ranking.
  - Easier to reach consensus.
  - Not necessary to quantify threat frequency.
  - Not necessary to determine the financial value of assets.
  - Easier to involve people who are not experts on security or computers.

  Drawbacks:
  - Insufficient differentiation between important risks.
  - Difficult to justify investing in control implementation because there is no basis for a cost-benefit analysis.
  - Results are dependent upon the quality of the risk management team that is created.

Figure 3 - Comparison between 'Qualitative' and 'Quantitative' risk processes
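The "prioritized by financial impact" and "return on security investment" benefits, and the "subjective opinions" drawback, are easier to judge with numbers in hand. The following is an added example, not code from the original page: it applies the standard quantitative formulas (Annualised Loss Expectancy = Single Loss Expectancy x Annualised Rate of Occurrence, and ROSI = (ALE avoided - control cost) / control cost) to a constructed risk register, ranks the risks, scores candidate controls, and then shows how far a ROSI figure swings when the frequency estimate feeding it is only a guess. The risk names, currency amounts, frequencies and reduction percentages are all invented for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One risk scenario with the standard quantitative inputs (all values constructed)."""
    name: str
    sle: float  # Single Loss Expectancy: asset value x exposure factor, in currency units
    aro: float  # Annualised Rate of Occurrence: expected incidents per year

    def ale(self) -> float:
        # Annualised Loss Expectancy: the financial impact quantitative methods rank by.
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    """A candidate safeguard and the fraction of ALE it is estimated to remove."""
    name: str
    risk_name: str
    annual_cost: float
    ale_reduction: float  # 0.0..1.0; a judgement call, which is the subjectivity drawback


def rank_by_ale(risks):
    """Return risks ordered by annual financial impact, highest first."""
    return sorted(risks, key=lambda r: r.ale(), reverse=True)


def rosi(risk, control):
    """Return on Security Investment = (ALE avoided - control cost) / control cost."""
    avoided = risk.ale() * control.ale_reduction
    return (avoided - control.annual_cost) / control.annual_cost


def rosi_sensitivity(risk, control, aro_low, aro_high):
    """Re-run rosi() at the low and high ends of an ARO estimate range.

    Shows how far the answer moves when the frequency input is a guess rather
    than a figure backed by incident history.
    """
    lo = rosi(Risk(risk.name, risk.sle, aro_low), control)
    hi = rosi(Risk(risk.name, risk.sle, aro_high), control)
    return lo, hi


# Constructed sample register; the numbers are illustrative, not benchmarks.
RISKS = [
    Risk("Ransomware on file server", sle=200_000, aro=0.2),
    Risk("Laptop theft", sle=5_000, aro=3.0),
    Risk("Web application breach", sle=500_000, aro=0.05),
]

# Constructed candidate controls, one per risk, with hypothetical costs and effect sizes.
CONTROLS = [
    Control("Offline backups", "Ransomware on file server", annual_cost=12_000, ale_reduction=0.75),
    Control("Full-disk encryption", "Laptop theft", annual_cost=4_000, ale_reduction=0.90),
    Control("Web application firewall", "Web application breach", annual_cost=30_000, ale_reduction=0.60),
]


def evaluate(risks=RISKS, controls=CONTROLS):
    """Map each control name to its ROSI; a negative value means it costs more than it saves."""
    by_name = {r.name: r for r in risks}
    return {c.name: rosi(by_name[c.risk_name], c) for c in controls}


if __name__ == "__main__":
    for r in rank_by_ale(RISKS):
        print(f"{r.name:28s} ALE  = {r.ale():>10,.0f}")
    for name, value in evaluate().items():
        print(f"{name:28s} ROSI = {value:+.2f}")
    # Same control, but suppose the ransomware ARO is only known to lie between 0.05 and 0.5 per year.
    lo, hi = rosi_sensitivity(RISKS[0], CONTROLS[0], 0.05, 0.5)
    print(f"Offline backups ROSI ranges from {lo:+.2f} to {hi:+.2f} across the ARO estimate")
```

On these constructed figures the web application breach has the largest single loss but only the second-largest ALE, and the firewall proposed for it comes out with a negative ROSI, while the cheap laptop encryption scores best; that is the cost-benefit basis the qualitative approach lacks. The sensitivity call makes the drawback concrete: moving the ransomware frequency estimate across a plausible range turns the backup control from a net loss into a clear win, so a quantitative result is only as credible as the incident data behind its ARO.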

In years past, quantitative approaches seemed to dominate security risk management, and they remain prevalent in the US. This has changed recently as more and more practitioners have acknowledged that strictly following a quantitative risk management process typically results in difficult, long-running projects that deliver few tangible benefits. This has led to a growing preference for qualitative risk assessment.



The Security Practitioner

An Introduction to Information Security