An Introduction To
Information, Network and Internet Security

Show table of contentsGlossary

Qualitative Risk Assessment

What differentiates qualitative risk assessment from quantitative risk assessment is that in the former one does not try to assign hard financial values to assets, expected losses, and cost of controls. Instead, one calculates relative values. Risk analysis is usually conducted through a combination of questionnaires and collaborative workshops involving people from a variety of groups within the organization such as:

         information security experts;

         information technology managers and staff;

         business asset owners and users;

         senior management.

If used, questionnaires are typically distributed a few days to a few weeks ahead of the first workshop. The questionnaires are designed to discover what assets and controls are already deployed, and the information gathered can be very helpful during the workshops that follow. In the workshops participants identify assets and estimate their relative values. Next they try to determine what threats each asset may be facing, and then they try to imagine what types of vulnerabilities those threats might exploit in the future.

The information security experts and the system administrators typically come up with controls to mitigate the risks for the group to consider and the approximate cost of each control. Finally, the results are presented to management for consideration during a cost-benefit analysis.

As can be seen, the basic process for qualitative assessments is very similar to what happens in the quantitative approach. The difference is in the details. Comparisons between the value of one asset and another are relative, and participants do not invest a lot of time trying to calculate precise financial numbers for asset valuation. The same is true for calculating the possible impact from a risk being realized and the cost of implementing controls.

The benefits of a qualitative approach are that it overcomes the challenge of calculating accurate figures for asset value, cost of control, and so on, and the process is much less demanding on staff. Qualitative risk management projects can typically start to show significant results within a few weeks, whereas most organizations that choose a quantitative approach see little benefit for months, and sometimes even years, of effort. The drawback of a qualitative approach is that the resulting figures are vague and some decision makers, especially those with finance or accounting backgrounds, may not be comfortable with the relative values determined during a qualitative risk assessment project.

The Security Practitioner

An Introduction to Information Security