What is quantitative risk analysis? What are the different parameters involved in qualitative risk analysis? What is the difference between quantitative risk analysis and qualitative risk analysis?
Risk analysis can be categorized as quantitative, qualitative, or a hybrid of the two. Quantitative risk analysis assigns numeric values or dollar figures to the loss of an organizational asset and is based on mathematical calculations. Qualitative risk analysis, on the other hand, assigns subjective and intangible values to the loss of an asset and takes into account the perspectives, preferences, feelings, ideas, and intuition of individual experts or groups. The purpose of risk assessment in general is to identify possible risks and rank them in order of severity.
The quantitative risk analysis results in concrete likelihood indications or a numeric indication of relative risk potential in an organization. The result of quantitative risk analysis is a report that has dollar figures for levels of risk, potential loss due to the risk, cost of countermeasures, and value of safeguards organizations employ to protect their assets. Quantitative risk analysis is the act of assigning a quantitative value to risk such as placing a dollar figure on each asset and threat consequence.
Risk assessment involves qualitative and quantitative analysis techniques. Quantitative risk analysis results in concrete probability indications or a numeric indication of relative risk potential in an organization. The output of quantitative risk analysis is a report that has dollar figures for levels of risk, potential loss, cost of security controls, and value of safeguards. It is the act of assigning a quantity or a number to risk, which includes placing a dollar figure on each asset and threat impact. The process of quantitative risk analysis starts with asset valuation and threat identification activities.
A common method to value assets for classification and categorization is to use qualitative and/or quantitative risk analysis.
Differences between quantitative and qualitative risk analysis include the following:
- Quantitative analysis employs objective measures and computes a numerical value, whereas qualitative methodology bases its measures on subjective judgement from evaluators and organizational decision makers such as subject matter experts.
- The purpose of quantitative risk analysis is to assign numeric or monetary values to all elements of the risk analysis process, whereas qualitative risk analysis does not assign monetary or numeric values to the analysis process. Rather, it takes a scenario-based approach to examine the various potential risks.
Parameters of quantitative risk analysis:
- Asset Value (AV): The value of an asset to an organization, such as the value of an IT asset expressed as its current value, replacement value or maintenance value.
- Exposure Factor (EF): The potential percentage of asset loss caused by the realization of an identified security threat. It is also sometimes referred to as Loss Potential.
- Single Loss Expectancy (SLE): The potential loss associated with a single realized security threat against a specific organizational asset.
- Annual Rate of Occurrence (ARO): The expected frequency with which a specific threat or risk will occur within a single year.
- Annualized Loss Expectancy (ALE): The possible yearly loss of all instances of a specific realized security threat against a specific asset.
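
The parameters above combine through the standard relations SLE = AV × EF and ALE = SLE × ARO, which the text does not spell out. The following added example (not part of the original text) computes them for a small risk register, ranks the risks by ALE, and derives the yearly value of a safeguard as ALE before minus ALE after minus its annual cost; the risk names, dollar figures and the `Risk`, `rank_by_ale` and `safeguard_value` names are constructed for illustration.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float       # AV, in dollars
    exposure_factor: float   # EF, fraction of the asset lost per event (0.0 to 1.0)
    aro: float               # ARO, expected occurrences per year

    def __post_init__(self):
        # Reject inputs that would make the dollar figures meaningless.
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError(f"{self.name}: AV and ARO must be non-negative")
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError(f"{self.name}: EF must be between 0 and 1")

    @property
    def sle(self) -> float:
        """Single Loss Expectancy: SLE = AV * EF."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annualized Loss Expectancy: ALE = SLE * ARO."""
        return self.sle * self.aro


def rank_by_ale(risks):
    """Order risks from highest to lowest expected yearly loss."""
    return sorted(risks, key=lambda r: r.ale, reverse=True)


def safeguard_value(before: Risk, after: Risk, annual_cost: float) -> float:
    """Yearly value of a safeguard; a negative result costs more than it saves."""
    return before.ale - after.ale - annual_cost


# Constructed sample register (illustrative figures, not real data).
REGISTER = [
    Risk("Laptop theft", 3_000, 1.00, 4),
    Risk("Data-centre flood", 1_000_000, 0.25, 0.02),
    Risk("Ransomware on file server", 200_000, 0.50, 0.25),
]

if __name__ == "__main__":
    for r in rank_by_ale(REGISTER):
        print(f"{r.name:28} SLE=${r.sle:>10,.0f}  ALE=${r.ale:>10,.0f}")
    ransomware = REGISTER[2]
    # Assumed safeguard: offline backups cut EF from 0.50 to 0.10 for $8,000 a year.
    with_backups = replace(ransomware, exposure_factor=0.10)
    print(f"Backup value: ${safeguard_value(ransomware, with_backups, 8_000):,.0f}")
```

Note that the flood has the largest SLE but the smallest ALE, which is why ranking on a single-event loss alone can misorder the register.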