What is quantitative risk analysis? What are the different parameters involved in qualitative risk analysis? What is the difference between quantitative risk analysis and qualitative risk analysis?
Risk assessment involves qualitative and quantitative analysis techniques. Quantitative risk analysis results in concrete probability indications or a numeric indication of relative risk potential in an organization. The output of quantitative risk analysis is a report that has dollar figures for levels of risk, potential loss, cost of security controls, and value of safeguards. It is the act of assigning a quantity or a number to risk, which includes placing a dollar figure on each asset and threat impact. The process of quantitative risk analysis starts with asset valuation and threat identification activities.
A common method to value assets for classification and categorization is to use qualitative and/or quantitative risk analysis.
Differences between quantitative and qualitative risk analysis include the following:
- Quantitative analysis employs objective measures and computes a numerical value, whereas qualitative methodology bases its measures on the subjective judgement of evaluators and organizational decision makers such as subject matter experts.
- The purpose of quantitative risk analysis is to assign numeric or monetary values to all elements of the risk analysis process, whereas qualitative risk analysis does not assign monetary or numeric values to the analysis process. Rather, it takes a scenario-based approach to examine the various potential risks.
Parameters of Quantitative risk analysis
- Asset Value (AV): The value of an asset to an organization, such as an IT asset's current value, replacement value or maintenance value.
- Exposure Factor (EF): The potential percentage of asset loss caused by the realization of an identified security threat. It is also sometimes referred to as Loss Potential.
- Single Loss Expectancy (SLE): The potential loss associated with a single realized security threat against a specific organizational asset.
- Annual Rate of Occurrence (ARO): The expected frequency with which a specific threat or risk will occur within a single year.
- Annualized Loss Expectancy (ALE): The possible yearly loss of all instances of a specific realized security threat against a specific asset.
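The parameters above combine through the standard relations SLE = AV × EF and ALE = SLE × ARO. The following is an added example, not part of the original page, that applies them to a small risk register and ranks the risks by ALE. It goes one step further and prices a safeguard with the common cost/benefit formula (ALE before − ALE after − annual safeguard cost), which the page mentions only as "value of safeguards"; the class, function names and all dollar figures are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    av: float   # Asset Value, in dollars
    ef: float   # Exposure Factor as a fraction of the asset lost (0.0 to 1.0)
    aro: float  # Annual Rate of Occurrence (0.125 = once every eight years)

    def __post_init__(self):
        # Reject inputs that would silently produce a meaningless ALE.
        if self.av < 0 or self.aro < 0:
            raise ValueError(f"{self.name}: AV and ARO must be non-negative")
        if not 0.0 <= self.ef <= 1.0:
            raise ValueError(f"{self.name}: EF must be a fraction in [0, 1]")

    @property
    def sle(self) -> float:
        """Single Loss Expectancy: loss from one occurrence."""
        return self.av * self.ef

    @property
    def ale(self) -> float:
        """Annualized Loss Expectancy: expected loss per year."""
        return self.sle * self.aro


def rank_by_ale(risks):
    """Highest expected yearly loss first."""
    return sorted(risks, key=lambda r: r.ale, reverse=True)


def safeguard_value(before: Risk, after: Risk, annual_cost: float) -> float:
    """Net yearly benefit of a control; negative means it costs more than it saves."""
    return before.ale - after.ale - annual_cost


# Constructed sample register (all values are illustrative assumptions).
REGISTER = [
    Risk("Data center fire", av=2_000_000, ef=0.5, aro=0.125),
    Risk("Ransomware on file server", av=400_000, ef=0.75, aro=0.5),
    Risk("Laptop theft", av=4_000, ef=1.0, aro=8),
]

if __name__ == "__main__":
    for r in rank_by_ale(REGISTER):
        print(f"{r.name:28} SLE=${r.sle:>12,.2f}  ALE=${r.ale:>12,.2f}")
    ransomware = REGISTER[1]
    # Assumed effect of offline backups: EF drops from 0.75 to 0.25.
    with_backups = Risk(ransomware.name, ransomware.av, ef=0.25, aro=0.5)
    print("Offline backups, net yearly value:",
          safeguard_value(ransomware, with_backups, annual_cost=30_000))
```

Note that the low-value, high-frequency laptop risk and the high-value, low-frequency fire risk only become comparable once both are annualized.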