Quiz Entry - updated: 2026.07.14
What are the main pros and cons of qualitative risk analysis — and why does it remain so popular despite the criticisms?
Pros: fast, low data needs, communicates well to management. Cons: subjective, tends to "all yellow", and isn't reproducible.
| Vorteile (pros) | Nachteile (cons) |
|---|---|
| Übersichtlich (visually clear) | Tendency toward "everything yellow" — middle anchoring |
| Relatively fast to do | Tendency to follow "best practices" instead of critical thinking |
| Excellent for first-pass estimation and management communication | Heavily dependent on assessor experience |
| Low data requirements | No easy quantitative output; reproducibility is poor |
| Helps prioritise mitigations | Results hard to defend or repeat across teams |
Why it dominates anyway:
- Cyber rarely has the data quantitative methods need.
- The audience is non-quant. Boards, regulators, and many CISOs want a colour, not a histogram.
- Compliance frameworks (ISO 27001, NIST CSF) accept qualitative output.
The pragmatic answer: do qualitative for breadth (all assets, fast), then quantitative + FAIR for the top 10-20 risks where colour isn't enough to justify CHF spend.