LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What are the main pros and cons of qualitative risk analysis — and why does it remain so popular despite the criticisms?

Pros: fast, low data needs, communicates well to management. Cons: subjective, tends to "all yellow", and isn't reproducible.

Vorteile (pros) Nachteile (cons)
Übersichtlich (visually clear) Tendency toward "everything yellow" — middle anchoring
Relatively fast to do Tendency to follow "best practices" instead of critical thinking
Excellent for first-pass estimation and management communication Heavily dependent on assessor experience
Low data requirements No easy quantitative output; reproducibility is poor
Helps prioritise mitigations Results hard to defend or repeat across teams

Why it dominates anyway:

  • Cyber rarely has the data quantitative methods need.
  • The audience is non-quant. Boards, regulators, and many CISOs want a colour, not a histogram.
  • Compliance frameworks (ISO 27001, NIST CSF) accept qualitative output.

The pragmatic answer: do qualitative for breadth (all assets, fast), then quantitative + FAIR for the top 10-20 risks where colour isn't enough to justify CHF spend.

From Quiz: ISF / Risk Management | Updated: Jul 14, 2026