LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What's the difference between quantitative and qualitative risk analysis, and when do you use each?

Quantitative = numbers in CHF and probabilities. Qualitative = scale labels like "low / medium / high". The first is rigorous but data-hungry; the second is quick but subjective.

Quantitative Qualitative
Outputs "CHF 200k expected annual loss", "12% probability" "Likelihood: Possible, Impact: Major → Med-Hi"
Inputs Monetary asset value, exact loss frequency Multi-step scale ratings (e.g. 4 on a 5-point scale)
Data demand High — needs historical data or simulation Low — relies on expert judgement
Best for Insurance, board-level investment cases, known repeating events (natural catastrophes) First passes, novel risks, communication with non-technical stakeholders

Why it's a spectrum, not a binary:

  • Pure quantitative is rarely achievable for cyber — you usually don't have enough incident data to estimate frequencies precisely.
  • Modern frameworks like FAIR (Factor Analysis of Information Risk) bridge the two: expert estimates feed PERT distributions, then Monte-Carlo simulation produces quantitative outputs anyway.

Tip: Lord Kelvin's "If you cannot measure it, you cannot improve it" is the spiritual argument for quantification — but in cyber, even a rough number beats a colour.

From Quiz: ISF / Risk Management | Updated: Jul 14, 2026