Quiz Entry - updated: 2026.07.14
What's the difference between quantitative and qualitative risk analysis, and when do you use each?
Quantitative = numbers in CHF and probabilities. Qualitative = scale labels like "low / medium / high". The first is rigorous but data-hungry; the second is quick but subjective.
| Quantitative | Qualitative | |
|---|---|---|
| Outputs | "CHF 200k expected annual loss", "12% probability" | "Likelihood: Possible, Impact: Major → Med-Hi" |
| Inputs | Monetary asset value, exact loss frequency | Multi-step scale ratings (e.g. 4 on a 5-point scale) |
| Data demand | High — needs historical data or simulation | Low — relies on expert judgement |
| Best for | Insurance, board-level investment cases, known repeating events (natural catastrophes) | First passes, novel risks, communication with non-technical stakeholders |
Why it's a spectrum, not a binary:
- Pure quantitative is rarely achievable for cyber — you usually don't have enough incident data to estimate frequencies precisely.
- Modern frameworks like FAIR (Factor Analysis of Information Risk) bridge the two: expert estimates feed PERT distributions, then Monte-Carlo simulation produces quantitative outputs anyway.
Tip: Lord Kelvin's "If you cannot measure it, you cannot improve it" is the spiritual argument for quantification — but in cyber, even a rough number beats a colour.