Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

6.2.2. Risk Analysis: Qualitative and Quantitative

💡 First Principle: Risk analysis answers two questions: "how likely is this?" and "how bad would it be?" Qualitative analysis uses categories (high/medium/low); quantitative analysis uses numbers (dollars, percentages). Both are valid — qualitative is faster and simpler; quantitative is more precise but requires reliable data.

Qualitative analysis assigns descriptive ratings to likelihood and impact. A risk matrix plots risks on a grid:

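|                   | Low Impact | Medium Impact | High Impact |
|-------------------|------------|---------------|-------------|
| High Likelihood   | Medium     | High          | Critical    |
| Medium Likelihood | Low        | Medium        | High        |
| Low Likelihood    | Low        | Low           | Medium      |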

Quantitative analysis calculates risk in financial terms:

  • Asset Value (AV) — what is the asset worth? ($500,000 server)
  • Exposure Factor (EF) — what percentage would be damaged? (40% = 0.4)
  • Single Loss Expectancy (SLE) — AV × EF = damage per incident ($500,000 × 0.4 = $200,000)
  • Annualized Rate of Occurrence (ARO) — how often per year? (0.5 = once every 2 years)
  • Annualized Loss Expectancy (ALE) — SLE × ARO = expected annual cost ($200,000 × 0.5 = $100,000/year)

ALE is the key number: it tells you the maximum you should spend on controls to mitigate this risk. If ALE is $100,000, spending $150,000 on prevention isn't cost-effective.

When to use which: Qualitative analysis works when you lack precise financial data or need a quick initial assessment — it's faster but subjective. Quantitative analysis provides objective, dollar-based decisions but requires accurate asset valuations and historical incident data. Most organizations use qualitative for initial triage, then apply quantitative analysis to the highest-risk items that justify the effort.
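The triage-then-quantify workflow above, as an added example (not MindMesh Academy's own code): it rates each risk with the matrix from this page, runs SLE and ALE only for risks rated High or Critical, and compares the control cost to ALE. The class, function and asset names, the likelihood/impact ratings, and the treatment of `control_cost` as a yearly figure are assumptions made for illustration.

```python
from dataclasses import dataclass

# Risk matrix from this page: MATRIX[likelihood][impact] -> rating
MATRIX = {
    "High":   {"Low": "Medium", "Medium": "High",   "High": "Critical"},
    "Medium": {"Low": "Low",    "Medium": "Medium", "High": "High"},
    "Low":    {"Low": "Low",    "Medium": "Low",    "High": "Medium"},
}

@dataclass
class Risk:
    name: str
    likelihood: str         # qualitative rating: Low / Medium / High
    impact: str             # qualitative rating: Low / Medium / High
    asset_value: float      # AV, dollars
    exposure_factor: float  # EF, fraction of the asset damaged (0..1)
    aro: float              # ARO, occurrences per year
    control_cost: float     # assumption: yearly cost of the proposed control

    def sle(self) -> float:
        # SLE = AV x EF; reject an EF entered as a percentage (40 instead of 0.4)
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError(f"{self.name}: EF must be a fraction between 0 and 1")
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        # ALE = SLE x ARO
        return self.sle() * self.aro

def triage_then_quantify(register, escalate=("High", "Critical")):
    """Qualitative triage first; quantitative analysis only for escalated risks."""
    results = []
    for r in register:
        rating = MATRIX[r.likelihood][r.impact]
        if rating not in escalate:
            continue  # stays at the qualitative level
        ale = r.ale()
        results.append({"name": r.name, "rating": rating, "sle": r.sle(),
                        "ale": ale, "cost_effective": r.control_cost <= ale})
    return sorted(results, key=lambda row: row["ale"], reverse=True)

# Constructed register: the first two rows reuse the figures worked on this page.
REGISTER = [
    Risk("db-server", "Medium", "High", 500_000, 0.40, 0.5, 150_000),
    Risk("exam-server", "High", "Medium", 200_000, 0.25, 2.0, 60_000),
    Risk("lobby-kiosk", "Low", "Medium", 5_000, 1.00, 0.1, 2_000),
]

if __name__ == "__main__":
    for row in triage_then_quantify(REGISTER):
        print(row)
```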

⚠️ Exam Trap: Memorize the formulas: SLE = AV × EF. ALE = SLE × ARO. The exam will give you numbers and ask you to calculate. A question might say: "A server worth $200,000 has a 25% exposure factor and faces a threat that occurs twice per year. What is the ALE?" Answer: SLE = $200,000 × 0.25 = $50,000. ALE = $50,000 × 2 = $100,000.

Written by Alvin Varughese, Founder (15 professional certifications)