ELI5: What is Qualitative vs. Quantitative Analysis?
Qualitative says “this risk is high.” Quantitative says “this risk could cost us $50,000 a year.” One uses words and categories; the other uses math and dollar amounts. Both help you decide what to fix first.
Definition
Risk analysis can be performed qualitatively (using descriptive categories to rate risk) or quantitatively (using numerical values to calculate risk in financial terms). Qualitative analysis uses expert judgment and scales (High/Medium/Low) and is faster and more accessible. Quantitative analysis uses formulas — Single Loss Expectancy (SLE), Annual Rate of Occurrence (ARO), and Annual Loss Expectancy (ALE) — to express risk in dollar amounts, enabling cost-benefit analysis of security controls.
Key Details
- SLE (Single Loss Expectancy) = Asset Value × Exposure Factor (the expected loss from a single incident)
- ARO (Annual Rate of Occurrence) = expected frequency of a threat occurring per year (e.g., 0.5 = once every 2 years)
- ALE (Annual Loss Expectancy) = SLE × ARO (the expected annual financial loss from a given risk)
- If the cost of a control < ALE, the control is cost-justified
- Qualitative is used for initial prioritization; quantitative provides the business case for control investment
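As an added worked example (not part of the original note), the SLE/ARO/ALE formulas above in Python, run over a constructed two-item risk register with illustrative dollar figures. The High/Medium/Low cut-offs, the control costs and their assumed effect on ARO or EF are all assumptions; `control_value` uses the general before/after form, of which the "control cost < ALE" rule is the special case where the control removes the risk entirely.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # AV: value of the asset at stake, in dollars
    exposure_factor: float  # EF: fraction of AV lost in one incident (0.0 to 1.0)
    aro: float              # ARO: expected number of incidents per year

def sle(risk: Risk) -> float:
    """Single Loss Expectancy = AV x EF (loss from one incident)."""
    return risk.asset_value * risk.exposure_factor

def ale(risk: Risk) -> float:
    """Annual Loss Expectancy = SLE x ARO (expected loss per year)."""
    return sle(risk) * risk.aro

def qualitative_rating(annual_loss: float) -> str:
    """Map a dollar ALE onto a High/Medium/Low scale. The $50k / $10k
    cut-offs are constructed; real ones come from the organisation's risk appetite."""
    if annual_loss >= 50_000:
        return "High"
    if annual_loss >= 10_000:
        return "Medium"
    return "Low"

def control_value(before: Risk, after: Risk, annual_control_cost: float) -> float:
    """Annual value of a control = ALE(before) - ALE(after) - annual cost.
    Positive means the control is cost-justified. With ALE(after) == 0 this
    reduces to the rule 'control cost < ALE'."""
    return ale(before) - ale(after) - annual_control_cost

def prioritized(register: list[Risk]) -> list[tuple[str, float, str]]:
    """Rank risks by ALE, highest first, with their qualitative bucket alongside."""
    rows = [(r.name, ale(r), qualitative_rating(ale(r))) for r in register]
    return sorted(rows, key=lambda row: row[1], reverse=True)

# Constructed risk register (illustrative figures, not real data).
WEB_OUTAGE = Risk("public web app compromise", asset_value=200_000, exposure_factor=0.5, aro=0.5)
LAPTOP_THEFT = Risk("unencrypted laptop theft", asset_value=3_000, exposure_factor=1.0, aro=4.0)

if __name__ == "__main__":
    for name, loss, rating in prioritized([LAPTOP_THEFT, WEB_OUTAGE]):
        print(f"{name}: ALE ${loss:,.0f} ({rating})")
    # Assumed: a WAF costing $20k/yr cuts the ARO from 0.5 to 0.1 (constructed)
    waf = replace(WEB_OUTAGE, aro=0.1)
    print(f"WAF value: ${control_value(WEB_OUTAGE, waf, 20_000):,.0f}/yr")
    # Assumed: full-disk encryption at $1k/yr cuts the EF from 1.0 to 0.1 (constructed)
    fde = replace(LAPTOP_THEFT, exposure_factor=0.1)
    print(f"FDE value: ${control_value(LAPTOP_THEFT, fde, 1_000):,.0f}/yr")
```

The same $50,000-a-year figure from the ELI5 line falls out of the web-app row (SLE $100,000 x ARO 0.5), while the ranking shows how the dollar values feed back into a High/Medium/Low label.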
Connections
- Parent: risk-management — both analysis approaches inform risk treatment decisions
- See also: qualitative-risk-assessment
- See also: quantitative-risk-assessment