Risk Assessments in the Past: Simple to Use, But with Limited Value
The starting point for cyber risk assessment is usually a “Qualitative” cyber risk assessment approach. This approach classifies risks with relative levels for impact and likelihood, for example High/Medium/Low, or Red/Amber/Green. Assessment of risks using a Qualitative approach is usually based on subject-matter judgement of these categories rather than on calculations.
Qualitative approaches for cyber risk assessment have been used for many years, as they are simple to set up and explain, cheap to implement (typically in a simple spreadsheet), and provide a view of risks that enables decision makers to identify priorities.
However there are two significant limitations to such a basic Qualitative approach:
- Inconsistent: differing stakeholders may interpret high, medium and low differently, meaning that different people rate the same risk differently.
- Imprecise: it is not always clear what a “high” impact or a “red” risk means in business terms.
Over time, practitioners have taken steps to address these limitations, while keeping the benefits of Qualitative approaches.
Risk Assessments Today: Consistent Execution, But Still Room for Improvement
The basic Qualitative approach can be enhanced by assigning ranges to the different categories. This is sometimes called a “semi-quantitative” approach. For example, you could say that a low impact corresponds to less than $100k, medium to less than $1m and high impact to more than $1m. Risk assessors can then make consistent estimates by referencing these impact levels. Similar references can be defined for the likelihood of occurrence (e.g. low likelihood corresponds to an event that happens less than once a year, medium to one time per year, high to multiple times per year).
These reference tables also make it easier for risk assessors to be more objective in their risk assessments – evidence can be provided to show that an incident may cost a certain amount, or the frequency of incidents can be estimated from historic data. This isn’t foolproof though; there might be scant data to base the analysis on. While these semi-quantitative approaches are a big step forward towards consistent, data-backed risk assessments, there are still weaknesses:
- Ranges hide specifics: comparing two risks in the same category can be difficult. From our example above, the impact of one high impact risk could be $1.5m, and a second could be $500m, but they are both rated the same.
- Challenging for strategic decision making: while risks can be compared and prioritized, it is difficult to strategically steer investment into mitigation and risk monitoring. Defining risk tolerance in terms of “number of red risks” or similar offers limited guidance for a board to oversee (how many red risks should we tolerate?!), and for a CISO to make a case for investment. At the strategic level reporting risks in financial terms is critical.
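As an added example (not part of the original post), the semi-quantitative banding described above is implemented here in Python beside the expected-annual-loss figure a quantitative approach would report. The band thresholds are the post's own; the three risks, their frequencies and the simple frequency × impact formula are assumptions made for illustration, not a method the post prescribes.

```python
# Added example: semi-quantitative bands vs. a quantitative figure.
# Thresholds come from the post ($100k / $1m; <1, 1, >1 events per year).
# The risk register below is constructed sample data.

def impact_band(loss_usd: float) -> str:
    """Map a loss estimate to the post's Low/Medium/High impact bands."""
    if loss_usd < 100_000:
        return "Low"
    if loss_usd < 1_000_000:
        return "Medium"
    return "High"

def likelihood_band(events_per_year: float) -> str:
    """Map an annual event frequency to the post's Low/Medium/High bands."""
    if events_per_year < 1:
        return "Low"
    if events_per_year == 1:
        return "Medium"
    return "High"

def annualised_loss(events_per_year: float, loss_usd: float) -> float:
    """Assumed quantitative view: expected annual loss = frequency x impact."""
    return events_per_year * loss_usd

# Constructed register: the two "High" risks from the text plus a third one
# that sits in a lower impact band but recurs several times a year.
RISKS = {
    "ransomware-outage":   {"events_per_year": 0.5, "loss_usd": 1_500_000},
    "core-ledger-breach":  {"events_per_year": 0.5, "loss_usd": 500_000_000},
    "phishing-wire-fraud": {"events_per_year": 4,   "loss_usd": 250_000},
}

def semi_quantitative_rating(name: str) -> tuple:
    """(likelihood band, impact band) as a reference-table assessor would record it."""
    r = RISKS[name]
    return likelihood_band(r["events_per_year"]), impact_band(r["loss_usd"])

def rank_quantitatively(risks: dict) -> list:
    """Risk names ordered by expected annual loss, highest first."""
    return sorted(risks, key=lambda n: annualised_loss(**risks[n]), reverse=True)

def hidden_gap(a: str, b: str) -> float:
    """Ratio of expected annual losses for two risks that share the same rating.

    Returns 0.0 when the ratings differ (no hidden gap to report)."""
    if semi_quantitative_rating(a) != semi_quantitative_rating(b):
        return 0.0
    la, lb = (annualised_loss(**RISKS[n]) for n in (a, b))
    return max(la, lb) / min(la, lb)
```

Run as written, the two “High” risks share the rating ("Low", "High") while their expected annual losses differ by a factor of roughly 333, and the “Medium”-impact phishing risk outranks the “High”-impact ransomware risk once frequency is included.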
The Future of Cyber Risk Assessments: Quantitative Approaches (Where It Makes Sense)
In contrast to Qualitative approaches, a Quantitative cyber risk assessment provides financial values for risk impacts and statistical probabilities, using objective, quantifiable inputs and statistical calculations.
Quantitative assessments can provide significant benefits:
- Business language: the financial detail helps translate technical cyber risks into business friendly language making it easier to compare cyber with other risk categories;
- Risk management at the strategic level: financial outputs enable top management and boards to better understand the company’s risk exposure and put investment decisions into a risk management context.
Quantitative risk assessment approaches are not without their challenges, however. They can be seen as time consuming and as requiring additional expertise in mathematics, and the data used for inputs and outputs can be both challenging to obtain and met with scepticism once obtained. Understanding the advantages and disadvantages of Qualitative and Quantitative approaches enables a risk management professional to choose the best approach for the risk assessment use case.
Common Cyber Risk Assessment Use Cases, and When a Quantitative Approach Is Best Used
Cyber risk assessments can be used for a variety of purposes, and with a variety of audiences. These can range from company-wide assessments looking at the overall risk position, to detailed risk assessments looking at specific changes within an individual system.
The table below gives some examples and considers how well suited qualitative and quantitative approaches are for each:
How to Introduce Quantitative Risk Assessment Approaches, Alongside Existing Qualitative Frameworks
If you already have a company-wide risk assessment framework it can be difficult to make a case for changing it. The risk assessment framework is likely a core part of the information security management system, and it may be part of regulatory reporting. Introducing a new approach is a big step.
For companies in such a situation that nonetheless want to explore cyber risk quantification we recommend the following:
- Start small and from the top down: choose a business division, or a single company within a corporate group and prepare a division/company-wide quantified assessment. This can show the strengths of CRQ to senior stakeholders, and generate enthusiasm and commitment for wider use. Avoid starting bottom-up with individual systems as this can lead to difficulties in gathering appropriate data for quantification.
- Quantify in parallel to your current approach: the existing risk assessment framework can continue to operate while CRQ is being explored, and indeed afterwards. The outputs from CRQ can be compared to existing risk assessments, and the usefulness and effort assessed.
- Build on initial CRQ with further entities: the data gathered for the initial CRQ will likely be useful for later assessments in other business divisions or companies. If possible have a core team work at a Group/central level so that the skills and expertise can carry forward to later projects.
- Decide how far to go: the table above lists various risk assessment use cases; use it to decide which risk assessment processes in your organization could be suitable for quantifying. There will likely be use cases where you will choose to keep a qualitative approach.
Final Thoughts: The Right Risk Quantification Approach Depends on Your Needs
Cyber risk assessment can feel complex, but it doesn't have to be! This blog post has explored the two main approaches: qualitative and quantitative. Qualitative assessments are simple, using categories like "high," "medium," and "low". They're great for a quick overview, but can be inconsistent and imprecise. To address those limitations, a semi-quantitative approach adds numerical ranges to these categories. However, it still doesn't give you the financial figures you need for strategic decisions.
That’s where quantitative risk assessments come in, providing financial values and statistical probabilities. While they require a little more time to conduct, and are dependent on the data used for input, they offer significant benefits like business-friendly language, and strategic-level risk management.
The best approach for you will depend on your specific needs, so consider the audience for your risk assessment and the questions they are trying to answer. You can even introduce a quantitative method alongside your existing framework. This way, you get the best of both worlds!