Risk Management
Instruction
Qualitative Risk Analysis
A qualitative risk analysis evaluates the impact or effect of threats on the business process or the goals of the organization and has the following characteristics:
- Scenario oriented
- A carefully reasoned risk assessment is performed
Although the variables in the qualitative security risk equation are expressed as numerical values, these values are ordinal numbers, which correspond to High > Medium > Low. There is no metric that determines a distance between categories. For example, Low is not twice as good as High.
Tables are used as the "formula" for determining qualitative security risks, as shown in Figure 11.
Figure 11 – Qualitative risk analysis matrix
The team then defines each of the qualitative values for probability and impact. The values in the table are the result of multiplying the probability value by the impact value. Read the article Qualitative Risk Analysis and Assessment for more information.
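The following is an added example, not part of the original course material. It builds a probability × impact matrix as described above and shows that the resulting scores only rank risks, because a different order-preserving numbering changes which cell comes out higher. The 1/2/3 and 1/2/5 encodings and the scenario names are assumptions, since Figure 11's values are not reproduced on this page.

```python
from itertools import combinations, product

LEVELS = ("Low", "Medium", "High")  # ordinal order, lowest first

# Two order-preserving numeric encodings (assumed; Figure 11's values are not on the page).
ENC_A = {"Low": 1, "Medium": 2, "High": 3}
ENC_B = {"Low": 1, "Medium": 2, "High": 5}

# Constructed scenarios: (name, probability, impact).
SCENARIOS = [("Laptop theft", "Medium", "Medium"),
             ("Data centre flood", "Low", "High")]


def build_matrix(encoding):
    """Map each (probability, impact) cell to probability value * impact value."""
    return {(p, i): encoding[p] * encoding[i] for p, i in product(LEVELS, repeat=2)}


def dominates(a, b):
    """True if cell a is at least as high as cell b on both axes and is not b."""
    rank = LEVELS.index
    return a != b and rank(a[0]) >= rank(b[0]) and rank(a[1]) >= rank(b[1])


def order_flips(enc_a, enc_b):
    """Cell pairs that the two encodings rank differently."""
    ma, mb = build_matrix(enc_a), build_matrix(enc_b)
    sign = lambda m, x, y: (m[x] > m[y]) - (m[x] < m[y])
    return [(x, y) for x, y in combinations(sorted(ma), 2)
            if sign(ma, x, y) != sign(mb, x, y)]


def rank_scenarios(scenarios, encoding):
    """Sort scenarios by matrix score, highest first."""
    m = build_matrix(encoding)
    return sorted(scenarios, key=lambda s: m[(s[1], s[2])], reverse=True)


if __name__ == "__main__":
    for p in reversed(LEVELS):
        print(f"{p:>6}", [build_matrix(ENC_A)[(p, i)] for i in LEVELS])
    for x, y in order_flips(ENC_A, ENC_B):
        print("ranking depends on encoding:", x, "vs", y)
    print([s[0] for s in rank_scenarios(SCENARIOS, ENC_A)])
    print([s[0] for s in rank_scenarios(SCENARIOS, ENC_B)])
```

Cells that are at least as high on both axes keep their order under any positive order-preserving encoding. The pairs that flip (Low/High against Medium/Medium) are the ones whose ranking the team has to decide when it defines the table.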