Qualitative versus quantitative risk analysis: which method fits your organization?


Kees van der Vlies

Partner | IT Auditor


Anyone setting up an information security risk analysis soon runs into the question of how risks should be valued. Broadly speaking there are two schools of thought. The qualitative approach assesses risks with relative estimates, usually on a scale from low to high. The quantitative approach expresses risks in numbers, preferably in money and expected frequency. In practice this is not a matter of right or wrong, but of fit: it depends on the maturity of the organization, the data available and the purpose of the analysis. In this article we place both methods side by side, name the pitfalls we most often encounter as auditors, and give practical advice on making the choice.

The qualitative risk analysis

The qualitative method is by far the most widely used, and not without reason. Risks are estimated based on likelihood and impact, usually with categories such as low, medium and high, or with a numerical scale from, say, 1 to 5. The result is often shown in a risk matrix: a grid in which likelihood and impact together determine the color of a cell. Green is acceptable, red demands immediate action.

The strength of this approach is its accessibility. You do not need extensive historical data and the method is quick to explain to a board or department head. It invites conversation: by estimating likelihood and impact together with stakeholders, a shared picture emerges of where the organization is vulnerable. For a first risk analysis, for an ISO 27001 implementation or for organizations just starting with structured risk management, the qualitative method is almost always the right starting point.

The weakness lies in subjectivity. What one person experiences as high impact, another calls average. Without clear definitions for each scale level, estimates diverge widely and risks become hard to compare. Another well-known phenomenon is clustering in the middle: when stakeholders are unsure, they choose the safe middle value, which robs the analysis of its discriminating power. And because the outcome has no monetary figure, it is difficult to weigh an investment in a control against the risk it addresses.

The quantitative risk analysis

The quantitative method tries to express risks in hard numbers. The classic variant works with concepts such as the Single Loss Expectancy (the loss from a single event), the Annual Rate of Occurrence (the expected frequency per year) and the Annual Loss Expectancy (the expected annual loss, the product of the first two). More modern approaches such as FAIR (Factor Analysis of Information Risk) work with probability distributions and simulations instead of single point estimates, which does justice to the uncertainty inherent in risk.

The advantage is its persuasiveness towards the board. A statement such as "this risk is expected to cost us 250,000 euros per year and the control costs 60,000 euros" makes an investment decision discussable in the language of the board. Quantitative outcomes are additive, so you can aggregate and prioritize risks across the whole organization. It also enables substantiated cost-benefit trade-offs, something regulators in regulated sectors increasingly expect.

The downside is that the method stands or falls with the quality of the input. Without reliable data on frequencies and losses there is a risk of false precision: an outcome accurate to the euro suggests a certainty that is not there. Quantitative analysis also requires more time, expertise and data, making it heavier to set up and maintain. Applied in the wrong place, it produces a lot of work for little extra insight.
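An added example, not from the article, that puts the two quantitative styles described above side by side: the classic SLE x ARO point estimate, and a FAIR-style Monte Carlo that replaces the single loss figure with a calibrated 90% interval and a Poisson event frequency, returning a range instead of one number. The figures (a 200,000 euro loss at 1.25 events a year, a 50,000 to 500,000 euro interval) are constructed to land near the article's 250,000 euro example; the lognormal and Poisson choices are modelling assumptions.

```python
import math
import random
from typing import Dict, Tuple

Z90 = 1.6449  # z-score bounding a two-sided 90% interval (5th and 95th percentile)


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """Classic point estimate: ALE = SLE x ARO."""
    return sle * aro


def lognormal_from_interval(low: float, high: float) -> Tuple[float, float]:
    """Turn a calibrated '90% sure the loss lies between low and high' estimate
    into the (mu, sigma) of a lognormal loss-magnitude distribution."""
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * Z90)
    return mu, sigma


def analytic_mean_annual_loss(aro: float, low: float, high: float) -> float:
    """Expected annual loss of the model below, used to cross-check the simulation."""
    mu, sigma = lognormal_from_interval(low, high)
    return aro * math.exp(mu + sigma ** 2 / 2)


def simulate_annual_loss(aro: float, low: float, high: float,
                         trials: int = 20_000, seed: int = 1) -> Dict[str, float]:
    """Monte Carlo: Poisson number of events per year, lognormal loss per event."""
    rng, limit = random.Random(seed), math.exp(-aro)
    mu, sigma = lognormal_from_interval(low, high)
    yearly = []
    for _ in range(trials):
        # Poisson sample via Knuth's multiplication method (fine for small ARO).
        events, p = 0, rng.random()
        while p > limit:
            events += 1
            p *= rng.random()
        yearly.append(sum(rng.lognormvariate(mu, sigma) for _ in range(events)))
    yearly.sort()
    return {
        "mean": sum(yearly) / trials,
        "p50": yearly[trials // 2],          # median annual loss
        "p90": yearly[int(trials * 0.9)],    # 1-in-10 bad year
        "p_zero_loss": yearly.count(0) / trials,  # years with no event at all
    }


if __name__ == "__main__":
    # Constructed figures: a 200,000 euro incident expected 1.25 times a year.
    print("classic ALE:", annual_loss_expectancy(200_000, 1.25))
    # FAIR-style: same frequency, loss '90% sure between 50k and 500k euros'.
    print("simulated:", simulate_annual_loss(1.25, 50_000, 500_000))
```

The simulated mean lands close to the classic ALE, but the p50/p90 spread and the share of loss-free years are what the point estimate hides, which is the false-precision problem the text warns about.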

The hybrid practice

In practice, most mature organizations work in a hybrid way. They use a qualitative analysis as a broad first sieve across the entire risk landscape, and then apply targeted quantitative analysis to the handful of risks that rise to the top. That way you spend the heavier method only on the risks where sharp substantiation genuinely pays off, for example a major investment decision or a risk that threatens the very existence of the organization. This layered approach combines the speed and buy-in of the qualitative method with the substantiation of the quantitative method.

What does ISO 27001 say about this?

A frequently asked question is which method ISO 27001 prescribes. The answer is: none. The standard requires a consistent and repeatable process for risk assessment and risk treatment, with clear criteria for accepting risk and for determining the risk level. Which method you choose is up to the organization, as long as the approach is applied consistently and is repeatable. In practice, most organizations opt for a qualitative or hybrid approach. What an auditor tests is not the method itself, but whether it has been applied consistently, whether the criteria were established beforehand and whether the outcomes demonstrably led to decisions about controls.

Practical advice on the choice

Start qualitatively if you are beginning with risk management, if data is scarce or if the goal is mainly awareness and prioritization. Invest in clear scale definitions, because that addresses most of the subjectivity. Consider quantitative analysis once you need to substantiate specific, large risks towards the board or a regulator, or when you need to weigh controls against each other based on costs and benefits. And bear in mind that the two methods are not opposites but complementary. The mature route is not choosing between qualitative and quantitative, but knowing when to use which. Would you like to discuss a risk analysis that fits your organization's maturity? Feel free to contact us.

Frequently asked questions

What is the difference between qualitative and quantitative risk analysis?

A qualitative analysis values risks with relative estimates on a scale, for example low to high. A quantitative analysis expresses risks in numbers, usually in money and expected frequency per year. The first is accessible and fast, the second is substantiated but requires reliable data.

Which method does ISO 27001 prescribe?

ISO 27001 does not prescribe a specific method. The standard requires a consistent, repeatable risk assessment process with predefined criteria. The organization itself chooses a qualitative, quantitative or hybrid approach.

Is a quantitative risk analysis more accurate?

Not automatically. Quantitative analysis produces numerical outcomes, but those are only reliable if the underlying data on frequencies and losses is reliable too. Without good data, false precision arises.

Can I combine both methods?

Yes, in practice that is the most mature approach. A qualitative analysis serves as a broad first sieve, after which targeted quantitative analysis is applied to the most important risks that emerge from it.

What is FAIR?

FAIR (Factor Analysis of Information Risk) is a quantitative framework that models risks with probability distributions and simulations instead of single point estimates. It thereby does justice to the uncertainty involved in risk and produces substantiated ranges.
