Memotiva CISSP Flashcards: Security and Risk Management, Governance, Compliance, Ethics

What is the difference between qualitative and quantitative risk analysis?

Nortren

Quantitative risk analysis assigns monetary values to assets, threats, and losses using formulas. Key metrics include asset value; exposure factor, expressed as a percentage of loss; single loss expectancy, which equals asset value times exposure factor; annualized rate of occurrence; and annualized loss expectancy, which equals single loss expectancy times annualized rate of occurrence. Qualitative risk analysis uses subjective ratings like high, medium, and low based on expert judgment, scenarios, and matrices. Quantitative is more precise but requires reliable data.
csrc.nist.gov