In this section, we will look at the difference between qualitative and quantitative risk assessments.
A qualitative risk assessment is based on an individual's perception regarding the probability that a particular risk may occur at a given time, and whether that risk will have a genuine impact on the organization. The key thing to understand about qualitative risk assessments is that they do not utilize any mathematical calculation method to calculate a certain risk. As a result, qualitative risk analysis is relatively easy to perform and is typically the type of risk assessment that is performed by the information security professional.
The qualitative risk assessment provides a method where the information security professional can rank risk on a subjective scale as seen in the following, where risk is ranked high, medium, or low.
Qualitative risk assessments are not as precise as quantitative risk assessments as they do not contain a mathematical...