What is the difference between a qualitative and quantitative risk assessment?
A quantitative risk assessment expresses threat likelihood (probability), impact, and risk as numeric values, whereas a qualitative assessment uses ratings of high, medium, or low. The major advantage of the quantitative approach is that it yields a measurement that can be fed directly into a cost-benefit analysis. However, unless the metrics used are comprehensive, consistent, accurate, and relevant, this approach has little or no benefit over a qualitative approach, since some subjective interpretation must still be applied. Many approaches today start with the qualitative rankings (high, medium, or low) and attribute a range of values to each.

Who should participate in a risk assessment exercise?
For the subject system(s), the team should include at a minimum the following representatives: system owner(s), IT security representative, operational system users, and IT system support personnel. Others may be added to the team, as management deems ap
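The hybrid approach described in the first answer above (qualitative rankings with a numeric range attached to each, so the result can feed a cost-benefit check) is shown below as an added example; it is not code from the original page. The likelihood bands, currency figures, 3x3 matrix thresholds and the sample risk register are all constructed assumptions, and the cost-benefit rule (accept a control only if it pays for itself at the conservative end of the range) is one possible decision rule, not one the page prescribes.

```python
"""Hybrid risk scoring: qualitative ratings (high/medium/low) mapped to numeric
ranges, producing both a matrix rating and an expected-annual-loss range that a
cost-benefit check can consume. All bands and figures are constructed."""

# Constructed bands: annual probability that the threat is realised.
LIKELIHOOD_RANGE = {
    "low": (0.01, 0.10),
    "medium": (0.10, 0.50),
    "high": (0.50, 1.00),
}

# Constructed bands: loss per occurrence, in currency units.
IMPACT_RANGE = {
    "low": (1_000, 10_000),
    "medium": (10_000, 100_000),
    "high": (100_000, 1_000_000),
}

RANK = {"low": 1, "medium": 2, "high": 3}


def qualitative_risk(likelihood, impact):
    """Plain 3x3 matrix: multiply the ordinal ranks and bucket the product."""
    product = RANK[likelihood] * RANK[impact]
    if product >= 6:
        return "high"
    if product >= 3:
        return "medium"
    return "low"


def quantitative_risk_range(likelihood, impact):
    """Expected annual loss as a (low, high) range: probability x impact, taking
    the bottom of both bands for the low end and the top of both for the high end.
    The width of the range is the honest statement of how uncertain the figure is."""
    p_lo, p_hi = LIKELIHOOD_RANGE[likelihood]
    i_lo, i_hi = IMPACT_RANGE[impact]
    return (p_lo * i_lo, p_hi * i_hi)


def risk_reduction_range(likelihood, residual_likelihood, impact):
    """Annual loss avoided by a control that lowers likelihood from `likelihood`
    to `residual_likelihood` while the impact per event is unchanged."""
    p_lo, p_hi = LIKELIHOOD_RANGE[likelihood]
    r_lo, r_hi = LIKELIHOOD_RANGE[residual_likelihood]
    i_lo, i_hi = IMPACT_RANGE[impact]
    return ((p_lo - r_lo) * i_lo, (p_hi - r_hi) * i_hi)


def control_justified(likelihood, residual_likelihood, impact, annual_control_cost):
    """Cost-benefit check (assumed rule): accept the control only if it pays for
    itself even at the conservative, low end of the avoided-loss range."""
    avoided_lo, _ = risk_reduction_range(likelihood, residual_likelihood, impact)
    return annual_control_cost < avoided_lo


def assess(register):
    """Produce both the qualitative rating and the numeric range for every
    entry of a risk register (a list of dicts with asset/likelihood/impact)."""
    report = []
    for entry in register:
        lo, hi = quantitative_risk_range(entry["likelihood"], entry["impact"])
        report.append({
            "asset": entry["asset"],
            "qualitative": qualitative_risk(entry["likelihood"], entry["impact"]),
            "expected_annual_loss": (lo, hi),
        })
    return report


# Constructed register for a hypothetical system.
SAMPLE_REGISTER = [
    {"asset": "customer database", "likelihood": "high", "impact": "high"},
    {"asset": "internal wiki", "likelihood": "medium", "impact": "low"},
    {"asset": "build server", "likelihood": "low", "impact": "medium"},
]

if __name__ == "__main__":
    for row in assess(SAMPLE_REGISTER):
        lo, hi = row["expected_annual_loss"]
        print(f"{row['asset']:18} {row['qualitative']:6} {lo:>10,.0f} - {hi:>12,.0f}")
    # Does a 30,000/year control that moves the database threat from high to low likelihood pay off?
    print(control_justified("high", "low", "high", 30_000))
```

Note that the numeric output is only as good as the bands: the "high/high" entry spans a twenty-fold range, which is exactly the point made in the answer above that the quantitative figure adds little unless the underlying metrics are consistent and accurate.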