What is quantitative vs qualitative risk assessment?
D1 · General · CompTIA Security+ SY0-701

Quantitative risk assessment assigns numerical (monetary) values to risks using formulas:
SLE (Single Loss Expectancy) = Asset Value × Exposure Factor, where EF is the fraction of the asset's value (0 to 1) lost in a single incident
ALE (Annualized Loss Expectancy) = SLE × ARO (Annualized Rate of Occurrence, the expected number of incidents per year)
This lets you compare a control's annual cost directly against the ALE reduction it delivers, i.e. a cost/benefit or ROI calculation.
Qualitative risk assessment uses descriptive ratings (High/Medium/Low, 1-5 scales) based on expert judgment; it is faster but less precise, and is used when hard data is unavailable.
Know the quantitative formulas: SLE = Asset Value × EF and ALE = SLE × ARO. If a control's annualized cost is less than the ALE reduction it provides (ALE before the control minus ALE after it), the control is worth implementing; the difference is its net annual benefit. Qualitative assessment is faster and good for initial assessments. Most real organizations use a hybrid approach: qualitative ratings to triage, quantitative figures where the data exists.
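The formulas and the cost/benefit rule above, worked through in code. This is an added example, not part of the original flashcard: the asset value, exposure factor, ARO, control costs and the High/Medium/Low band thresholds in the 5x5 qualitative matrix are all constructed for illustration, and `Risk`, `Control`, `residual_risk`, `net_annual_benefit`, `rank_controls` and `qualitative_rating` are names chosen here, not from any standard or product.

```python
"""Worked SLE / ALE / control cost-benefit example (constructed figures)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Risk:
    """One line of a quantitative risk register."""
    name: str
    asset_value: float      # AV: business/replacement value, in currency units
    exposure_factor: float  # EF: fraction of AV lost in a single incident (0.0 to 1.0)
    aro: float              # ARO: expected number of incidents per year

    def __post_init__(self) -> None:
        # Out-of-range inputs silently produce nonsense ALEs, so reject them up front.
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError(f"{self.name}: EF must be between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError(f"{self.name}: AV and ARO must be non-negative")

    def sle(self) -> float:
        """Single Loss Expectancy = AV x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy = SLE x ARO."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    """A candidate safeguard: what it costs per year and which factor it changes."""
    name: str
    annual_cost: float                           # amortized purchase + yearly operating cost
    new_exposure_factor: Optional[float] = None  # None: the control does not change EF
    new_aro: Optional[float] = None              # None: the control does not change ARO


def residual_risk(risk: Risk, control: Control) -> Risk:
    """The same risk after the control is applied (EF and/or ARO reduced)."""
    ef = risk.exposure_factor if control.new_exposure_factor is None else control.new_exposure_factor
    aro = risk.aro if control.new_aro is None else control.new_aro
    return Risk(risk.name, risk.asset_value, ef, aro)


def net_annual_benefit(risk: Risk, control: Control) -> float:
    """ALE reduction minus the control's annual cost; positive means worth implementing."""
    return risk.ale() - residual_risk(risk, control).ale() - control.annual_cost


def rank_controls(risk: Risk, controls: List[Control]) -> List[Tuple[str, float]]:
    """Controls sorted best-first by net annual benefit."""
    scored = [(c.name, net_annual_benefit(risk, c)) for c in controls]
    return sorted(scored, key=lambda item: item[1], reverse=True)


def qualitative_rating(likelihood: int, impact: int) -> str:
    """5x5 likelihood x impact matrix. The band thresholds are an assumption
    made for this example; organizations define their own."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact are rated 1 to 5")
    score = likelihood * impact
    if score >= 15:
        return "High"
    if score >= 6:
        return "Medium"
    return "Low"


# Constructed sample figures, not from any real assessment.
WEB_SERVER_DEFACEMENT = Risk("web server defacement", asset_value=200_000,
                             exposure_factor=0.25, aro=0.5)
CANDIDATE_CONTROLS = [
    Control("WAF", annual_cost=8_000, new_aro=0.1),
    Control("managed detection and response", annual_cost=30_000, new_aro=0.05),
]

if __name__ == "__main__":
    r = WEB_SERVER_DEFACEMENT
    print(f"SLE = {r.sle():,.0f}   ALE = {r.ale():,.0f}")
    for name, benefit in rank_controls(r, CANDIDATE_CONTROLS):
        verdict = "implement" if benefit > 0 else "reject"
        print(f"{name}: net annual benefit {benefit:,.0f} -> {verdict}")
    print("qualitative (likelihood 4, impact 5):", qualitative_rating(4, 5))
```

With these figures SLE is 50,000 and ALE 25,000 per year. The WAF cuts ALE to 5,000 for 8,000 a year (net benefit 12,000, implement); the second service cuts ALE to 2,500 but costs 30,000 (net benefit -7,500, reject even though it reduces risk more). That is the exam rule in practice: the comparison is control cost against ALE reduction, not against residual risk alone.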