Qualitative vs. Quantitative Risk Analysis.
- For any Risk analysis we need to identify our assets. What are we protecting?
- Qualitative Risk Analysis – How likely is it to happen and how bad is it if it happens? This is vague: guesswork and gut feeling, but relatively quick to do. It is most often done to know where to focus the Quantitative Risk Analysis.
- Quantitative Risk Analysis – What will it actually cost us in $? This is fact-based analysis: it uses the total $ value of the asset, and math is involved.
- Threat – A potentially harmful incident (Tsunami, Earthquake, Virus, … )
- Vulnerability – A weakness that can allow the Threat to do harm (having a Data Center in the Tsunami flood area, not being Earthquake resistant, not applying patches and antivirus, …)
- Risk = Threat x Vulnerability.
- Impact – Can at times be added to give a fuller picture. Risk = Threat x Vulnerability x Impact (How bad is it?).
- Total Risk = Threat x Vulnerability x Asset Value.
- Residual Risk = Total Risk – Countermeasures.