Quantitative assessments are based on facts and items that can be measured and counted. Through quantitative assessments, a baseline may be established, goals created, and an effort's efficiency and efficacy measured. Qualitative assessments gather ideas, observations, and knowledge of past events to develop a narrative that can be used to predict outcomes.

I've used quantitative assessments to determine how many support requests were submitted to our IT Service Desk, how many services have a defined recovery time objective (RTO) expectation, and how many incidents were resolved within the defined RTO. Using qualitative assessments, I surveyed our end-users to determine if the defined RTO expectations continued to meet their business needs.

Which is better for assessing IT risk? These methods work cooperatively to give business leaders the necessary understanding of overall risk. While quantitative assessments provide clear indicators for measuring IT risk and are typically simpler to define and implement, qualitative assessments fill in the information "as it relates to the outcome(s) of a risk occurrence" (1). Qualitative assessments better communicate the magnitude of impact of risks identified by quantitative means.

1. (ISC)2 SSCP Systems Security Certified Practitioner Official Study Guide