Quantitative risk assessments are assessments that focus on numeric values. With
these assessments, you will see data such as percentages and costs. On the other
hand, qualitative risk assessments are assessments that focus on more
“explanatory” outcomes. Instead of focusing on the numbers aspect of risk, they
focus on quality or attributes.
In my experience when writing an intelligence risk assessment there are diﬀerent
ways you can present risk in a certain situation. You could say there is a 60%
chance of something happening as a result of something else. This would be an
example of a quantitative risk assessment. However, saying something has a 90%
chance of happening is sometimes not as helpful as it seems to policymakers.
Instead, you can say that you are “almost certain” that the same situation is going to
When assessing IT risk, I believe quantitative risk assessments would be a better
option. Quantitative data would help assess the diﬀerent aspects of the risk, giving
better insight into the risk itself.