Example of quantitative and qualitative risk assessment

Guest user. Created: Jun 15, 2016. Last commented: Jun 15, 2016

Can you please tell me the difference between quantitative and qualitative risk assessment, with a proper example? I have so many doubts about it... Please help me out with this.

Antonio Jose Segovia Jun 15, 2016

Answer:
Basically, quantitative is when you determine the risk with numerical values (for example, based on economic values), and qualitative is when you determine the risk with nominal values.

For example, in a quantitative risk assessment, you can have this formula for the risk:

Risk = Impact x Likelihood

Here the impact is in terms of money and the likelihood in terms of %. So, if the impact in economic terms is $10.000 and the likelihood is 90%, the risk is: $10.000 x 0,9 = 9000. Here you also need to define different levels of risk (for example, 0-5000 is low, 5000-10.000 is medium, 10.000 and 50.000 is high).

Regarding the qualitative risk assessment, you can also use the same formula:

Risk = Impact x Likelihood

But in this case the values will be only nominal: Low, Medium, High (or you can also use 1, 2, 3), so in this case you will need a table with all possible values. For example, if the impact is low and the likelihood is low, the risk will be low. If the impact is low and the likelihood is medium, the risk will be low, etc.

Examples of quantitative risk assessment are MAGERIT, or SOMAP, and examples of qualitative risk assessment are CRAMM, or OCTAVE.

Generally, the qualitative risk assessment is easier, and the quantitative is more precise, and you can develop the methodology that you want. So this article may be interesting for you: “How to write ISO 27001 risk assessment methodology”: https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/

And our online course may also be interesting for you, because we give more information about risk assessment: “ISO 27001:2013 Foundations Course”: https://advisera.com/training/iso-27001-foundations-course/
