As Tipton and Krause noted, whether we choose a quantitative assessment or a qualitative one, the elements that need to be considered (if we recall the "Divide et Impera" adage) are:
– tangible or intangible asset value (the value of these assets is usually determined in terms of the cost required to replace them)
– threat frequency (a threat is an event whose occurrence would lead to an unwanted impact)
– threat exposure factor (this factor is a measure of the magnitude of loss or of the impact on the value of an asset)
– safeguard effectiveness (the degree to which a safeguard effectively minimizes a vulnerability and reduces the risk of the associated loss)
– safeguard cost (safeguards are often described as controls or countermeasures; this is where cost/benefit analysis comes in)
– uncertainty (the degree of trust, expressed as a percentage, in the value of any element of the risk assessment process)
As a (pre-)conclusion, if these elements are evaluated against high-medium-low criteria, the assessment will be qualitative.
To the degree to which each of these elements is quantified through independent, objective indexes, such as the monetary cost of replacing the asset or the annual occurrence rate for the frequency of the threat, risk assessment becomes predominantly quantitative.
If all six elements are quantified through independent, objective indexes, risk assessment is fully quantitative and is subject to a series of statistical analyses.
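The following is an added example, not taken from the original text or from Tipton and Krause, showing how the six elements combine once they are quantified and how the assessment type follows from which of them carry numbers. The single and annualized loss expectancy formulas are the standard ones; the sample values, the "partly quantitative" label and the way the uncertainty figure widens the result are assumptions made for illustration.

```python
from dataclasses import dataclass, astuple

@dataclass
class RiskElements:
    """The six elements listed above; each is a number or 'high'/'medium'/'low'."""
    asset_value: object              # replacement cost, in currency units
    threat_frequency: object         # annual occurrence rate
    exposure_factor: object          # fraction of asset value lost per event (0..1)
    safeguard_effectiveness: object  # fraction of the loss the safeguard removes (0..1)
    safeguard_cost: object           # annual cost of the safeguard
    uncertainty: object              # trust in the estimates, as a fraction (0..1)

def assessment_type(e):
    """Classify by how many elements carry an objective numeric index."""
    quantified = sum(isinstance(v, (int, float)) for v in astuple(e))
    if quantified == 0:
        return "qualitative"
    return "fully quantitative" if quantified == 6 else "partly quantitative"

def cost_benefit(e):
    """Cost/benefit figures for a fully quantified assessment."""
    if assessment_type(e) != "fully quantitative":
        raise ValueError("all six elements must be numeric")
    sle = e.asset_value * e.exposure_factor           # single loss expectancy
    ale = sle * e.threat_frequency                    # annualized loss expectancy
    residual = ale * (1 - e.safeguard_effectiveness)  # loss remaining with safeguard
    reduction = ale - residual
    # Assumption: a trust level c widens the loss reduction by +/-(1 - c).
    band = 1 - e.uncertainty
    low = reduction * (1 - band) - e.safeguard_cost
    high = reduction * (1 + band) - e.safeguard_cost
    return {"ale": ale, "residual_ale": residual,
            "net_benefit": reduction - e.safeguard_cost,
            "net_benefit_range": (low, high),
            "justified": low > 0}  # safeguard pays off even at the pessimistic end

# Constructed sample values, not taken from the page.
SAMPLE = RiskElements(200_000, 0.5, 0.25, 0.75, 10_000, 0.75)
MIXED = RiskElements(200_000, "medium", 0.25, "high", 10_000, "low")

if __name__ == "__main__":
    print(assessment_type(SAMPLE), cost_benefit(SAMPLE))
    print(assessment_type(MIXED))
```
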