Pete’s got some interesting stuff over at his blog on qualitative vs. quantitative analysis. From his post:
Numbers provide a level of clarity and precision that you can’t get with qualitative approaches, and they are at least as accurate. This is an important point: with quantitative approaches, you cannot do any worse than you are doing today in your risk assessment, and, given the numerous biases that humans are known to exhibit, there is a tremendous upside. Anyone that is “gaming” numbers is doing it to support their own subjective, qualitative (likely-biased) approach.
Quantitative methods don’t need to be absolute (and never are when dealing with probabilities of future events) to be useful. Using numbers that other people disagree with doesn’t make you a liar any more than two people who disagree on what “due diligence” mechanisms to deploy makes one of them a liar. It provides an opportunity for collaboration and consensus that is much more specific than subjective, qualitative approaches.
I’m not sure I could have said it any better.
August 29, 2007, 12:05pm