
The National Law Institute University, Bhopal

Programme Offers

Master

Of

Cyber Law and Information Security

PROJECT

on

“Comparative study on qualitative and quantitative risk analysis”

SUBJECT

“Information security risk management”

SUBMITTED TO: Mr. Mayank Tiwari

SUBMITTED BY: Sajag Jain, 2018-MCLIS-48
Table of Contents:
ABSTRACT
1. INTRODUCTION
2. QUALITATIVE RISK ANALYSIS
3. QUANTITATIVE RISK ANALYSIS
4. COMPARISON
5. ADVANTAGES OF QUALITATIVE RISK ANALYSIS
6. ADVANTAGES OF THE QUANTITATIVE RISK ANALYSIS
7. IMPLEMENTATION OF RISK ANALYSIS (Qualitative Risk Analysis)
8. IMPLEMENTATION OF RISK ANALYSIS
9. CONCLUSION AND SUGGESTION

ABSTRACT:
Risk management is a critical part of every industrial activity. Because of the importance, potential impact and complexity of industrial processes in recent years, risk analysis has taken advantage of increased computational availability to deliver tools at every level of the risk management spectrum. Bow-tie models are used at various levels of the risk analysis process because of their so-called generalized shape, and fundamentally because their presentation aggregates complex, real-world scenarios in reducible, consistent and communicable ways.
Keywords: Risk analysis, Quantitative risk analysis, Qualitative risk analysis.

1. INTRODUCTION:
One of the most important tasks for any project is risk analysis [1]. Qualitative and quantitative risk analysis, the two types of risk analysis, are in practice steps of an overall risk assessment process. In the qualitative risk analysis process, project risks are assessed on the basis of their likely impact and probability. The quantitative risk analysis process goes a step further: the risks are evaluated in more detail and with more objective methods, so that they can be rated numerically on the basis of how they can affect the overall project objectives. This paper compares and contrasts qualitative and quantitative risk analysis.

2. QUALITATIVE RISK ANALYSIS


Qualitative risk analysis prioritizes the identified project risks using a pre-defined rating scale [2]. Risks are scored on the basis of their likelihood or probability of occurring and their impact on project objectives should they occur.
Likelihood/probability is commonly ranked on a zero-to-one scale (e.g., 0.4 equating to a 40% probability of the risk event occurring).
The impact scale is defined organizationally (e.g., a one-to-five scale, five being the highest impact on project objectives such as quality, budget, or schedule).
Qualitative risk analysis also includes appropriate categorization of the risks, either effect-based or source-based.

[1] Risk analysis is the review of the risks associated with a particular event or action. It is applied to projects, information technology, security issues and any action where risks may be analyzed on a quantitative and qualitative basis. Available at http://searchmidmarketsecurity.techtarget.com/definition/risk-analysis. Accessed on 17/03/2019.

[2] A rating scale is a method that requires the rater to assign a value, sometimes numeric, to the rated object, as a measure of some rated attribute. Available at https://en.wikipedia.org/wiki/Rating_scale. Accessed on 17/03/2019.

3. QUANTITATIVE RISK ANALYSIS
Quantitative risk analysis is a further analysis of the highest-priority risks, in which a numerical or quantitative rating is assigned so that a probabilistic analysis of the project can be developed.
A quantitative analysis:
a. Provides a quantitative approach to making decisions under uncertainty.
b. Creates achievable and realistic cost, scope or schedule targets.
c. Quantifies the possible outcomes for the project and assesses the probabilities of achieving specific project objectives.

4. COMPARISON
| Qualitative risk analysis | Quantitative risk analysis |
| --- | --- |
| The Qualitative Risk Analysis process considers all the risks identified in the Identify Risks process. | The Quantitative Risk Analysis process considers only the risks that are marked for further analysis in the Qualitative Risk Analysis process. |
| The Qualitative Risk Analysis process does not analyze the risks mathematically to identify the probability and distribution; rather, stakeholders' inputs (expert judgment) are used to judge the probability and impact. | Perform Quantitative Risk Analysis uses probability distributions to characterize the risk's probability and impact. It also uses a project model (e.g. schedule, cost estimate) and mathematical and simulation tools to calculate the probability and impact. |
| Individual risks are assessed by assigning a numeric ranking of probability and impact; usually a rank of 0 to 1 is used, where 1 denotes high. | Predicts likely project outcomes in terms of money or time, based on the combined effects of risks. |
| The Qualitative Risk Analysis process is usually applied in most projects. | The Quantitative Risk Analysis process may not be applied to simple or moderate projects. |
| Should always be done. | Can be optional. |
| For smaller projects QLRA will suffice. QTRA is time-consuming and hence may not be desired. | For large projects, QTRA is needed to know the overall risk of the project. |
| Risk scale is qualitative and can be textual (low, medium, high), color coded, numeric (from 1 to 5) or some combination. | Risk scale and scores are quantitative, typically specified in monetary and schedule terms. |
| The "P" and "I" values are determined and the priority is determined based on "risk attitude", that is, to what extent individual risk or overall project risk matters. | In QTRA, further prioritization happens based on cost impact and/or schedule impact. On this prioritized list, the risk response is planned. |
| Examines individual project risks. | Examines the combined effects of risks on the project as a whole to determine an overall project risk. |
| Day-to-day risk management [3] is focused on individual project risks. | Overall project risk is important for strategic decision making and project governance. |

5. ADVANTAGES OF QUALITATIVE RISK ANALYSIS


• Easy presentation: The results of qualitative risk analysis can be presented graphically using a risk assessment matrix. A project manager can use the matrix to communicate the risk management strategy to team members or senior managers.
• Simple assessment methods: The project team needs no special training to conduct qualitative risk analysis, as it does not rely on any complicated software or tools.
• Easy prioritization: Because qualitative analysis classifies risks according to their impact and likelihood, it is easy to determine which risks an organization must focus on: the ones that fall into the category of highest likelihood and impact.
• No need to determine frequency: Qualitative risk analysis does not depend on the frequency of risk occurrence, so the team performing the analysis can save time by not predicting the exact time and frequency of each risk.
• No need to quantify the impact on cost and schedule: As the qualitative analysis does not quantify the impact of the risk on the project costs and schedule, time is saved during the analysis.

[3] Risk management is the identification, evaluation, and prioritization of risks (defined in ISO 31000 as the effect of uncertainty on objectives) followed by coordinated and economical application of resources to minimize, monitor, and control the probability or impact of unfortunate events. Available at https://en.wikipedia.org/wiki/Risk_management. Accessed on 20/03/2019.

6. ADVANTAGES OF THE QUANTITATIVE RISK ANALYSIS

• Defining the probability of success: A schedule risk analysis helps establish the team's confidence level in the overall execution plan.
• Identify high risk areas: Risk analysis helps highlight the higher-risk areas in the project execution and schedule plans. This helps project management focus on the key resources where attention is needed.
• Mitigation: The initial risk assessment provides a good list of higher-risk schedule areas. Once these are identified, the process forces the project team to think ahead and develop mitigation plans, which are to be monitored on an ongoing basis. The model also provides a platform that the planner can use to analyze the impact of mitigation plans and execution changes in the future.
• Ongoing risk management: The time spent building a good schedule risk model typically augments the existing risk management plan. Building in periodic schedule risk reviews keeps the team involved in the risk management process and provides continued assessment of the overall confidence level in the project process.
• Improve client confidence: This process is a good way to build client confidence in the project schedule completion date and to support business development needs. A proactive risk management plan helps assure clients that you are looking ahead and are ready for any potential impacts.

7. IMPLEMENTATION OF RISK ANALYSIS (Qualitative Risk Analysis)


XYZ is a telecommunication company to which we apply qualitative risk analysis.
The objective of this company is to provide better telecommunication services, secure communication, etc.
Asset identification:
a. Infrastructure building
b. Hardware- laptops, computers, printers, cameras.
c. Documents- user manual, contracts, training documents.
d. Communication infrastructure: modems, cables, telephone, mobiles.

7.1. RISK ASSESSMENT PROPERTIES

7.2. Analysis of identified risk on an asset computer

8. IMPLEMENTATION OF RISK ANALYSIS


| S No. | Asset name | Asset value | Exposure factor | Single loss expectancy | Annualized rate of occurrence | Annualized loss expectancy |
| --- | --- | --- | --- | --- | --- | --- |
| 1 | Computer | 3,000,000 | 25% | 750,000 | 5 | 3,750,000 |
| 2 | Cables | 20,000,000 | 65% | 1,300,000 | 6 | 7,800,000 |
| 3 | Modems | 1,000,000 | 30% | 3,000,000 | 4 | 12,000,000 |
| 4 | Customer information | 7,000,000 | 30% | 2,100,000 | 3 | 6,300,000 |
| 5 | Cameras | 8,500,000 | 55% | 4,675,000 | 5 | 23,375,000 |

8.1. EXAMPLE
Asset name = Computer
Asset value (AV) = 3,000,000
Exposure factor (EF) = 25%
SLE = AV × EF
SLE = 3,000,000 × 25%
SLE = 750,000

CALCULATION OF ALE
ALE = ARO × SLE
ARO = 5
SLE = 750,000
ALE = 5 × 750,000
ALE = 3,750,000

VALUE OF BENEFIT OF THE SAFEGUARD
Benefit = ALE − value of the safeguard
= 3,750,000 − 800,000
Savings = 2,950,000
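
The SLE, ALE and safeguard-benefit arithmetic above, as an added Python example that is not part of the original project. It recomputes the section 8 table from AV, EF and ARO and reports any row whose printed SLE or ALE does not follow from the formulas; the `ale_after` parameter (residual ALE once the safeguard is in place) is an assumption that generalizes the page's "ALE − value of the safeguard", which corresponds to `ale_after = 0`.

```python
from dataclasses import dataclass
from fractions import Fraction

@dataclass(frozen=True)
class Row:
    asset: str
    av: int          # asset value (AV)
    ef_pct: int      # exposure factor (EF), in percent
    aro: int         # annualized rate of occurrence (ARO)
    stated_sle: int  # SLE as printed in the table
    stated_ale: int  # ALE as printed in the table

# Rows copied from the table in section 8.
TABLE = [
    Row("Computer", 3_000_000, 25, 5, 750_000, 3_750_000),
    Row("Cables", 20_000_000, 65, 6, 1_300_000, 7_800_000),
    Row("Modems", 1_000_000, 30, 4, 3_000_000, 12_000_000),
    Row("Customer information", 7_000_000, 30, 3, 2_100_000, 6_300_000),
    Row("Cameras", 8_500_000, 55, 5, 4_675_000, 23_375_000),
]

def sle(av, ef_pct):
    """SLE = AV * EF, in exact arithmetic (no float rounding)."""
    return Fraction(av * ef_pct, 100)

def ale(aro, sle_value):
    """ALE = ARO * SLE."""
    return aro * sle_value

def safeguard_benefit(ale_before, safeguard_cost, ale_after=0):
    """ALE - safeguard cost; ale_after (residual ALE) is an added assumption."""
    return ale_before - ale_after - safeguard_cost

def audit(rows):
    """Return (asset, field, stated, recomputed) for each figure that fails."""
    findings = []
    for r in rows:
        if sle(r.av, r.ef_pct) != r.stated_sle:
            findings.append((r.asset, "SLE", r.stated_sle, int(sle(r.av, r.ef_pct))))
        if ale(r.aro, r.stated_sle) != r.stated_ale:
            findings.append((r.asset, "ALE", r.stated_ale, ale(r.aro, r.stated_sle)))
    return findings

if __name__ == "__main__":
    for finding in audit(TABLE):
        print(finding)
    print(safeguard_benefit(ale(5, sle(3_000_000, 25)), 800_000))
```

On the table as printed, `audit(TABLE)` reports the Cables and Modems rows, where the stated SLE differs from AV × EF while the stated ALE still equals ARO × stated SLE.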

9. CONCLUSION AND SUGGESTION


Both qualitative and quantitative risk analysis are important for project risk management, in which QLRA and QTRA play distinct roles. Combining qualitative and quantitative risk analysis gives a multi-dimensional view that enhances an accurate understanding of our threat impact cost and weight level.
