7. Risk Assessment Approaches

Risk can be assessed in various ways: quantitatively, qualitatively, or semi-quantitatively. Each approach has its advantages and disadvantages, and organizations choose based on their culture and attitudes towards uncertainty and risk communication.


Quantitative assessments

Quantitative assessments use numerical values, supporting cost-benefit analyses but requiring careful interpretation. They are rigorous and repeatable but can become less reliable if subjective judgments or uncertainties are involved.


Qualitative assessments

Qualitative assessments use nonnumerical categories (e.g., low, medium, high) to communicate risk effectively. However, they have limited granularity, and different experts might produce varying results unless the categories are well-defined and annotated for consistency.


Semi-quantitative assessments

Semi-quantitative assessments combine aspects of both quantitative and qualitative methods, using bins, scales, or representative numbers. They make it easier to communicate risk to decision-makers and allow relative comparisons between risks, but the scales must be carefully defined to avoid ambiguity. CSFaaS currently provides a qualitative approach, while semi-quantitative and quantitative methods are on the roadmap. If you have questions or would like to learn more, please reach out to us.
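To make the three approaches concrete, here is an added example (not CSFaaS code and not taken from NIST SP 800-30) that assesses the same constructed scenarios quantitatively (ALE = SLE x ARO), qualitatively (written-down category boundaries plus a lookup matrix) and semi-quantitatively (representative numbers per bin, multiplied and re-binned). The scenarios, thresholds, representative numbers and matrix are all illustrative assumptions; the point is that the qualitative and semi-quantitative results depend entirely on how those scales are defined.

```python
from dataclasses import dataclass

# Constructed scenarios and scale definitions (illustrative assumptions, not from NIST or CSFaaS).
@dataclass(frozen=True)
class Scenario:
    name: str
    sle: float  # single loss expectancy: cost per occurrence, in currency units
    aro: float  # annual rate of occurrence: expected events per year

def quantitative(s: Scenario) -> float:
    """Quantitative: annualized loss expectancy = SLE x ARO, directly usable in cost-benefit analysis."""
    return s.sle * s.aro

# Qualitative: every category boundary is written down so two assessors bin the same input the same way.
LIKELIHOOD_BANDS = [(0.1, "low"), (1.0, "medium"), (float("inf"), "high")]      # upper bounds on ARO
IMPACT_BANDS = [(10_000, "low"), (100_000, "medium"), (float("inf"), "high")]  # upper bounds on SLE

def band(value: float, bands) -> str:
    """Return the label of the first band whose upper bound is above the value."""
    return next(label for upper, label in bands if value < upper)

# Likelihood x impact lookup; the combination rule is stated explicitly rather than left to judgment.
QUALITATIVE_MATRIX = {
    ("low", "low"): "low",         ("low", "medium"): "low",         ("low", "high"): "moderate",
    ("medium", "low"): "low",      ("medium", "medium"): "moderate", ("medium", "high"): "high",
    ("high", "low"): "moderate",   ("high", "medium"): "high",       ("high", "high"): "high",
}

def qualitative(s: Scenario) -> str:
    return QUALITATIVE_MATRIX[(band(s.aro, LIKELIHOOD_BANDS), band(s.sle, IMPACT_BANDS))]

# Semi-quantitative: each bin gets a representative number; the product is a score that can be
# ranked against other scenarios and then re-binned into a level for reporting.
REPRESENTATIVE = {"low": 2, "medium": 5, "high": 10}
SCORE_BANDS = [(11, "low"), (26, "moderate"), (101, "high")]  # upper bounds on the 4..100 score

def semi_quantitative(s: Scenario) -> tuple[int, str]:
    score = REPRESENTATIVE[band(s.aro, LIKELIHOOD_BANDS)] * REPRESENTATIVE[band(s.sle, IMPACT_BANDS)]
    return score, band(score, SCORE_BANDS)

def assess(scenarios: list[Scenario]) -> list[dict]:
    """Run all three approaches and rank scenarios by semi-quantitative score, then by ALE."""
    rows = []
    for s in scenarios:
        score, level = semi_quantitative(s)
        rows.append({"name": s.name, "ale": quantitative(s), "qualitative": qualitative(s),
                     "score": score, "level": level})
    return sorted(rows, key=lambda r: (r["score"], r["ale"]), reverse=True)

# Constructed sample: two scenarios share the same ALE but sit in different qualitative bins.
SAMPLE = [Scenario("phishing", 50_000, 0.5), Scenario("dc fire", 500_000, 0.05),
          Scenario("laptop theft", 2_000, 3)]

if __name__ == "__main__":
    for row in assess(SAMPLE):
        print(row)
```

"phishing" and "dc fire" have identical ALE (quantitative) yet different likelihood and impact bins, which is exactly the granularity that the numeric figure alone hides and the category definitions must capture.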


(Source: NIST SP 800-30)