CERTIFIED-IN-CYBERSECURITY Question #490: Real Exam Question with Answer & Explanation

Question

What is the PRIMARY difference between qualitative and quantitative risk analysis?

Options

• AQualitative risk analysis is based on numerical data, while quantitative risk analysis is based on
• BQualitative risk analysis is based on subjective data, while quantitative risk analysis is based on
• CQualitative risk analysis is based on objective data, while quantitative risk analysis is based on
• DQualitative risk analysis is based on numerical data, while quantitative risk analysis is based on

Explanation

The primary difference between qualitative and quantitative risk analysis is in the nature and treatment of the data used (see the ISC2 Study Guide, Chapter 1, Module 2). Qualitative risk analysis is less precise and relies on subjective data such as expert judgment, perceptions and opinions. For example, questionnaires may be used to measure employee awareness of a potential cyber attack. Conversely, quantitative risk analysis uses numerical or statistical data to produce measurable and calculable results. For example, assessing the potential financial loss that a cybersecurity breach could cause by calculating the costs associated with managing such incidents in the past enables a company to make informed decisions. The remaining options are wrong. The key point is how "subjective" or judgment-based data should be used in qualitative analysis, while "numerical" or countable data is used in quantitative analysis. Finally, another option introduces the term "objective data," which is ambiguous because both qualitative and quantitative data can be considered "objective" from different perspectives.

No community discussion yet for this question.