IT Examiner School eBook
Weighing Threats
• Institutions may choose between
  • Qualitative Assessment
  • Quantitative Assessment
  • Combination of both, but Qualitative
• Management may place more weight on one type of threat than another.
• When reviewing the institution's risk values, interact with management if something does not make sense.
Risk Assessment Methodologies
Qualitative
• Based on Judgment
• Simple to implement
• Flexible, cover all business risks
• Quick to identify risks
• Subjective/Bias
• Delphi technique/expert opinions
• Decision trees
• Probability/Consequence
• Relies on organizational expertise
Quantitative
• Data Driven!
• Objective and accurate
• Realistic and measurable
• Requires data for analysis
• More complex = more time
• Data can be difficult to collect