Which of the following answer BEST relates to the type of risk analysis that involves committees, interviews,
opinions and subjective input from staff?

A.
Qualitative Risk Analysis

B.
Quantitative Risk Analysis

C.
Interview Approach to Risk Analysis

D.
Managerial Risk Assessment

Explanation:
Qualitative risk analysis methods walk through different scenarios of risk possibilities and rank the seriousness
of the threats and the validity of the different possible countermeasures based on opinions. (A wide sweeping
analysis can include hundreds of scenarios.) Qualitative analysis techniques include judgment, best practices,
intuition, and experience. Examples of qualitative techniques to gather data are Delphi, brainstorming,
storyboarding, focus groups, surveys, questionnaires, checklists, one-on-one meetings, and interviews. The
risk analysis team will determine the best technique for the threats that need to be assessed, as well as the
culture of the company and individuals involved with the analysis. The team that is performing the risk analysis
gathers personnel who have experience and education on the threats being evaluated. When this group is
presented with a scenario that describes threats and loss potential, each member responds with their gut
feeling and experience on the likelihood of the threat and the extent of damage that may result.
Incorrect Answers:
B: Quantitative Risk Analysis assigns a monetary value to impact of a risk. This is not what is described in the
question.
C: Interview Approach to Risk Analysis is not one of the defined risk analysis types.
D: Managerial Risk Assessment is not the best type of risk analysis that involves committees, interviews,
opinions and subjective input from staff.

Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 89