PrepAway - Latest Free Exam Questions & Answers

Which of the following is an advantage of a qualitative over a quantitative risk analysis?

A. It prioritizes the risks and identifies areas for immediate improvement in addressing the vulnerabilities.

B. It provides specific quantifiable measurements of the magnitude of the impacts.

C. It makes a cost-benefit analysis of recommended controls easier.

D. It can easily be automated.

Explanation:
Qualitative risk assessments rate the level of risk, whereas quantitative risk assessments place a monetary
value on the effect of risk. For example, a qualitative risk assessment may use a scale such as low risk,
medium risk and high risk, or a 1 to 10 scale.

One risk assessment methodology is called FRAP, which stands for Facilitated Risk Analysis Process. The
crux of this qualitative methodology is to focus only on the systems that really need assessing, to reduce costs
and time obligations. It stresses prescreening activities so that the risk assessment steps are only carried out
on the item(s) that need it the most. It is to be used to analyze one system, application, or business process at
a time. Data is gathered and threats to business operations are prioritized based upon their criticality. The risk
assessment team documents the controls that need to be put into place to reduce the identified risks, along with
action plans for control implementation efforts.

Incorrect Answers:
B: Quantitative, not qualitative, risk assessments provide specific quantifiable measurements of the magnitude
of the impacts.
C: Quantitative, not qualitative, risk assessments make a cost-benefit analysis of recommended controls easier.
D: Quantitative, not qualitative, risk assessments can easily be automated, or at least partially automated.

Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 79

