A company needs to determine its security budget for the next year. It interviews users, administrators, and managers in the information technology division, who render opinions and recommendations based upon their perceptions of security risk. This is an example of what kind of approach to risk analysis?

A.
Qualitative

B.
Value-based

C.
Quantitative

D.
Accumulative

Explanation:
A qualitative approach is based on judgments, intuition, and experience. It differs
from a quantitative approach which systematically calculates the annual cost based
on the impact and likelihood that security problems will manifest. Both approaches
are useful, and neither will yield completely accurate results. Value-based is
another way of saying "quantitative." There is no such thing as an accumulative
approach to risk quantification, although the historical effectiveness of security
could be factored into the results.