Performing a quantitative analysis presents several challenges, including a lack of previous data, the time and cost involved, and the potential to oversimplify complex risks. Quantitative information security risk analysis depends on previous research/data to be able to estimate cost to each risk identified. However, this research is often insufficient, time-consuming, and expensive. While it is an important analysis quantitative analysis can undermine the complexity of risks. The cost of a security risk will vary greatly from company to company depending on the complexities of the risk. As a result, it is often difficult to accurately quantify a risk, and quantitative analysis should not be viewed as the sole method for evaluating risks.
Sarah Maher says
Performing a quantitative analysis presents several challenges, including a lack of previous data, the time and cost involved, and the potential to oversimplify complex risks. Quantitative information security risk analysis depends on previous research/data to be able to estimate cost to each risk identified. However, this research is often insufficient, time-consuming, and expensive. While it is an important analysis quantitative analysis can undermine the complexity of risks. The cost of a security risk will vary greatly from company to company depending on the complexities of the risk. As a result, it is often difficult to accurately quantify a risk, and quantitative analysis should not be viewed as the sole method for evaluating risks.