Qualitative risk analysis — SY0-701
Learn what qualitative risk analysis is, how it differs from quantitative analysis, and the exam traps candidates face on the Security+ SY0-701.
WHAT IT IS
Qualitative risk analysis is a method for risk analysis that is based on the assignment of a descriptor such as low, medium, or high. (NISTIR 8286)
Those descriptors are applied to the two dimensions that define risk: the likelihood of a threat exploiting a vulnerability, and the magnitude of harm — the impact — that would result. Neither dimension is expressed as a dollar amount or a precise probability percentage; both remain on a named scale that the organization defines.
Mental model
Think of a heat-map grid. One axis carries the likelihood descriptors (e.g., low / medium / high); the other carries the impact descriptors (e.g., low / medium / high). The cell where a risk lands yields a priority label and nothing more. The output is a ranked order of concern, not a calculated loss figure.
This framing matters because the defining characteristic of qualitative analysis is that impact and likelihood are expressed as labels on an ordinal scale, not as numerical values such as a probability or a monetary loss.
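The heat-map model above, as an added example written for this page (not code from NIST or from the exam objectives). The three-level scales, the cell-to-priority mapping and the sample risks are all assumptions standing in for whatever scale an organization defines. Ratings are produced by matrix lookup rather than by multiplying scores, because the descriptors are ordinal labels and arithmetic on them would manufacture numbers the analysis never had; descriptors outside the defined scale are rejected instead of being silently mapped.

```python
"""Heat-map rating and ranking for qualitative risk analysis.

Added example for this page; not from NISTIR 8286 or NIST SP 800-30.
The scales, the MATRIX cell mapping and SAMPLE_RISKS are assumptions
standing in for an organization's own defined scale.
"""
from __future__ import annotations

# Ordered descriptors, lowest first. These are ordinal labels, not numbers.
LIKELIHOOD = ("low", "medium", "high")
IMPACT = ("low", "medium", "high")

# Heat map: MATRIX[likelihood][impact] -> priority label (assumed mapping).
# A lookup table is used instead of likelihood * impact so that no
# numerical value is ever attached to either dimension.
MATRIX = {
    "low":    {"low": "low",    "medium": "low",    "high": "medium"},
    "medium": {"low": "low",    "medium": "medium", "high": "high"},
    "high":   {"low": "medium", "medium": "high",   "high": "high"},
}
PRIORITY_ORDER = ("high", "medium", "low")  # ranking order, highest concern first

# Constructed sample input: (risk name, likelihood descriptor, impact descriptor).
SAMPLE_RISKS = [
    ("Phishing leading to credential theft", "high", "medium"),
    ("Data center flood", "low", "high"),
    ("Unpatched internal wiki", "medium", "low"),
    ("Ransomware on file servers", "medium", "high"),
]


def rate(likelihood: str, impact: str) -> str:
    """Return the priority label for one (likelihood, impact) cell.

    Descriptors are matched case-insensitively after trimming whitespace.
    A descriptor that is not on the organization's scale is an error,
    not a guess, so a typo or an undefined level cannot change a rating.
    """
    lk, im = likelihood.strip().lower(), impact.strip().lower()
    if lk not in LIKELIHOOD:
        raise ValueError(f"unknown likelihood descriptor: {likelihood!r}")
    if im not in IMPACT:
        raise ValueError(f"unknown impact descriptor: {impact!r}")
    return MATRIX[lk][im]


def rank_risks(risks):
    """Return (name, likelihood, impact, priority) tuples ordered by priority.

    The sort is stable, so risks that share a priority label keep their
    input order: the method yields a ranked order of concern, not a
    finer-grained score that could break ties.
    """
    rated = [(name, lk, im, rate(lk, im)) for name, lk, im in risks]
    return sorted(rated, key=lambda r: PRIORITY_ORDER.index(r[3]))


def heat_map(risks):
    """Place each risk in its grid cell: {(likelihood, impact): [names]}."""
    grid = {(lk, im): [] for lk in LIKELIHOOD for im in IMPACT}
    for name, lk, im in risks:
        rate(lk, im)  # validates the descriptors before placement
        grid[(lk.strip().lower(), im.strip().lower())].append(name)
    return grid


def render(risks) -> str:
    """Render the grid as text, high likelihood on top, high impact on the right."""
    grid = heat_map(risks)
    width = 12
    lines = ["likelihood \\ impact".ljust(20) + "".join(i.ljust(width) for i in IMPACT)]
    for lk in reversed(LIKELIHOOD):
        cells = [f"{MATRIX[lk][im]}({len(grid[(lk, im)])})".ljust(width) for im in IMPACT]
        lines.append(lk.ljust(20) + "".join(cells))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(SAMPLE_RISKS))
    for name, lk, im, priority in rank_risks(SAMPLE_RISKS):
        print(f"{priority:<7} {name} (likelihood={lk}, impact={im})")
```

Each cell in the rendered grid shows the priority label that cell maps to and how many risks landed there; the ranked list underneath is the analysis output. Note that nothing in the block ever computes a loss figure.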
When to use it
| Situation | Qualitative | Quantitative |
|---|---|---|
| Data available | Descriptive / expert judgment | Statistical probabilities and monetarized valuation of loss or gain (NISTIR 8286) |
| Output produced | Descriptors such as low, medium, or high (NISTIR 8286) | Numerical values assigned to both impact and likelihood (NISTIR 8286) |
| Effort required | Lower; useful early in a risk assessment or when hard data is unavailable | Higher; requires reliable historical loss data |
| Communication audience | Stakeholders who need priorities quickly | Stakeholders who need financial justification for controls |
Use qualitative analysis when the goal is to identify and prioritize risks to organizational operations and assets (NIST SP 800-30 Rev. 1) and precise cost figures are not yet available or necessary.
COMMON MISCONCEPTION
Qualitative does not mean imprecise or sloppy. Candidates sometimes assume that because no numbers are used, the analysis is informal or less rigorous. NISTIR 8286 defines qualitative risk analysis as a method for risk analysis in its own right: a deliberate choice of descriptor-based output, not a failure to do the math.
The companion trap is confusing the two methods' outputs. Quantitative risk analysis assigns numerical values to both impact and likelihood based on statistical probabilities and monetarized valuation (NISTIR 8286). Qualitative analysis does not. If a scenario describes rating risks as "high / medium / low," that is qualitative regardless of how much effort went into arriving at those labels.
A related misconception: risk itself is always a function of two things — the adverse impacts that would arise if a circumstance or event occurs, and the likelihood of occurrence (NIST SP 800-30 Rev. 1). Qualitative analysis estimates both dimensions; it does not ignore either one.
How it shows up on the exam
The skill being tested is distinguishing qualitative from quantitative analysis by how the outputs are expressed. Candidates are typically presented with a scenario describing an organization's risk-rating process and asked to classify the method in use.
Signal phrases that point toward qualitative analysis:
- Ratings described using words rather than dollar amounts
- A risk matrix or heat map with named severity levels
- Outputs described as ordered priorities rather than calculated figures
- Expert judgment or subjective analysis used to estimate likelihood — NIST SP 800-30 Rev. 1 defines likelihood of occurrence as "a weighted factor based on a subjective analysis of the probability that a given threat can exploit a given vulnerability"
Candidates often confuse the two methods because both assess the same two dimensions (likelihood and impact). The differentiator is always the form of the output: descriptors versus numerical values.
Sources
Every claim on this page traces to the public exam blueprint and official documentation: