Quantitative risk analysis — SY0-701
Learn what quantitative risk analysis is, how it differs from qualitative analysis, and how the SY0-701 exam tests the distinction.
WHAT IT IS
Quantitative risk analysis is "a method for risk analysis where numerical values are assigned to both impact and likelihood based on statistical probabilities and monetarized valuation of loss or gain." (NISTIR 8286, via CSRC glossary)
In plain terms: every variable in the analysis — the probability that a threat materializes, and the financial harm if it does — is expressed as a number rather than a label.
Mental model
Think of quantitative risk analysis as converting a security question into a financial equation. Instead of saying a risk is "high," you calculate: if this event has a certain probability of occurring and a certain monetary cost when it does, what is the expected loss? The output is a dollar figure (or equivalent measurable unit), not a color or word.
When to use it
The exam tests whether candidates can distinguish quantitative from qualitative analysis. The NIST glossary defines both in comparable terms, which makes the boundary crisp:
| Dimension | Quantitative risk analysis | Qualitative risk analysis |
|---|---|---|
| How impact is expressed | Numerical values; monetarized valuation of loss or gain | Descriptors (e.g., low, medium, high) |
| How likelihood is expressed | Statistical probabilities | Descriptors (e.g., low, medium, high) |
| Output | A number (financial or other measurable unit) | A category or rating |
| Data requirement | Requires reliable historical or statistical data | Can work when precise data is unavailable |
| Primary strength | Supports cost-benefit comparison of controls | Faster to apply; useful when quantitative data is scarce |
Sources: NISTIR 8286 definitions for both terms, via CSRC glossary.
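To make the mental model and the cost-benefit row of the table concrete, here is an added worked example (my own code, not from the page or from NIST). It uses the standard Security+ formulas SLE = AV x EF and ALE = SLE x ARO, computes the net benefit of candidate controls, shows how far the dollar figure moves when the ARO estimate is uncertain, and places a descriptor-based rating of the same risk beside it. Every asset value, rate, control cost and the 3x3 matrix is constructed for illustration.

```python
"""Quantitative vs qualitative analysis of one constructed risk.

Added example, not code from the page or from NIST. Formulas are the
standard Security+ ones:
    SLE = AV x EF      (single loss expectancy)
    ALE = SLE x ARO    (annualized loss expectancy)
Every asset value, rate, cost and matrix below is constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # AV in dollars
    exposure_factor: float  # EF: fraction of AV lost per occurrence, 0..1
    aro: float              # expected occurrences per year

    def sle(self) -> float:
        """Single loss expectancy: what one occurrence costs."""
        return round(self.asset_value * self.exposure_factor, 2)

    def ale(self, aro: Optional[float] = None) -> float:
        """Annualized loss expectancy; an alternative ARO can be supplied."""
        rate = self.aro if aro is None else aro
        return round(self.sle() * rate, 2)


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    residual_aro: float  # ARO assumed to remain once the control is in place


def net_benefit(risk: Risk, control: Control) -> float:
    """Annual reduction in expected loss minus the control's annual cost.
    Negative means the control costs more than it saves."""
    saved = risk.ale() - risk.ale(aro=control.residual_aro)
    return round(saved - control.annual_cost, 2)


def best_control(risk: Risk, controls: List[Control]) -> Optional[Control]:
    """Control with the highest net benefit, or None if none pays for itself."""
    best = max(controls, key=lambda c: net_benefit(risk, c))
    return best if net_benefit(risk, best) > 0 else None


def ale_range(risk: Risk, aro_low: float, aro_high: float) -> Tuple[float, float]:
    """How far ALE moves when the ARO estimate is uncertain (the data caveat)."""
    return risk.ale(aro=aro_low), risk.ale(aro=aro_high)


# Qualitative analogue: a 3x3 likelihood/impact matrix. This is one
# constructed choice of matrix; organizations define their own.
_LEVELS = {"low": 0, "medium": 1, "high": 2}
_MATRIX = ("low", "medium", "medium", "high", "high")  # indexed by level sum


def qualitative_rating(likelihood: str, impact: str) -> str:
    return _MATRIX[_LEVELS[likelihood] + _LEVELS[impact]]


# Constructed scenario: a file server hit by ransomware.
FILE_SERVER_RANSOMWARE = Risk("ransomware on file server", asset_value=400_000,
                              exposure_factor=0.6, aro=0.25)
CANDIDATE_CONTROLS = [
    Control("offline backups", annual_cost=15_000, residual_aro=0.05),
    Control("EDR rollout", annual_cost=40_000, residual_aro=0.10),
]


def run_example() -> dict:
    risk = FILE_SERVER_RANSOMWARE
    chosen = best_control(risk, CANDIDATE_CONTROLS)
    return {
        "sle": risk.sle(),                                     # 240000.0
        "ale": risk.ale(),                                     # 60000.0
        "net_benefit": {c.name: net_benefit(risk, c) for c in CANDIDATE_CONTROLS},
        "best": chosen.name if chosen else "none",             # "offline backups"
        "ale_if_aro_uncertain": ale_range(risk, 0.10, 0.50),   # (24000.0, 120000.0)
        "qualitative": qualitative_rating("medium", "high"),   # "high"
    }


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

Note what the last two entries show: the same risk is "high" on the matrix whatever the ARO, while the dollar figure swings fivefold across a plausible range of ARO estimates. That is the point of the misconception discussed below: the number is only as good as the probability behind it.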
COMMON MISCONCEPTION
The specific trap: candidates assume that because quantitative analysis uses numbers, it is always more accurate or more trustworthy than qualitative analysis. That is not what the standard says. NIST defines quantitative analysis as based on statistical probabilities, so the output is only as reliable as the underlying data, and a dollar figure derived from a guessed probability carries false precision: it looks exact while being no better than the guess behind it. When historical data is limited or unreliable, a well-executed qualitative approach may be more appropriate. Neither method is universally superior; the choice depends on data availability and the decision being made.
A second common error is conflating the method (quantitative risk analysis) with the process (risk assessment). NIST defines risk assessment as the process of identifying risks to organizational operations, assets, individuals, and others. Quantitative analysis is one technique that may be applied within a risk assessment — it is not the same thing as the assessment itself.
How it shows up on the exam
Questions targeting this concept ask candidates to identify which analytical method fits a described scenario. The cognitive target is distinguishing between methods based on how outputs are expressed — specifically whether the scenario describes numerical/monetarized outputs (quantitative) or descriptor-based outputs (qualitative).
Signal phrases that suggest quantitative analysis is the answer: "dollar value," "financial loss," "statistical probability," "monetarized," "numerical value assigned to risk." Signal phrases that suggest qualitative analysis: "rated as low/medium/high," "assigned a descriptor," "categories of risk."
Candidates who focus only on the word "analysis" without attending to how the output is expressed tend to conflate the two methods. The grounding distinction — numerical values and monetarized valuation vs. descriptors — is the reliable differentiator.
Related concepts
- Risk assessment — the broader process within which quantitative analysis is applied as a technique
- Qualitative risk analysis — the adjacent method that uses descriptors instead of numerical values; the primary concept this one is confused with
- Risk register — the repository where risk information, including outputs from quantitative analysis, is recorded over time
Sources
Every claim on this page traces to the public exam blueprint and official documentation: