(ISC)2 Certified in Cybersecurity Practice Exam

How does qualitative risk analysis categorize risks?

• A. Using financial metrics and projections
• B. By assigning qualitative descriptors
• C. Through mathematical algorithms and statistics
• D. Based on historical data and trends

The correct answer is: By assigning qualitative descriptors

Qualitative risk analysis categorizes risks by assigning qualitative descriptors, which is a method that focuses on the subjective assessment of risk rather than numerical values. This approach involves evaluating the potential impact and likelihood of risks using descriptive terms, such as "high," "medium," or "low." By using qualitative descriptors, organizations can better understand the nature of the risks they face without the need for intricate mathematical or statistical models. This method is particularly useful in early stages of risk assessment when detailed data may not be available. The correct answer emphasizes the importance of understanding risks through qualitative means, allowing for a more generalized overview and facilitating discussion among stakeholders who may lack expertise in quantitative analysis. It helps prioritize risks based on their potential effects on the organization rather than strictly relying on numerical analysis. Other options involve more quantitative approaches or rely on financial metrics and statistical models, which are typically part of quantitative risk analysis, not qualitative. Historical data could inform qualitative assessments but does not define the categorization method in qualitative terms.