(ISC)2 Certified in Cybersecurity Practice Exam

What type of risk assessment uses subjective ratings to evaluate likelihood and impact?

• A. Quantitative Risk Assessment
• B. Qualitative Risk Assessment
• C. Statistical Risk Assessment
• D. Comprehensive Risk Assessment

The correct answer is: Qualitative Risk Assessment

The choice of a qualitative risk assessment is fitting because this approach relies on subjective ratings to assess the likelihood of risks occurring and their potential impacts. In qualitative risk assessments, factors such as expert judgment, experience, and intuition come into play, allowing practitioners to rank risks based on their probability and severity without relying solely on numerical data. This method is particularly useful in situations where it may be difficult to assign precise numerical values due to a lack of specific data or where the nature of the risks is better captured through descriptive scales (for example, categories like "low," "medium," and "high"). Qualitative assessments often incorporate discussions and brainstorming sessions among professionals to reach a consensus on the ratings. In contrast, other types of assessments, like quantitative risk assessments, involve a more data-driven approach, focusing on numerical values and statistics to measure risks. Statistical assessments also rely heavily on data analysis but involve advanced statistical techniques, while comprehensive assessments encompass a broader evaluation that may integrate both qualitative and quantitative elements, but it does not specifically indicate the use of subjective ratings.