A qualitative risk assessment uses numbers or values to categorize risks based on probability and impact. (Quantitative risk assessments use dollar figures to calculate SLE and ALE.)
As an example, terms such as low, medium, and high could be used or the numbers one through ten could be used. The two categories often included in a qualitative risk assessment are probability and impact.
- Probability. The likelihood an event will occur. For example, the probability that an Internet-facing web server will be attacked is close to 100 percent and could be given a numerical value of 10. However, the likelihood that an internal workstation in the library with no Internet access will be attacked through the Internet is very low, so it could be given a numerical value of 1.
- Impact. The negative result of the event occurring. If the web server is down, the impact may be considered significant and given a value of 10. If the library workstation is down, a library patron may be inconvenienced, so it may be given a value of 1.
- Web server. 10 * 10 = 100
- Library computer. 1 * 1 = 1
While these two examples are extreme to show how the model can be used, the model can help identify the priorities in the middle ranges which are more difficult determine.
You can read about quantitative risk assessments here.
Good luck on your Security+ exam!