quantitative risk assessment [English]
n. ~ A process that estimates the impact on a numerical measure (such as monetary value or price-earnings ratio) based on the likelihood and severity of some risk.
"The meaning and proportionality of values are maintained inside and outside the context of assessment" (NIST Joint Task Force Transformation Initiative, 2012, B-8 ).
- Business Dictionary 2014 (†539 s.v. "quantitative risk assessment"): Use of measurable, objective data to determine asset value, probability of loss, and associated risk(s).
- NIST Risk Assessment 2012 (†482 s.v. "quantitative assessment", p. B-8): Use of a set of methods, principles, or rules for assessing risks based on the use of numbers where the meanings and proportionality of values are maintained inside and outside the context of the assessment.
- Kouns and Minoli 2010 (†404 ): The goal of using pure quantitative methods in all circumstances is impractical due to the shortage of reliable data on incidents (probabilities and impacts), although they are potentially useful in some more narrowly defined situations. . . . One solution is to use quick/simple qualitative risk assessments followed by risk analyses on selected high-risk areas using more detailed qualitative or quantitative methods. ¶ Quantitative risk analysis: One assigns precise monetary values to the possible outcomes of risk exposures and then computed an expected value based on a probability distribution that such exposure resulted in actual damage. (†887)
- Lemieux 2004 (†405 ): A quantitative risk measurement may also be used to express the assessed level of risk. For example, the value of the resources that would be lost if the risk were to occur is a quantitative risk measurement. The UK Office of Commerce advises using quantitative analysis only if the information forms an important support to decisions on responding to the risk. (†885)
- Wikipedia (†387 s.v. IT risk management): Purely quantitative risk assessment is a mathematical calculation based on security metrics on the asset (system or application). For each risk scenario, taking into consideration the different risk factors a Single loss expectancy (SLE) is determined. Then, considering the probability of occurrence on a given period basis, for example the annual rate of occurrence (ARO), the Annualized Loss Expectancy is determined as the product of ARO X SLE. It is important to point out that the values of assets to be considered are those of all involved assets, not only the value of the directly affected resource. (†1037)