How Do We Analyze and Describe Risk?
Updated: Dec 20, 2019
Many pages of the book and this website are dedicated to risk analysis but, at an introductory level, for the moment, lets just say that risk is usually described and analyzed using one of three approaches:
Qualitative: Low, Medium, High or a similar descriptive ranking. (See for example: Threat Tolerance)
Semi-quantitative: This might take the form of an ordinal ranking such as a 1to 5 scale with some form of descriptive overview of broad categorization (Eg:$10,000 to $100,000 or 25% to 50%). See: Likelihood And Consequence Tables.
Quantitative: This is often expressed as a ratio, percentage, 0.0 to 1.0 for probability calculation, frequencies (eg:lost time injuries per 100,000 person-hours worked), financial amounts, or similar quantitative data.
You can find a bit more about risk analysis in some of my other books, as well as HB167 Security Risk Management Handbook and IEC 31010 Risk management — Risk assessment techniques.
You can also find a couple of articles on this topic in the First Edition (so far only edition) of the Security Risk Management Aide-Mémoire (SRMAM).