More Than Likely, Or Less Than Probable: Is a truly quantitative security analysis possible?

More Than Likely, Or Less Than Probable: Is a truly quantitative security analysis possible?

The Language of Profit and Loss


Security professionals spend a lot of time honing their area of expertise. Your strength could be in packet analysis, or programming…maybe you are at your best in the realm of security engineering, or pentesting. Or, you may have the best technical skills, but when it comes to obtaining a budget for a project or a new security tool, you need to understand and explain the difference between likelihood, and probability.


Why is this important? This is important because the language of business is based on profits and loss, and that component is key to your progress. How can you describe the need for a new security initiative that makes the point to the people who will fund the venture?


The best way to advance your cause is through quantitative, or qualitative analysis. Specifically, how likely, or how probable an event will occur. As the CISSP Common Body of Knowledge (CBK) describes it, “Likelihood is relevant to qualitative analysis, and probability relates to quantitative.” Some dictionaries don’t make this fine distinction, treating likelihood and probability synonymously, however this is unwise when working in security.


What’s the Difference?


A simple way to remember the difference is that qualitative analysis deals with quality, and quantitative analysis deals with quantities.


Quality = Likelihood measurement


Quantity = Probability measurement


Many treat qualitative analysis as less reliable than quantitative because there are no hard numbers when using qualitative examinations.


When working in risk management, qualitative analysis is usually in order. This is commonly represented by a table showing a risk event against its likeli ..

Support the originator by clicking the read the rest link below.