The CXOWARE Blog

Welcome to the CXOWARE blog. We hope you’ll join us for lively and good natured discussion about risk and risk issues!  We’re risk geeks, plain and simple. We’re big advocates of the Factor Analysis of Information Risk (FAIR) framework for quantifying risk.

Underneath it all...

By: john.coleman

by: Jack Jones

Many times when I’ve been in a debate with someone about qualitative vs. quantitative superiority, something like the following dialog takes place:

Me: When you use the term “Medium Risk”, what do you mean?

Them: Well, the event is only moderately likely and/or would only have moderate effect.

Me: When you say “moderately likely”, what does that mean?

Them: It could happen, but not too often, or it isn’t certain.

Me: By “not too often”, do you mean a couple of times a year? Every other year? Something like that?

Them: Yeah, maybe something like that.

Me: Aren’t those quantitative values?

Them: ....

It gets even more fun when we start talking about impact.

The bottom line is that I have yet to run into someone who isn’t thinking quantitatively even when they’re applying qualitative terms. They just don’t realize (or admit) it.

Just sayin’...

About The Author