This post was originally published by (ISC)² Management.
The Language of Profit and Loss
Security professionals spend a lot of time honing their area of expertise. Your strength could be in packet analysis, or programming…maybe you are at your best in the realm of security engineering, or pentesting. Or, you may have the best technical skills, but when it comes to obtaining a budget for a project or a new security tool, you need to understand and explain the difference between likelihood, and probability.
Why is this important? This is important because the language of business is based on profits and loss, and that component is key to your progress. How can you describe the need for a new security initiative that makes the point to the people who will fund the venture?
The best way to advance your cause is through quantitative, or qualitative analysis. Specifically, how likely, or how probable an event will occur. As the CISSP Common Body of Knowledge (CBK) describes it, “Likelihood is relevant to qualitative analysis, and probability relates to quantitative.” Some dictionaries don’t make this fine distinction, treating likelihood and probability synonymously, however this is unwise when working in security.
What’s the Difference?
A simple way to remember the difference is that qualitative analysis deals with quality, and quantitative analysis deals with quantities.
Quality = Likelihood measurement
Quantity = Probability measurement
Many treat qualitative analysis as less reliable than quantitative because there are no hard numbers when using qualitative examinations.
When working in risk management, qualitative analysis is usually in order. This is commonly represented by a table showing a risk event against its likelihood and impact. For example, one method that was presented many years ago showed how a qualitative risk analysis was equal for erecting a building against earthquakes was equal for New York and San Francisco.
Read more here: https://blog.isc2.org/isc2_blog/