Organizations can use various approaches to manage potential and current risks. The available strategies fall into two groups, qualitative and quantitative, and the two differ significantly. On the one hand, quantitative assessment is “an asset valuation approach that attempts to assign absolute numerical measures” (Whitman & Mattord, 2018, p. 306). In other words, this management approach relies on actual values and estimates; popular examples include cost-benefit analysis and the annual rate of occurrence, among others. On the other hand, qualitative assessment uses categorical or non-numeric values to manage risks (Whitman & Mattord, 2018). Benchmarking and baselining, among others, are common examples of qualitative risk management. When it comes to the annual rate of occurrence, one can either assign a specific value (quantitative approach) or enumerate possible risks and rate them using scales (qualitative strategy). This contrast is the most evident difference between the two risk management strategies under analysis.
As far as my opinion is concerned, I do not think that any of these approaches can be considered better or worse. I believe that their effectiveness depends on many factors, and it can be more suitable to rely on qualitative approaches in some cases, but quantitative strategies can be better in others. For example, an organization should use quantitative risk management when this business can deal with precise numerical values and figures. However, the given approach will be useless if it is impossible to generate numerical data. In this case, qualitative risk management strategies can produce suitable outcomes. Consequently, this information demonstrates that quantitative and qualitative risk management principles are different and used in various circumstances, meaning that it is impossible to state which approach is better.
Reference
Whitman, M. E., & Mattord, H. J. (2018). Principles of information security (6th ed.). Cengage Learning.