A qualitative risk assessment is based on an individual's perception regarding the probability that a particular risk may occur at a given time, and whether that risk will have a genuine impact on the organization. The key thing to understand about qualitative risk assessments is that they do not utilize any mathematical calculation method to calculate a certain risk. As a result, qualitative risk analysis is relatively easy to perform and is typically the type of risk assessment that is performed by the information security professional.

The qualitative risk assessment provides a method where the information security professional can rank risk on a subjective scale as seen in the following, where risk is ranked high, medium, or low.

Qualitative risk assessments are not as precise as quantitative risk assessments as they do not contain a mathematical component, where you are taking non-subjective risk data to build a numerical score. However qualitative risk assessments are generally favored as they are less expensive to conduct, can be accomplished rapidly, and produce the information necessary for organizational leadership to make a decision rapidly.