Quoting Meritt James ([EMAIL PROTECTED]):

> An interesting distinction between finding and analysis for qualitative
> and quantitative risk analysis may be (and often is) made. The CIS FRAP,
> for example, is a qualitative system. A number of the software risk
> analysis packages claim to be quantitative, but an inspection of (all the
> ones I have looked into) seems lacking in statistical rigor and
> justification for numerous operations and selections of defaults.
Without a broad knowledge base (which would then imply an ASP-based solution), qualification is bound to be statistically and practically incorrect. ASP-based, because I don't really know anyone who'd be willing to store a couple of terabytes of indexed incident and risk data on a hard disk.
