Qualitative and Quantitative Research Methods in Information Security

Qualitative and Quantitative Research Methods in Information Security

Name:

Institution:

Qualitative and Quantitative Research Methods in Information Security

Difference between qualitative and quantitative research methods related to information security

Qualitative research is based mostly on description while quantitative research primarily focuses on measurements. Qualitative research mostly includes interpretative techniques that describe, decode, and translate meaning. It can be used in data collection and analysis. the data collection techniques used in qualitative research include focus groups, group interviews, observation, case studies, ethnography, action research, and grounded theory. Other tools and techniques used in qualitative research include debriefings, trace evidence, artifacts, behavioral observation, and textual analysis. Quantitative research refers to the specific frequency of behavior, attitude, knowledge, or opinion. Surveys are the most commonly used method in this approach. This research method is often used in testing theory. On the other hand, qualitative research is often used to develop but not to test theory.

The focus of quantitative research is to offer explanations and descriptions and the research involvement tends to be limited and controlled. The research designs used in the two approaches are different. The designs used in qualitative design are longitudinal and multi-method. On the other hand, quantitative research uses cross sectional/longitudinal and single method designs. Samples in quantitative research are often large. Data analysis in qualitative research comprises of human judgment with a combination of facts. There is a strong emphasis on themes. On the other hand, data analysis in quantitative research comprises of computerized analysis. The main emphasis is on counts or frequency.

On matters concerning information security, qualitative research will mostly depend on judgment, experience, and intuition to assess problems and identify possible solutions. This will involve using interviews, group sessions, and questionnaires to determine the extent of a problem. On the other hand, quantitative research will opt to use mathematical formulas and other calculations. Qualitative risk analysis depends on the availability of good data. This will ensure effective performance of information security risk. Risks cannot be quantified in exact measures and precise terms when using qualitative research. They are often subjective and they depend on the perception of the analyst. This means that a person can have different interpretations of the same problems and come up with different solutions of solving it.

Qualitative methods tend to be easy to understand and implement but they are uncertain. On the other hand, using quantitative approach enables a person to make certain specific choices. For instance, it is possible to determine the exact step to take after performing a cost benefit analysis. This enables better estimation of the probability of losses or benefits. Using quantitative research is beneficial as it allows one to obtain an accurate image of the occurring risk. This differs from using qualitative research, which is mostly based on probabilities and assumptions.

Qualitative research is relatively cheaper than quantitative research. It is easier to obtain data and perform analysis. On the other hand, quantitative research tends to be more expensive because it requires deeper analysis of data and more advanced tools for collection and analysis. Moreover, it is more complex. Quantitative methods in research enable an organization to take straightforward measures towards solving problems and they are objective. This ensures that the company does not waste resources since they are sure of the exact problem (Vanderburg, 2013). On the other hand, they require expertise and a lot of work in data analysis. While qualitative methods may take some time, they are cheaper to implement and easier to analyze.

Use of qualitative research in information security

Qualitative research can be used to determine the probability that a disaster can occur and establish the consequences of the disaster. Qualitative research methods are the most commonly used when determining the impact of risk. It rates the magnitude of the potential impact of a threat on low, medium, or high. Qualitative methods make it easier to understand the level of potential and actual risk. This is because the methods used are easy to understand and use. Moreover, they enable a person to identify and evaluate all the important areas of risk. Qualitative research helps to identify the information security goals, formulate and determine the organization’s objective, and structure the security goals (Manish, 2012). An organization cannot undertake these tasks if it relies on quantitative research methods.

The elements used in this research are interrelated and they include threats, vulnerabilities, and controls. Threats are the things that can attack a system. They can include theft or loss of the system and data as well as malicious code such as virus, worm, spyware, Trojan horse, and others. Vulnerabilities increase the chances of a system being attacked. They can also increase the chances of impact once a system is attacked. For instance, lack of antivirus software or encryption makes a system more vulnerable to attacks. Vulnerability increases if passwords and other control measures are not used. In addition, systems are more vulnerable of they do not have physical and technical security features. Systems are more vulnerable if anyone can access them. Restriction or controls decrease the chances of probability of intentional attacks. Controls can counter attacks, reduce their impact, and ensure that the system is secure. Other uses include prevention and detection of threats. Controls can deter threats and they can help to retrieve and recreate the stolen data (Walsh, 2011).

References:

Manish, G. (2012). Threats, countermeasures, and advances in applied information security. Hershey, PA: IGI Global

Vanderburg, E. (2013). Criteria for selecting an information security risk assessment methodology: Qualitative, quantitative, or mixed. Retrieved from http://jurinnov.com/criteria-for-selecting-an-information-security-risk-assessment-methodology-qualitative-quantitative-or-mixed/

Walsh, T. (2011). Security risk analysis and management: An overview. Retrieved from http://library.ahima.org/xpedio/groups/public/documents/ahima/bok1_048622.hcsp?dDocName=bok1_048622