Qualitative IT risk metrics and indicators are based on descriptive data that can be observed, evaluated, and compared subjectively. They can provide rich and contextual information about the nature, cause, and impact of a risk or the relevance, adequacy, and maturity of a control. Examples of qualitative IT risk metrics and indicators are: risk categories, risk sources, risk drivers, risk scenarios, risk ratings, control objectives, control attributes, control assessments, control gaps, and control recommendations. Qualitative IT risk metrics and indicators can help to identify risks, assess controls, understand root causes, design solutions, and improve awareness.
However, qualitative IT risk metrics and indicators also have some challenges and limitations. They can be vague and ambiguous, as they rely on subjective judgments, opinions, and perceptions that may vary across different stakeholders, perspectives, and situations. They can be influenced by cognitive biases, such as anchoring, confirmation bias, overconfidence, or the availability heuristic. They can also be difficult to aggregate, compare, and standardize, as they may use different scales, criteria, and methods. Moreover, they can be insufficient or ineffective if they are not supported by evidence, data, and facts, or if they are not validated, verified, and updated regularly.