A risk analysis method that combines numeric elements with expert judgement. It sits between purely qualitative scoring and full statistical modelling, which makes it useful when security teams need more consistency than opinions alone but lack enough data for precise quantification.
Expanded Definition
Semi-quantitative analysis is used when teams need risk decisions that are more repeatable than free-form judgement, but cannot support fully quantitative modelling with dependable loss data. In practice, it assigns bounded scores, bands, or weighted factors to assets, threats, vulnerabilities, and business impact, then combines those inputs into an overall risk view. The method is common in cybersecurity, governance, and resilience work because it can be applied consistently across many scenarios without pretending that every input is measured with statistical precision.
The key distinction is that semi-quantitative analysis is not just “qualitative with numbers.” Good practice requires a defined scale, a documented scoring method, and a clear explanation of how expert judgement is applied. That makes it closer to a controlled decision framework than to an ad hoc workshop exercise. NIST control baselines and assessment language are often used to support this discipline, especially where NIST SP 800-53 Rev 5 Security and Privacy Controls is used to anchor risk treatment to specific safeguards.
The most common misapplication is treating semi-quantitative scores as if they were precise measurements, which occurs when organisations compare totals from different scoring models without validating that the underlying scales mean the same thing.
Examples and Use Cases
Implementing semi-quantitative analysis rigorously often introduces scoring consistency overhead, requiring organisations to balance faster triage against the effort needed to calibrate expert judgement and maintain repeatable criteria.
- Security risk registers use a 1 to 5 scale for likelihood and impact, then apply weighting to reflect criticality, regulatory exposure, or operational dependency.
- Third-party risk teams score supplier controls by category, combining technical findings, contractual exposure, and service sensitivity into a single prioritised review queue.
- Cloud security teams use bounded ratings to compare misconfiguration scenarios across workloads when full incident data is unavailable, then map results to control gaps in the NIST control structure.
- Identity teams apply semi-quantitative methods to rank authentication and access risks, especially where privileged accounts, session controls, and compensating safeguards must be compared without hard loss figures.
- Boards and risk committees use banded scoring to decide whether a risk is acceptable, needs treatment, or should be escalated, while documenting the assumptions behind each score.
Where organisations work with identity-heavy environments, the method is especially useful for comparing access abuse scenarios, service account exposure, and control weakness across environments with different maturity levels.
Why It Matters for Security Teams
Semi-quantitative analysis matters because it creates a common language for prioritisation without requiring false precision. Security teams often face an imbalance between abundant control data and scarce incident data, so a structured scoring model helps them compare risks, justify treatment, and communicate with leadership in a way that is easier to audit than informal judgement. It is particularly useful when teams need to connect threat scenarios to safeguards, because the resulting scores can be tied back to control families, ownership, and remediation plans.
The main governance risk is inconsistency. If two assessors interpret the same score differently, the output becomes politically useful but operationally weak. That problem is amplified in identity and NHI contexts, where service accounts, API keys, and agentic AI permissions can change rapidly and create risk profiles that are easy to understate. Semi-quantitative methods help teams compare those exposures, but only when the scoring model is documented and periodically recalibrated.
Organisations typically encounter the limits of semi-quantitative analysis only after a major review challenge, audit finding, or risk dispute, at which point the scoring model becomes operationally unavoidable to defend.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack surface, NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST SP 800-63 set the technical controls, and ISO/IEC 27001:2022 define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | GV.RM | Risk management governance in CSF 2.0 supports structured, repeatable risk scoring. |
| NIST SP 800-53 Rev 5 | RA-3 | Risk assessment control families align with semi-quantitative evaluation of likelihood and impact. |
| ISO/IEC 27001:2022 | ISO 27001 requires repeatable risk assessment and treatment processes, often implemented semi-quantitatively. | |
| NIST SP 800-63 | Digital identity assurance decisions often use structured risk judgement when data is incomplete. | |
| OWASP Non-Human Identity Top 10 | NHI risk scoring often uses semi-quantitative methods to rank secrets, tokens, and service identities. |
Apply consistent scoring to identity-related risk scenarios and align outcomes to assurance needs.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org