Which assessment is carried out when the appropriate amount of data is not available in an organization to assist the risk assessment, and estimates are used to express risk?

The correct answer is qualitative risk assessments because this type of assessment is designed to evaluate risks in environments where quantitative data is scarce or insufficient. Qualitative assessments rely on expert judgment to estimate the likelihood and impact of risks using descriptive categories rather than specific numerical values. This makes them particularly useful when there isn’t enough data available to conduct a detailed quantitative analysis.

In qualitative assessments, risks are typically characterized based on their potential severity and likelihood, often using scales such as high, medium, and low. This allows organizations to prioritize risks and make informed decisions even in the absence of extensive data. By focusing on qualitative descriptions, organizations can effectively communicate and address risks that may not have precise metrics but are still crucial for their security posture.

In contrast, a quantitative risk assessment focuses on numerical estimates and statistical analysis to quantify risks, which is not suitable when specific data is lacking. Security and vulnerability assessments, while important, generally serve different purposes and are not specifically designed to address the scenario of missing data for risk evaluation.