Even when vulnerabilities have been controlled as much as possible, there is often still some risk that has not been completely removed, shifted, or planned for. This remainder is called residual risk. To express it another way, “residual risk is a combined function of (1) a threat less the effect of threat-reducing safeguards, (2) a vulnerability less the effect of vulnerability-reducing safeguards, and (3) an asset less the effect of asset value-reducing safeguards.”22 Figure 4-10 illustrates how residual risk remains after safeguards are implemented.

The significance of residual risk must be judged within the context of the organization. Although it is counterintuitive, the goal of information security is not to bring residual risk to zero; it is to bring residual risk into line with an organization’s comfort zone or risk appetite. If decision makers have been informed of uncontrolled risks and the proper authority groups within the communities of interest have decided to leave residual risk in place, the information security program has accomplished its primary goal.
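The three-part definition above can be turned into a small model that scores each asset and flags those whose residual risk still sits above the organization’s risk appetite. This is an added example, not code from the textbook; it assumes a multiplicative combination of the three residual factors (the text only says “combined function”), and the portfolio and appetite values are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Factor:
    """One of the three risk components and the safeguards that reduce it."""
    raw: float               # threat/vulnerability likelihood in [0, 1], or asset value
    safeguard_effect: float  # fraction of the raw factor removed by safeguards, in [0, 1]

    def residual(self) -> float:
        # "less the effect of safeguards": clamp so an over-counted control
        # never yields a negative or inflated factor
        effect = min(max(self.safeguard_effect, 0.0), 1.0)
        return self.raw * (1.0 - effect)


@dataclass(frozen=True)
class AssetRisk:
    name: str
    threat: Factor
    vulnerability: Factor
    asset: Factor

    def residual_risk(self) -> float:
        # Assumed multiplicative combination of the three residual factors
        return (self.threat.residual()
                * self.vulnerability.residual()
                * self.asset.residual())


def exceeding_appetite(risks, appetite: float) -> list[str]:
    """Names of assets whose residual risk is still above the risk appetite."""
    return [r.name for r in risks if r.residual_risk() > appetite]


# Constructed sample portfolio (values are illustrative, not from the source)
PORTFOLIO = [
    AssetRisk("customer-db",
              Factor(0.8, 0.5),       # threat halved by monitoring and deterrence
              Factor(0.6, 0.5),       # vulnerability halved by patching
              Factor(100_000, 0.2)),  # breach value cut by encryption / data minimisation
    AssetRisk("public-web",
              Factor(0.9, 0.0),       # no threat-reducing safeguard
              Factor(0.5, 0.8),       # vulnerability largely closed by hardening
              Factor(20_000, 0.0)),
]
RISK_APPETITE = 5_000  # constructed: maximum acceptable residual risk per asset

if __name__ == "__main__":
    for r in PORTFOLIO:
        print(f"{r.name}: residual risk {r.residual_risk():.0f}")
    print("above appetite:", exceeding_appetite(PORTFOLIO, RISK_APPETITE))
```

Assets that remain above the appetite are the ones decision makers must either treat further or consciously accept, which is the decision the paragraph describes.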