Sunday, December 18, 2016

Definition of Residual Risk

Even when vulnerabilities have been controlled as much as possible, there is often still some risk that has not been completely removed, shifted, or planned for. This remainder is called residual risk. To express it another way, “residual risk is a combined function of (1) a threat less the effect of threat-reducing safeguards, (2) a vulnerability less the effect of vulnerability-reducing safeguards, and (3) an asset less the effect of asset value-reducing safeguards.” [22] Figure 4-10 illustrates how residual risk remains after safeguards are implemented.

The significance of residual risk must be judged within the context of the organization. Although it is counterintuitive, the goal of information security is not to bring residual risk to zero; it is to bring residual risk into line with an organization’s comfort zone or risk appetite. If decision makers have been informed of uncontrolled risks, and the proper authority groups within the communities of interest have decided to leave residual risk in place, the information security program has accomplished its primary goal.