Skip to main content
Security Scorecard

Inherent Risk vs. Residual Risk: What’s the Difference?

Posted on December 21st, 2020

When organizations think about risk, they're often thinking about the risk they’d be exposed to without any security controls in place at all; a breach that happens in the absence of cybersecurity controls, for example, or a phishing attack on a staff that hasn’t been taught to spot fraudulent emails.

But what about the cyberattack that manages to get around existing controls?

Organizations often experience attacks when they have controls in place, and some of those attacks slip through the net of cybersecurity that’s been set up. Think, for example, about an employee who falls for a social engineering attack despite being trained to spot phishing emails or an attacker who finds a vulnerability despite the fact that products are patched often.

That’s the difference between inherent and residual risk in information security.

Inherent risk vs. residual risk

When it comes to risk analysis, there are two types of risk.

Inherent risk is the amount of risk that exists in the absence of controls. In other words, before an organization implements any countermeasures at all, the risk they face is inherent risk.

Residual risk is the risk that remains after controls are accounted for. It’s the risk that remains after your organization has taken proper precautions.

Or to think of it another way, you’ve put a fence around your data and networks to keep the risk out, and while that fence is keeping most of the risk out, some can still sneak in. That risk that’s sneaking in, despite your team’s best efforts, is residual risk.

It’s important to note that these definitions can get a little murky. Most organizations today aren’t operating with absolutely no cybersecurity controls in place. The FAIR Institute recommends that companies modify the definitions somewhat, identifying inherent risk as “the current risk level given the existing set of controls.”

In this more realistic scenario, residual risk represents the risks that remain after additional controls are applied.

Why is residual risk important?

Understanding residual risk is important from a compliance standpoint; the ISO 27001 regulations — which allows organizations to manage the security of assets that are entrusted to an organization by third parties — require companies to monitor residual risk. To be compliant with ISO 27001, companies must have residual security checks in place alongside inherent security checks.

On a more basic level, security teams that focus only on inherent risk are missing the full picture when it comes to understanding their organization’s risk profile, and that can lead to poor decisions when it comes to security.

Good security teams know that just because you’ve put up a fence, doesn’t mean that you’ve eliminated all risk; something that isn’t possible. Some risk always remains. Attackers might hurl themselves against the fence, something small might get through, or maybe something will get over the fence.

Monitoring and understanding residual risk as well as inherent risk allows security professionals to more quickly and accurately identify potential security threats, and understand how those threats can negatively impact a company and its data. By knowing how and when risks might slip through the fence, a security team or a CISO can confidently respond to risks.

Managing residual risk

Now that you know what residual risk is, what do you do with it? Once you understand residual risk, it’s time to classify the risk, so your organization knows how to respond.

Much of this work has to do with your organization’s tolerance for risk; if the residual risk is below an acceptable level of risk, your organization doesn’t need to do anything but accept it. If not, the security team will need to find new ways to mitigate the risks, which means you’ll have to reassess your residual risk once the new controls are in place.

In many cases, this will mean a constant recalculation of risk levels and tolerance as organizations understand how much appetite they have for risk and where the gaps are in their security.

How can SecurityScorecard help?

SecurityScorecard’s security ratings platform can help companies monitor the changing nature of threats and help them recalibrate their risk levels by continuously monitoring an organization’s IT ecosystem. Our security ratings provide easy-to-read A-F security ratings that show you, at a glance, what your organization’s security posture looks like in 10 categories of risk factors: IP reputation, DNS health, endpoint security, network security, patching cadence, web application security, social engineering, hacker chatter, and information leakage.

If a score drops in any area, you’ll receive a real-time notification, allowing your security team to reevaluate your risks, your controls and make better decisions to protect your data and networks.

Return to Blog
Join us in making the world a safer place.