Posted on Dec 21, 2020
When organizations think about risk, they're often thinking about the risk they’d be exposed to without any security controls in place at all: a breach that happens in the absence of cybersecurity controls, for example, or a phishing attack on staff who haven’t been taught to spot fraudulent emails.
But what about the cyber attack that manages to get around existing controls?
Organizations often experience attacks when they have controls in place, and some of those attacks slip through the net of cybersecurity that’s been set up. Think, for example, about an employee who falls for a social engineering attack despite being trained to spot phishing emails, or an attacker who finds a vulnerability despite the fact that products are patched often.
That’s the difference between inherent and residual risk in information security.
When it comes to risk analysis, there are two types of risk.
Inherent risk is the amount of risk that exists in the absence of controls. In other words, before an organization implements any countermeasures at all, the risk they face is inherent risk.
Residual risk is the risk that remains after controls are accounted for. It’s the risk that remains after your organization has taken proper precautions.
Or to think of it another way, you’ve put a fence around your data and networks to keep the risk out, and while that fence is keeping most of the risk out, some can still sneak in. That risk that’s sneaking in, despite your team’s best efforts, is residual risk.
It’s important to note that these definitions can get a little murky. Most organizations today aren’t operating with absolutely no cybersecurity controls in place. The FAIR Institute recommends that companies modify the definitions somewhat, identifying inherent risk as “the current risk level given the existing set of controls.”
In this more realistic scenario, residual risk represents the risks that remain after additional controls are applied.
Understanding residual risk is important from a compliance standpoint: ISO 27001, which allows organizations to manage the security of assets entrusted to them by third parties, requires companies to monitor residual risk. To be compliant with ISO 27001, companies must have residual security checks in place alongside inherent security checks.
On a more basic level, security teams that focus only on inherent risk are missing the full picture when it comes to understanding their organization’s risk profile, and that can lead to poor decisions when it comes to security.
Good security teams know that putting up a fence doesn’t mean you’ve eliminated all risk; that isn’t possible. Some risk always remains. Attackers might hurl themselves against the fence, something small might get through, or something might get over it.
Monitoring and understanding residual risk as well as inherent risk allows security professionals to more quickly and accurately identify potential security threats, and understand how those threats can negatively impact a company and its data. By knowing how and when risks might slip through the fence, a security team or a CISO can confidently respond to risks.
Now that you know what residual risk is, what do you do with it? Once you understand residual risk, it’s time to classify the risk, so your organization knows how to respond.
Much of this work has to do with your organization’s tolerance for risk; if the residual risk is below an acceptable level of risk, your organization doesn’t need to do anything but accept it. If not, the security team will need to find new ways to mitigate the risks, which means you’ll have to reassess your residual risk once the new controls are in place.
In many cases, this will mean a constant recalculation of risk levels and tolerance as organizations understand how much appetite they have for risk and where the gaps are in their security.
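As an added illustration of the accept-or-mitigate loop described above (example code, not from the article or from SecurityScorecard), the following Python risk register computes inherent and residual risk for each entry, compares residual risk with the organization's tolerance, and, where it is exceeded, adds proposed controls one at a time and reassesses. The risk model itself is an assumption: expected annual loss is taken as likelihood times impact, each control removes a fixed fraction of the risk it covers, and independent controls combine multiplicatively. All figures in the sample register are constructed.

```python
"""Residual-risk evaluation loop (constructed example, not from the article).

Model, assumed rather than taken from the article:
  inherent risk  = likelihood * impact            (no controls at all)
  residual risk  = inherent * (1 - combined control effectiveness)
  controls combine as 1 - prod(1 - e_i) for independent controls.
The FAIR-style reading from the article maps onto the same functions:
residual_risk(risk) with no extra controls is the "current risk level given
the existing set of controls"; residual_risk(risk, proposed) is what remains
after additional controls are applied.
"""
from dataclasses import dataclass, field
from typing import Iterable, List, Tuple


@dataclass
class Control:
    name: str
    effectiveness: float  # fraction of the covered risk removed, 0.0..1.0 (assumed)


@dataclass
class Risk:
    name: str
    likelihood: float  # annual probability of the threat event (constructed)
    impact: float  # loss in dollars if the event occurs (constructed)
    controls: List[Control] = field(default_factory=list)  # controls already in place


def combined_effectiveness(controls: Iterable[Control]) -> float:
    """Effectiveness of several independent controls applied together."""
    remaining = 1.0
    for c in controls:
        remaining *= 1.0 - c.effectiveness
    return 1.0 - remaining


def inherent_risk(risk: Risk) -> float:
    """Risk in the absence of any controls (the classic definition)."""
    return risk.likelihood * risk.impact


def residual_risk(risk: Risk, extra_controls: Iterable[Control] = ()) -> float:
    """Risk left after existing controls plus any proposed extra ones."""
    all_controls = list(risk.controls) + list(extra_controls)
    return inherent_risk(risk) * (1.0 - combined_effectiveness(all_controls))


def classify(risk: Risk, tolerance: float) -> str:
    """Accept the risk if it is within tolerance, otherwise it must be mitigated."""
    return "accept" if residual_risk(risk) <= tolerance else "mitigate"


def plan_mitigation(risk: Risk, tolerance: float,
                    candidates: Iterable[Control]) -> Tuple[List[Control], float, bool]:
    """Add candidate controls, strongest first, reassessing after each, until the
    residual risk is within tolerance. Returns (chosen, final residual, within)."""
    chosen: List[Control] = []
    for c in sorted(candidates, key=lambda c: c.effectiveness, reverse=True):
        if residual_risk(risk, chosen) <= tolerance:
            break
        chosen.append(c)
    final = residual_risk(risk, chosen)
    return chosen, final, final <= tolerance


def sample_register() -> List[Risk]:
    """Constructed register: two risks with controls already in place."""
    return [
        Risk("phishing", 0.8, 250_000,
             [Control("awareness training", 0.5), Control("email filtering", 0.6)]),
        Risk("exploit of unpatched host", 0.3, 500_000,
             [Control("patching cadence", 0.7)]),
    ]


if __name__ == "__main__":
    tolerance = 25_000  # constructed risk appetite in dollars of expected annual loss
    proposals = {
        "phishing": [Control("MFA", 0.8), Control("phishing simulations", 0.3)],
        "exploit of unpatched host": [Control("vulnerability scanning", 0.4),
                                      Control("network segmentation", 0.5)],
    }
    for r in sample_register():
        decision = classify(r, tolerance)
        print(f"{r.name}: inherent={inherent_risk(r):,.0f} "
              f"residual={residual_risk(r):,.0f} -> {decision}")
        if decision == "mitigate":
            chosen, final, ok = plan_mitigation(r, tolerance, proposals[r.name])
            names = ", ".join(c.name for c in chosen)
            print(f"  add [{names}] -> residual={final:,.0f} within tolerance={ok}")
```

With the constructed figures, both risks sit above the tolerance after existing controls, and each comes within tolerance after one additional control; the point of the loop is that the residual figure is recomputed after every change rather than assumed from the inherent one.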
SecurityScorecard’s security ratings platform can help companies monitor the changing nature of threats and help them recalibrate their risk levels by continuously monitoring an organization’s IT ecosystem. Our security ratings provide easy-to-read A-F security ratings that show you, at a glance, what your organization’s security posture looks like in 10 categories of risk factors: IP reputation, DNS health, endpoint security, network security, patching cadence, web application security, social engineering, hacker chatter, and information leakage.
If a score drops in any area, you’ll receive a real-time notification, allowing your security team to reevaluate your risks, your controls and make better decisions to protect your data and networks.