Inherent and Residual Cybersecurity Risk Explained

Blog / Inherent and Residual Cybersecurity Risk Explained

Inherent and Residual Cybersecurity Risk Explained

For businesses and organisations, there is a difference between the cybersecurity risks posed without security controls in place, and the risks with them. 

Inherent and residual risk is what defines this difference. 

Inherent risk is the risk without any security controls in place and with no attempt at mitigation. 

This would be the risk for an organisation without any countermeasures in place to combat potential risk. 

For the vast majority of organisations, the inherent risk is unlikely to be the actual risk as they will have some form of countermeasures and security in place. 

Therefore, focus should instead be put on residual risk. This is the risk that remains after security controls have been implemented and precautions have been put in place. 

An example would be risk of a malware infection. The inherent risk would be that the malware infects the device or network, potentially stealing information and enabling other malicious software to be installed. The residual risk, however, would factor in anti-malware protection and training, as well as other preventative measures. As a result, the risk of malware infection (residual risk) is likely to be lower than the inherent risk. 

Even when appropriate countermeasures have been implemented to combat cybersecurity risk, there will inevitably still be some risk present. It is important that businesses know how to handle this residual risk. 

Handling residual risk 

Firstly, managing residual risk is important for compliance. The ISO 27001 regulations require companies to monitor residual risk. 

On a more general level, a company that understands its residual risk is likely to be better prepared to focus resources where they are most required. 

Putting security controls in place to combat cybersecurity risk in place can be thought of as like building a wall. The wall will stop many different threats, but unfortunately, the wall is likely to not be impenetrable.  

However, through understanding residual risk, businesses can know how and when their walls may be breached, and so the cybersecurity team can be ready to confidently respond. 

In order to best handle risk, organisations should consider their ‘risk appetite’. This covers, assuming the fact that some level of risk is inevitable, what the acceptable level of risk is; how big is a company’s appetite for risk? 

The risk appetite can be calculated with a graph that considers both frequency and impact. If the impact could be catastrophic and the chance of it occurring is more frequent, this risk would be considered unacceptable, and countermeasures must be put in place. On the other hand, if the chance of a particular risk is more infrequent, and the potential impact is likely to be minimal, the risk would be considered more acceptable. 

In the real world, most businesses are unlikely to have huge budgets to spend on cybersecurity issues. Therefore, understanding a company’s residual risk, and specifically where the priorities are to combat risk, can be the most effective solution. 

Through evaluating individual residual risks, organisations can decide what the best course of action should be. This may result in additional controls being implemented. New or modified countermeasures may be required to reduce risk levels to an acceptable level. 

On the other hand, evaluation may indicate that no further action should be taken. This could be because the organisation has decided the risk is at an acceptable level. Alternatively, it may also be decided that no further action should be taken as the cost and/or effort necessary is too high to be justifiable. 

When addressing residual risk, organisations should consider the following factors: 

  • Identify relevant requirements (governance, risk and compliance) 
  • Acknowledge existing risks 
  • Strengths and weaknesses of the organisation’s control framework 
  • The organisation’s risk appetite 
  • Options available for combatting unacceptable residual risks 

Securiwiser’s risk monitoring tool presents its users with a digestible report on the biggest vulnerabilities an organisation has by providing higher scores to different risk factors. This allows you to perform a residual risk assessment on which aspects of your cybersecurity posture are adequately protected and which are not. From there you can decide where action should be taken. Try it for free today.

How secure is

your business?

Security test
How secure is

your business?

Security test