What is residual risk in cyber security?
Cyber security best practices

Author: Sue Poremba

No matter how good your security system is, your organization will never achieve 100% risk elimination. No matter how well employees are trained in cyber security best practices, people will still make the mistakes that give threat actors access to the network and valuable assets.

Even when you take human behavior into consideration, your security controls can only do so much. What remains after those controls is residual risk, and monitoring for it has to be part of your cyber security program.

What is residual risk in cyber security?

Residual risk is the level of cyber risk remaining after all your security controls are accounted for, any threats have been addressed and the organization is meeting security standards. It's the risk that slips through the cracks of your system. Inherent risk, on the other hand, is the risk when there are no controls in place and organizations have no plan or system to mitigate threats and cyber incidents.

Calling it "residual" makes it seem inconsequential, almost an afterthought. But this is the type of risk that could cause the most trouble for your organization. If you don't factor residual risk in cyber security into your security system, you won't be able to tell what is happening outside your controls. It's the crack in the system that threat actors look for.

Why monitoring residual risk in cyber security is necessary

If your organization is responsible for securing the assets of a third party, monitoring residual risk is a compliance requirement under ISO 27001. It has to be built into your overall risk assessment process to keep not only your corporate assets protected but also those of any international vendors and contractors.

The National Institute of Standards and Technology defines a risk assessment as a process "to identify, estimate, and prioritize risk to organizational operations, organizational assets, individuals, other organizations, and the Nation, resulting from the operation and use of information systems."

A full risk assessment includes assessing residual risk, which is essentially calculated by subtracting the risk reduction your controls provide from the inherent risk. Once you've assessed residual risk, you can move on to managing it. You can avoid the risk by moving the assets to a controlled area or taking them offline; reduce it by adding new controls; protect yourself with cyber risk insurance if you can't conduct regular audits; or simply accept the risk and take responsibility for an incident.
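The calculation and the four treatment options above, worked through on a small constructed risk register as an added example (not code from the article or from Verizon). The 1-5 likelihood and impact scales, the control-effectiveness fraction, the risk appetite threshold and the treatment policy are all assumptions for illustration.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    likelihood: int             # assumed scale: 1 (rare) .. 5 (almost certain)
    impact: int                 # assumed scale: 1 (negligible) .. 5 (severe)
    control_effectiveness: float  # fraction of inherent risk the current controls remove, 0.0 .. 1.0
    further_controls: bool      # can we still add controls that would lower it?
    insurable: bool             # is cyber risk insurance available for it?

    @property
    def inherent(self) -> float:
        # Inherent risk: what you face with no controls at all.
        return float(self.likelihood * self.impact)

    @property
    def control_reduction(self) -> float:
        # The share of inherent risk the existing controls take away.
        return self.inherent * self.control_effectiveness

    @property
    def residual(self) -> float:
        # Residual risk = inherent risk minus the reduction from controls.
        return self.inherent - self.control_reduction


def treatment(risk: Risk, appetite: float) -> str:
    """Assumed treatment policy, in the order the article lists the options."""
    if risk.residual <= appetite:
        return "accept"            # within appetite: accept and own the outcome
    if risk.further_controls:
        return "reduce"            # add new controls
    if risk.insurable:
        return "insure"            # cyber risk insurance when you cannot audit regularly
    return "avoid"                 # move the asset to a controlled area or take it offline


def assess_register(register: list, appetite: float) -> dict:
    """Return name -> (residual score, chosen treatment) for every risk."""
    return {r.name: (r.residual, treatment(r, appetite)) for r in register}


# Constructed sample register; scores are illustrative only.
SAMPLE_REGISTER = [
    Risk("phishing of finance staff", 5, 4, 0.6, further_controls=True, insurable=True),
    Risk("unpatchable legacy server", 3, 5, 0.0, further_controls=False, insurable=False),
    Risk("laptop theft", 2, 3, 0.5, further_controls=True, insurable=True),
]

if __name__ == "__main__":
    for name, (residual, action) in assess_register(SAMPLE_REGISTER, appetite=5.0).items():
        print(f"{name}: residual={residual:.1f} -> {action}")
```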

Cyber security best practices: Resources to manage residual risk

Cyber security best practices include regular cyber security audits, penetration testing and attack simulations that can help your organization determine where you have residual risk. Once you've determined risk and have protocols for response, cyber risk monitoring services can give you visibility into your system and help to identify the gaps and vulnerabilities.

Understanding what residual risk in cyber security is remains only the first step. In the end, how residual risk is handled is up to the organization and how risk averse it wants to be. Nobody will ever achieve 100% security, but with the right residual risk tools in place, you can improve on your security efforts.

Now that you understand the question "What is residual risk in cyber security?", learn more about how Verizon can help you with incorporating cyber security best practices into your operations.