At what point in the risk management process is residual risk determined?

They could not get comfortable with the current state of their control environment without having a firm grasp on the assessed inherent risk for that scenario. This stemmed from their experience in conducting risk assessments where the first step is to identify the inherent risk, then factor in controls to arrive at residual risk.   

Here are the standard definitions of the two concepts:

  • Inherent risk represents the amount of risk that exists in the absence of controls.
  • Residual risk is the amount of risk that remains after controls are accounted for.

Sounds straightforward. But these two terms seem to fall apart when put into practice. 

Applying the above definitions to the client’s scenario revealed that the “inherent” risk being described was not a “no controls” environment, but one that excluded only some of the controls.

The flaw with inherent risk is that, as the term is used in practice, it rarely makes explicit which controls are being included or excluded.

A truly inherent risk state, in our example, would assume that no employee background checks or interviews are conducted and that no locks exist on any doors. Under that assumption almost any risk scenario would be evaluated as inherently high, so inherent risk defined this way can be quite arbitrary.

According to Jack Jones, author of Measuring and Managing Information Risk: A FAIR Approach and creator of the FAIR model, much more realistic and useful definitions would be:

  • Inherent risk is the current risk level given the existing set of controls, rather than the hypothetical notion of an absence of any controls.
  • Residual risk would then be whatever risk level remains after additional controls are applied.

How FAIR can help  

Applying the FAIR model to risk analyses such as the scenario described above can remove the ambiguity around the “no controls” notion of inherent risk, because the model forces you to explicitly identify and evaluate the key controls in the current-state environment.

Specifically, when measuring the current level of risk for a given scenario, each control is factored into either the frequency side or the magnitude side of the model according to its nature (avoidance, deterrent, response, etc.). Doing so makes you more intentional about which controls you choose to include in or exclude from your analysis, and ultimately lets you identify which controls appear to have the greatest effect on the loss scenario.

When organizations think about risk, they're often thinking about the risk they’d be exposed to without any security controls in place at all: a breach that happens in the absence of cybersecurity controls, for example, or a phishing attack on staff that hasn’t been taught to spot fraudulent emails.

But what about the cyberattack that manages to get around existing controls?

When it comes to risk analysis, there are two categories of risk to consider: inherent risk and residual risk. Let’s take a closer look.

What is inherent risk?

Inherent risk is the amount of risk that exists in the absence of controls. In other words, before an organization implements any countermeasures at all, the risk they face is inherent risk.

What is residual risk?

Residual risk is the risk that remains after controls are accounted for. It’s the risk that remains after your organization has taken proper precautions.

Inherent risk vs. residual risk: What’s the difference?

Organizations often experience attacks while they have controls in place, and some of those attacks slip through the net of cybersecurity that’s been set up. Think, for example, of an employee who falls for a social engineering attack despite being trained to spot phishing emails, or an attacker who finds a vulnerability even though products are patched regularly.

That’s the difference between inherent and residual risk in information security.

Or to think of it another way, you’ve put a fence around your data and networks to keep the risk out, and while that fence is keeping most of the risk out, some can still sneak in. That risk that’s sneaking in, despite your team’s best efforts, is residual risk.

It’s important to note that these definitions can get a little murky. Most organizations today aren’t operating with absolutely no cybersecurity controls in place. The FAIR Institute recommends that companies modify the definitions somewhat, identifying inherent risk as “the current risk level given the existing set of controls.”

In this more realistic scenario, residual risk represents the remaining risks once additional controls are applied.

Why is inherent risk important?

Understanding inherent risks and their impact helps security teams identify which cybersecurity controls will be most effective against the existing level of risk and the risk factors associated with your business. Without a firm grasp of the inherent risks your business faces, you cannot successfully mitigate them or prevent new threats and vulnerabilities from emerging. Understanding the inherent risks of your business is the first step in developing a successful cybersecurity program.

Why is residual risk important?

Understanding residual risk is important from a compliance standpoint: the ISO 27001 standard, which helps organizations manage the security of assets entrusted to them by third parties, requires companies to monitor residual risk. To be compliant with ISO 27001, companies must assess residual risk alongside inherent risk.

On a more basic level, security teams that focus only on inherent risk are missing the full picture when it comes to understanding their organization’s risk profile, and that can lead to poor decisions when it comes to security.

Good security teams know that putting up a fence doesn’t mean you’ve eliminated all risk; that isn’t possible. Some risk always remains. Attackers might hurl themselves against the fence, something small might slip through it, or something might get over it.

Continuously monitoring and understanding residual risk as well as inherent risk allows security professionals to more quickly and accurately identify potential security threats, and understand how those threats can negatively impact a company and its data. By knowing how and when risks might slip through the fence, a security team or a CISO can confidently respond to risks.

What is an example of residual risk?

As we mentioned above, residual risk refers to the risk that exists even after you have implemented the cybersecurity controls you intend to use for your business.

An example of this is a company policy requiring employees to use passwords that meet complexity and character requirements. You can strengthen this policy by requiring employees to change these passwords on a regular basis. While this could reduce the likelihood of cybercriminals figuring out employee passwords, residual risk remains if employees simply alternate between the same set of passwords.

It’s up to your business to decide if this is the kind of residual risk you are willing to accept.

How to manage residual risk

Now that you know what residual risk is, what do you do with it? Once you understand residual risk, it’s time to classify the risk, so your organization knows how to respond.

Much of this work has to do with your organization’s tolerance for risk: if the residual risk is below the acceptable level, your organization doesn’t need to do anything but accept it. If not, the security team will need to find new ways to mitigate the risk, which means you’ll have to reassess the residual risk once the new controls are in place.

In many cases, this will mean a constant recalculation of risk levels and tolerance as organizations understand how much appetite they have for risk and where the gaps are in their security.
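The two quantitative ideas on this page, factoring controls into the frequency or magnitude side of a FAIR analysis (the “How FAIR can help” section above) and the accept-or-treat loop against a risk tolerance just described, can be put in one small model. The example below is added here and is not code from the FAIR Institute or SecurityScorecard; it uses a deliberately simplified, point-estimate form of FAIR (risk = loss event frequency × loss magnitude, each control as a fractional reduction of one side), whereas a real FAIR analysis works with ranges and simulation. The scenario, control names, reduction fractions and tolerance are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Control:
    """A control and the side of the FAIR risk product it acts on."""
    name: str
    side: str          # "frequency" (avoidance/deterrent) or "magnitude" (response/recovery)
    reduction: float   # fraction of that side the control removes, 0.0 to 1.0 (constructed)
    deployed: bool     # True if part of the current environment, False if a candidate


@dataclass(frozen=True)
class Scenario:
    """Point-estimate FAIR inputs for one loss scenario (all values constructed)."""
    name: str
    threat_event_frequency: float  # expected attempts per year
    vulnerability: float           # probability that an attempt becomes a loss event
    loss_magnitude: float          # expected loss per loss event, in currency units
    controls: Tuple[Control, ...]


def annualized_loss(scenario: Scenario, active: List[Control]) -> float:
    """Risk = loss event frequency x loss magnitude, with each active control
    shrinking the side it belongs to. The set of active controls is explicit,
    which is the point the FAIR section makes about inherent vs. residual risk."""
    frequency = scenario.threat_event_frequency * scenario.vulnerability
    magnitude = scenario.loss_magnitude
    for control in active:
        if control.side == "frequency":
            frequency *= 1.0 - control.reduction
        elif control.side == "magnitude":
            magnitude *= 1.0 - control.reduction
        else:
            raise ValueError(f"unknown control side: {control.side!r}")
    return frequency * magnitude


def risk_levels(scenario: Scenario) -> Dict[str, float]:
    """The three states the text contrasts: textbook 'no controls' inherent risk,
    FAIR's current risk (existing controls), and residual risk with additional controls."""
    deployed = [c for c in scenario.controls if c.deployed]
    return {
        "no_controls": annualized_loss(scenario, []),
        "current": annualized_loss(scenario, deployed),
        "with_all_controls": annualized_loss(scenario, list(scenario.controls)),
    }


def control_effects(scenario: Scenario) -> List[Tuple[str, float]]:
    """Leave-one-out: how much does current risk rise if one deployed control is removed?
    The largest deltas mark the controls with the greatest effect on the loss scenario."""
    deployed = [c for c in scenario.controls if c.deployed]
    baseline = annualized_loss(scenario, deployed)
    effects = []
    for control in deployed:
        without = [c for c in deployed if c is not control]
        effects.append((control.name, annualized_loss(scenario, without) - baseline))
    return sorted(effects, key=lambda e: e[1], reverse=True)


def treatment_plan(scenario: Scenario, tolerance: float) -> Tuple[List[str], float]:
    """Accept current risk if it is within tolerance; otherwise add candidate controls
    one at a time (largest reduction first), re-assessing residual risk after each."""
    active = [c for c in scenario.controls if c.deployed]
    candidates = [c for c in scenario.controls if not c.deployed]
    added: List[str] = []
    risk = annualized_loss(scenario, active)
    while risk > tolerance and candidates:
        best = min(candidates, key=lambda c: annualized_loss(scenario, active + [c]))
        candidates.remove(best)
        active.append(best)
        added.append(best.name)
        risk = annualized_loss(scenario, active)
    return added, risk


# Constructed scenario mirroring the background-check / door-lock example in the
# FAIR section. Every number here is made up for illustration.
SERVER_ROOM = Scenario(
    name="Unauthorised physical access to server room",
    threat_event_frequency=10.0,
    vulnerability=0.5,
    loss_magnitude=100_000.0,
    controls=(
        Control("Door locks", "frequency", 0.5, deployed=True),
        Control("Employee background checks", "frequency", 0.2, deployed=True),
        Control("Offsite backups", "magnitude", 0.6, deployed=True),
        Control("Security guard", "frequency", 0.5, deployed=False),
        Control("Badge logging and alerting", "magnitude", 0.4, deployed=False),
    ),
)

if __name__ == "__main__":
    levels = risk_levels(SERVER_ROOM)
    for state, value in levels.items():
        print(f"{state:>18}: {value:>10,.0f}")
    # The page's formula: Residual Risk = Inherent Risk - Impact of Risk Controls
    print(f"impact of current controls: {levels['no_controls'] - levels['current']:,.0f}")
    for name, delta in control_effects(SERVER_ROOM):
        print(f"  removing {name!r} raises risk by {delta:,.0f}")
    plan, residual = treatment_plan(SERVER_ROOM, tolerance=50_000.0)
    print(f"add {plan} -> residual {residual:,.0f}")
```

With the constructed figures the “no controls” risk is 500,000 per year, the current risk with deployed controls is 80,000, and adding every candidate control would leave 24,000. The leave-one-out ranking shows the offsite backups, a magnitude-side control, have a larger effect than either frequency-side control, and against a tolerance of 50,000 only the security guard is needed, which is the reassess-after-each-control loop the section describes.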

How to calculate residual risk

To calculate residual risk, start from your risk tolerance: how much your company is prepared to do to keep inherent risks from being exploited. Once you have identified the inherent risks, the controls needed to treat them, and how much risk each one removes, what remains after that treatment is the residual risk.

Essentially: Residual Risk = Inherent Risk − Impact of Risk Controls.

Monitor inherent and residual risks with SecurityScorecard

SecurityScorecard’s security ratings platform helps companies monitor the changing nature of threats and recalibrate their risk levels by continuously monitoring an organization’s IT ecosystem. Our easy-to-read A-F ratings show you, at a glance, what your organization’s security posture looks like across 10 categories of risk factors: IP reputation, DNS health, endpoint security, network security, patching cadence, web application security, social engineering, hacker chatter, and information leakage.

If a score drops in any area, you’ll receive a real-time notification, allowing your security team to reevaluate your risks and controls and make better decisions to protect your data and networks. Interested in learning more? Sign up for a free account today to discover how SecurityScorecard's ratings platform can help manage the risks associated with your business.

When is residual risk determined?

Residual risk is the risk that remains after efforts have been made to identify and eliminate some or all types of risk. It is important for several reasons. The first is that residual risk is the risk “left over” after security controls and process improvements have been applied.

What is the level of residual risk after implementation of the control measures?

Residual risk is the risk that remains once your control measures are in place. There will always be some level of residual risk, but it should be as low as you can reasonably be expected to make it. The main focus of risk assessment is to control the risks in your work activities.

What are the steps of Risk Management process?

Step 1: Risk Identification
Step 2: Risk Assessment
Step 3: Risk Treatment
Step 4: Risk Monitoring and Reporting

What is residual risk and how should it be treated?

Residual risk is the risk that remains after risk management options have been identified and action plans have been implemented. It also includes all initially unidentified risks, as well as all risks that were previously identified and evaluated but not designated for treatment at that time.