How to tell the difference between inherent risk and residual risk


In today’s digital era, organisations of all sizes must become risk vigilant. Inherent risks are all the risks that are present without security controls. Incorporating sophisticated security controls will reduce risk but won’t completely eliminate it. Residual risks, therefore, are the risks that remain after security controls have been implemented. 

Residual risks are unavoidable. Even when some level of security control is in place, traces of residual risk remain that could leave sensitive data open to attack. This occurs due to the growth of digital transformation which expands the digital landscape, creating more attack vectors. 

Sometimes introducing security controls can create additional residual risks, known as secondary risks. Because residual risks are inevitable, their effective management involves finding a balance between desirable and undesirable risks.  

Let’s take a closer look. 

Risk impact versus risk frequency 

When looking at any level of risk, it’s important to look at risk impact versus risk frequency. The lower boundary of the impact versus frequency curve is identified as the risk appetite. The risk appetite is the highest level of acceptable risk before mitigation efforts are applied. The curve should be as depressed as possible in order to widen the gap between cybercriminals and sensitive information. 

Inherent risk 

Inherent risk is defined as the innate probability that a cybersecurity event may occur due to a lack of countermeasures. On the flip side, residual risk is what remains after risk reduction efforts have been put in place. This means that residual risk can be evaluated without consideration for inherent risks. 

An example of inherent risk is a computer system vulnerable to malware that has no antivirus software installed. This creates an inherent risk because there are no countermeasures in place to protect against the threat. 

The impact of inherent risks varies from industry to industry. Healthcare organisations, for example, have inherent cybersecurity risks that come with their data management systems because they store large amounts of sensitive and personal information, whereas financial institutions tend to have only a low-level inherent risk due to their use of sophisticated encryption technology for online banking. 

Residual risk 

Residual risk reduction is fundamentally important because it is a mandatory requirement of ISO 27001. Security standards that fall within the ISO/IEC 27000 family of best security practices help organisations of all sizes quantify the safety of assets before and after sharing them with associates and vendors. 

In order to comply with ISO 27001, businesses must conduct a residual security check alongside inherent security processes before sharing any data. In 2021, residual risk attained an even higher level of importance when President Biden signed the Cybersecurity Executive Order. Organisations are now expected to reduce residual risk throughout their entire supply chain to limit third-party breaches, including those carried out by nation-state threat actors, and their impact. 

To become ISO/IEC 27001 compliant and to follow the Executive Order, organisations should combine attack surface monitoring solutions with residual risk assessment. 

Risk assessments  

Inherent risk assessments are designed to provide CISOs and security teams with a requirements framework for creating security controls. Beyond this top-tier evaluation, inherent risk assessments have very little value. Residual risk assessments possess real value and can help identify and remediate exposures before they can be exploited by cybercriminals. 

The difference between residual risk and inherent risk assessments  

The main difference between residual and inherent risk assessments is that the former takes into account the influence of security controls and other mitigation solutions.  

The following are important elements for both assessment programs: 

  • Inherent likelihood: The likelihood of an incident occurring with no security controls in place. 
  • Inherent impact: The impact of an incident occurring without security controls in place. 
  • Residual likelihood: The likelihood of an incident occurring with security controls in place. 
  • Residual impact: The impact of an incident occurring with security controls in place. 
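The four elements above, together with the risk appetite threshold described under "Risk impact versus risk frequency", can be put into a small scoring model. The following is an added example, not RiskXchange's own scoring method: it assumes a 0..1 annual likelihood, a 1..5 impact scale, and controls that reduce likelihood or impact by a fraction, and it flags which residual risks still sit above the risk appetite. All sample risks and control values are constructed for illustration.

```python
# Added example: a minimal inherent-vs-residual risk scoring model.
# The scales, the Risk/Control structures and the sample data are
# hypothetical and constructed for illustration only.
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    """A security control, modelled by how much it cuts likelihood and impact (fractions 0..1)."""
    name: str
    likelihood_reduction: float = 0.0
    impact_reduction: float = 0.0


@dataclass(frozen=True)
class Risk:
    """A risk scenario: inherent (no-controls) likelihood and impact, plus the controls applied."""
    name: str
    inherent_likelihood: float   # annual probability, 0..1 (assumed scale)
    inherent_impact: float       # severity, 1..5 (assumed scale)
    controls: tuple = ()


def inherent_score(risk: Risk) -> float:
    """Risk with no countermeasures in place: inherent likelihood x inherent impact."""
    return round(risk.inherent_likelihood * risk.inherent_impact, 4)


def residual_likelihood(risk: Risk) -> float:
    """Inherent likelihood after each control's reduction is applied multiplicatively."""
    likelihood = risk.inherent_likelihood
    for control in risk.controls:
        likelihood *= 1.0 - control.likelihood_reduction
    return round(likelihood, 4)


def residual_impact(risk: Risk) -> float:
    """Inherent impact after each control's reduction is applied multiplicatively."""
    impact = risk.inherent_impact
    for control in risk.controls:
        impact *= 1.0 - control.impact_reduction
    return round(impact, 4)


def residual_score(risk: Risk) -> float:
    """Risk that remains with the controls in place: residual likelihood x residual impact."""
    return round(residual_likelihood(risk) * residual_impact(risk), 4)


def assess(risks, risk_appetite: float):
    """Score each risk before and after controls; flag those still above the appetite threshold."""
    report = []
    for risk in risks:
        inherent = inherent_score(risk)
        residual = residual_score(risk)
        report.append({
            "risk": risk.name,
            "inherent": inherent,
            "residual": residual,
            "reduction": round(inherent - residual, 4),
            "exceeds_appetite": residual > risk_appetite,
        })
    # Highest remaining risk first, so the items needing further mitigation lead the list.
    return sorted(report, key=lambda row: row["residual"], reverse=True)


# Constructed sample controls and risks (hypothetical values).
ANTIVIRUS = Control("endpoint antivirus", likelihood_reduction=0.75)
VENDOR_ASSESSMENT = Control("vendor security assessment", likelihood_reduction=0.4)
ENCRYPT_SHARED = Control("encrypt data shared with vendors", impact_reduction=0.6)
AWARENESS = Control("security awareness training", likelihood_reduction=0.3)

SAMPLE_RISKS = (
    Risk("malware on unprotected endpoint", 0.8, 4, (ANTIVIRUS,)),
    Risk("breach via third-party vendor", 0.5, 5, (VENDOR_ASSESSMENT, ENCRYPT_SHARED)),
    Risk("credential theft via phishing", 0.9, 3, (AWARENESS,)),
)
RISK_APPETITE = 1.0  # highest residual score accepted without further mitigation (assumed)

if __name__ == "__main__":
    for row in assess(SAMPLE_RISKS, RISK_APPETITE):
        flag = "ABOVE APPETITE" if row["exceeds_appetite"] else "accepted"
        print(f"{row['risk']:<36} inherent={row['inherent']:<5} residual={row['residual']:<5} {flag}")
```

Run as a script, the report shows the phishing scenario still above the assumed appetite after awareness training alone, while the antivirus and vendor controls bring the other two scenarios below it. A risk with no controls scores identically on both measures, which is the point of the inherent assessment: it only tells you where controls are needed, not whether the ones you have are adequate.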

When effective security controls are incorporated within any organisation, there is a discrepancy between residual and inherent risk assessments. The results of these assessments alone are not enough to verify compliance and should be validated with an independent internal audit.  

How RiskXchange can help  

RiskXchange is one of the firms leading the fight against cybercrime, coming up with novel solutions to everyday problems experienced at the hands of hackers. We are a respected provider of cybersecurity ratings and can fully monitor internal and third-party attack surfaces to minimise risk. 

With full visibility over your ecosystem’s entire attack surface in near real time, you can regularly monitor and mitigate risks to prevent unnecessary exposures. Our passive data collection methods are effective and have no impact on your network performance. Using data-driven insights to prevent breaches is the best way to reduce an attack surface and prevent cyberattacks.   

About RiskXchange 

RiskXchange provides a powerful AI-assisted, yet simple automated and centralised 360-degree cybersecurity risk rating management approach. We generate objective and quantitative reporting on a company’s cybersecurity risk and performance, which enables organisations with evolving business requirements to conduct business securely in today’s open and collaborative digital world.  

RiskXchange is an information security technology company which helps companies of all sizes fight cyber threats by providing instant risk ratings for any company across the globe. RiskXchange was founded and is led by recognised experts within the security industry, who have held leading roles within companies such as IBM Security. 
