I’ve noticed that there is often a communication breakdown when a security expert talks to upper management regarding exactly what is “risk.” While we may define risk as the probability of a threat overcoming security controls to exploit a vulnerability resulting in loss, the confusion lies in these assumed “security controls.” What security controls, if any, are we factoring in before gauging risk? For this reason, we need to clarify the difference between inherent risk and residual risk.
Inherent Risk – We can define inherent risks as the risk to a company in the absence of any security controls or actions that might be taken to alter, mitigate, or reduce either the likelihood or impact of a data loss. In other words, the inherent risk of a system is the risk that the system poses “out of the box,” before any processes, technologies, or people are put in place.
Residual Risk – The probability of loss that remains for systems that store, process, or transmit information after security measures or controls have been implemented. Implemented controls may include best-practice control frameworks such as ISO 27002, and regulatory compliance requirements such as HIPAA or PCI.
Risk management is something that every one of us does every waking minute. Not a second goes by that we do not evaluate risk and make a decision based on our assessment. It becomes so automatic that we are not entirely aware we are doing it.
A great example I like to use to illustrate the difference between inherent risk and residual risk is walking across the street. If you cross the street, there are a nearly infinite number of inherent risks. One of the inherent risks with a high probability and large impact would be getting hit by a car. So to mitigate this risk we implement the control of “looking left and right to check for oncoming traffic before crossing.” But this will not eliminate every possible risk, and residual risks remain. For example, you could still be hit by a meteor because you did not look up.
Despite the devastating impact of such an event, we don’t look up for meteors when crossing the street because of the low probability of one hitting us. As security experts, our job is to determine when the cost of reducing a risk exceeds the cost of that risk occurring.
The purpose of defining inherent risk is so we can assess the residual risk and arrive at the optimal cost point:
Inherent Risk = Threats x Vulnerability
Residual Risk = Inherent Risk x Control Risk
The goal in the end is to link risk to budget.
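To show how these two formulas connect risk to budget, here is an added worked example (not from the original post) that scores the street-crossing illustration and decides which controls are worth funding. It assumes Threats and Vulnerability are probabilities, Control Risk is the fraction of inherent risk a control leaves behind, and a separate impact figure turns probability into expected loss; all numbers are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Risk:
    name: str
    threat: float         # assumed: annual likelihood the threat is attempted (0..1)
    vulnerability: float  # assumed: probability the attempt succeeds with no controls (0..1)
    impact: float         # assumed: loss if it succeeds, in currency units

@dataclass(frozen=True)
class Control:
    name: str
    control_risk: float   # assumed: fraction of inherent risk remaining after the control (0..1)
    annual_cost: float    # what the control costs per year

def inherent_risk(r: Risk) -> float:
    """Inherent Risk = Threats x Vulnerability (the post's formula)."""
    return r.threat * r.vulnerability

def residual_risk(r: Risk, c: Control) -> float:
    """Residual Risk = Inherent Risk x Control Risk (the post's formula)."""
    return inherent_risk(r) * c.control_risk

def expected_loss(probability: float, impact: float) -> float:
    """Expected annual loss for a given probability of loss and impact."""
    return probability * impact

def net_benefit(r: Risk, c: Control) -> float:
    """Expected loss avoided by the control minus the control's cost.
    Negative means reducing the risk costs more than the risk occurring."""
    avoided = expected_loss(inherent_risk(r), r.impact) - expected_loss(residual_risk(r, c), r.impact)
    return avoided - c.annual_cost

def controls_worth_funding(r: Risk, candidates: list[Control]) -> list[Control]:
    """Controls whose expected-loss reduction outweighs their cost: the budget link."""
    return [c for c in candidates if net_benefit(r, c) > 0]

# Constructed sample data: the street-crossing illustration with made-up numbers.
CAR = Risk("hit by a car", threat=0.5, vulnerability=0.2, impact=1_000_000)
METEOR = Risk("hit by a meteor", threat=1e-9, vulnerability=1.0, impact=1_000_000)
LOOK_SIDEWAYS = Control("look left and right", control_risk=0.01, annual_cost=10)
LOOK_UP = Control("look up", control_risk=0.5, annual_cost=10)

if __name__ == "__main__":
    for risk in (CAR, METEOR):
        for control in (LOOK_SIDEWAYS, LOOK_UP):
            print(f"{risk.name} / {control.name}: inherent={inherent_risk(risk):.2e} "
                  f"residual={residual_risk(risk, control):.2e} net_benefit={net_benefit(risk, control):,.2f}")
```

Running it shows both controls pay for themselves against the car, while neither is worth funding against the meteor, which is exactly why we look sideways but not up.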

Niranjan, December 21, 2012 at 6:35 am
Great example quoted to differentiate inherent vs residual risk