SSCP Exam Preparation - Understanding Residual Risk

Residual Risk


Question

What does "residual risk" mean?

Answers

Explanations


A.

Residual risk is "the security risk that remains after controls have been implemented" (ISO/IEC TR 13335-1, Guidelines for the Management of IT Security (GMITS), Part 1: Concepts and Models for IT Security, 1996).

"Weakness of an asset which can be exploited by a threat" is the definition of vulnerability.

"The result of an unwanted incident" is the definition of impact.

"Risk that remains after risk analysis has been performed" is a distracter.

Risk can never be eliminated or avoided, but it can be mitigated, transferred or accepted.

Even after applying a countermeasure, for example installing antivirus software, there is still no 100% guarantee that the systems will be protected.

The correct answer is A. Residual risk is defined as the risk that remains after controls have been implemented to mitigate or eliminate the initial risk. This residual risk exists because no control can completely eliminate the risk associated with a given asset, threat, or vulnerability. It is the risk that remains even after security measures have been put in place to reduce the likelihood or impact of a potential security incident.

In other words, residual risk is the remaining level of risk that an organization faces after implementing all of the necessary security controls to protect its assets. These controls can include preventive measures such as firewalls, intrusion detection systems, access controls, and encryption, as well as detective and corrective measures like incident response and disaster recovery plans. Even after these controls have been implemented, there is still a possibility that an attack or incident could occur, and residual risk represents the level of risk that remains.

It's important for security administrators to understand residual risk because it can help them prioritize their efforts and resources. They must identify the potential residual risk for each asset, evaluate the likelihood of it happening, and determine whether it's an acceptable risk or not. If the residual risk is deemed too high, administrators may need to implement additional controls or take other measures to reduce it further.