Residual Risk

As we discussed in the context of an overall cybersecurity risk management process, there are four major steps:

Let us concentrate now on the last point. It is worth repeating that risk can never really be entirely eliminated. There will always be residual risk. That is simply a fact of business life. It is much more important to think in terms of what level of risk you are willing and able to live with, or “tolerate”, in formal jargon. You don’t necessarily have to bring down risk to a zero level – you only have to bring it down to a level that you are willing to tolerate. If the residual risk is tolerable for you, then nothing needs to be done – your cybersecurity risk management process is in good shape for now.

But what if the level of residual risk is more than you are willing to tolerate? Then you have to make some decisions – you have to manage your residual risk. The possibilities include:

Risk acceptance. Management can decide that the best course of action is to simply accept the risk, to “take your chances”. In that case, it must be a formal action so that the responsibility for doing so is clear.

Risk reduction. If management feels the level of residual risk is intolerable, it can go back to the third step of the process and search for further mitigation measures to lower the risk. This may mean looking for measures that have not been tried yet, or spending more on measures already in place. For example, it might buy a more technologically advanced firewall, install expensive data monitoring software, or introduce a more robust multi-factor authentication scheme. Here, the tradeoff between the expense and the benefit of the new measures has to be managed.

Risk avoidance. If management is neither willing to accept the residual risk nor willing (or able) to spend the extra money to lower the level of risk, then it might search for a way to avoid the risk altogether. For example, if the risk of cyber-intrusion remains too high for certain critical data, then management might take a decision to take the data offline – to physically close off that data from the Internet, thereby eliminating the cybersecurity risk. Note that this may mean the loss of certain functionality (such as convenient remote access to data), but that is part of the tradeoff to consider.

Risk sharing / insurance. This is where a whole new perspective opens up: bringing the concept of insurance into the cybersecurity landscape. Insurance allows the enterprise to avoid having to adopt one of the other options by sharing the risk through an appropriate policy. Cyber risk insurance is becoming a more and more attractive solution to the problem of residual risk management because it is quick and efficient to implement without undue disturbance to the operations of the enterprise. It can be particularly attractive for smaller enterprises that do not necessarily have the resources to undertake the possibly onerous investigations and analyses associated with risk reduction and avoidance measures. Although cyber risk insurance is still in its infancy, it is increasingly occupying a well-defined niche in the overall cybersecurity risk management process.
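The four options above can be compared side by side once the risk is quantified. The following added example (not part of the original article) expresses each treatment as an annual cost plus the residual expected loss it leaves behind, and picks the cheapest option that brings the residual within the tolerance level. The likelihood, impact and cost figures are constructed, and quantifying risk as likelihood multiplied by loss per event is an assumption the article itself does not prescribe.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """A risk scenario, quantified as annual likelihood times loss per event (assumption)."""
    likelihood: float  # probability the event occurs in a year (0..1)
    impact: float      # loss per event, in currency units

    def expected_loss(self) -> float:
        return self.likelihood * self.impact


@dataclass(frozen=True)
class Treatment:
    """One candidate response and the residual risk it leaves behind."""
    option: str         # "reduce", "avoid" or "share"
    annual_cost: float  # control spend, value of lost functionality, or premium
    residual: Risk      # what remains after the treatment is applied


def choose_treatment(risk: Risk, tolerance: float, candidates: list[Treatment]) -> tuple[str, float]:
    """Return (option, total annual cost) for the cheapest option within tolerance.

    Total annual cost = treatment cost + residual expected loss. If the untreated
    risk is already tolerable, nothing needs doing ("accept"). If no candidate
    reaches tolerance, acceptance is still the outcome, but it must be a formal,
    recorded management decision.
    """
    if risk.expected_loss() <= tolerance:
        return "accept", risk.expected_loss()
    viable = [t for t in candidates if t.residual.expected_loss() <= tolerance]
    if not viable:
        return "accept (formal sign-off required)", risk.expected_loss()
    best = min(viable, key=lambda t: t.annual_cost + t.residual.expected_loss())
    return best.option, best.annual_cost + best.residual.expected_loss()


# Constructed figures (hypothetical): a data-exposure scenario after existing controls.
RESIDUAL = Risk(likelihood=0.20, impact=500_000)  # expected loss 100,000 per year
TOLERANCE = 25_000                                 # what management is willing to live with
OPTIONS = [
    # reduce: stronger controls cut the likelihood, but cost money every year
    Treatment("reduce", 30_000, Risk(0.04, 500_000)),
    # avoid: take the data offline; the cost is the value of the lost remote access
    Treatment("avoid", 45_000, Risk(0.0, 500_000)),
    # share: insurance premium; the deductible is the loss retained per event
    Treatment("share", 18_000, Risk(0.20, 50_000)),
]


def decide() -> tuple[str, float]:
    return choose_treatment(RESIDUAL, TOLERANCE, OPTIONS)


if __name__ == "__main__":
    print(decide())  # ('share', 28000.0)
```

Tightening the tolerance to 5,000 flips the answer to "avoid", the only option whose residual reaches that level, which is the kind of sensitivity management should see before signing off.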

By adopting the systematic approach outlined above to the management of residual risk, management ensures that nothing is overlooked in the search for the best solution that not only mitigates negative risk, but also maximizes positive risk (opportunities) and safeguards the bottom line of the company.
