
Inherent and Residual Risk

When we start working with financial institutions, we often find a lot of confusion around how cybersecurity inherent risk and residual risk should be defined. Assessments are frequently driven by a desire to show only low residual risk levels, which leads the assessor to understate inherent risk so that the calculations come out the way they want.

A successful risk assessment is one that accurately portrays risk levels both inherently and residually. Understanding how to define risk levels is crucial to a successful risk assessment.

There is a line in an Everlast song that says “Where you end usually depends on where you start”. This line describes inherent risk perfectly. Inherent risk is the likelihood and impact of a threat before there are any controls in place.

Many institutions make the mistake of including assumed controls in the inherent risk rating, which is wrong. If we are assessing Microsoft Office 365 and start with the assumption that data will not be breached because Microsoft does a lot to protect the data, we are assuming controls and have not properly measured inherent risk. The inherent risk of data being breached in Office 365 should be very high because many attackers would quickly breach the data without any controls in place, and because the data we are storing there might include customer data.

The motivational speaker Kevin Ngo has a quote that builds on the earlier Everlast quote: “Where you end up does not depend on where you start; it depends on which direction you choose to take from where you currently stand.”

In a risk assessment, the “direction you choose” refers to the controls which were chosen to reduce (or “mitigate”) risk. In the case of the earlier Office 365 assessment, we would inventory the controls that were in place (credentials, multifactor authentication, encryption, monitoring, conditional access, etc.) and assess the strength of those controls to mitigate the risk of a data breach.

At its simplest, residual risk is the inherent risk minus the control strength rating. If we started with an inherent risk for Office 365 of “Very High” and determined our control strength was strong, we might rate residual risk as “Moderate”. A “Moderate” residual risk rating might frighten some organizations, but given the initial rating of “Very High” it might not be possible to reduce the risk any lower. Management needs to either be comfortable with living with this risk level, look for stronger controls, or move away from Office 365.

Finally, there is a quote from Orson Welles that also applies to risk assessments: “If you want a happy ending, that depends, of course, on where you stop your story.” Remember that a risk assessment is a snapshot in time and needs to be adjusted as controls, product functionality, or product usage change. Any of these types of changes will impact the inherent and residual risk levels.

If an assessment of Office 365 was performed last week before customer data was placed in the environment, the addition of customer data this week will likely change both the inherent and residual risk levels. Once inherent risk, controls, and residual risk are well defined it becomes easier to adjust assessments when changes occur to ensure that the risk level is still acceptable.
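An added example (not code from the Bedel Security post) that models the calculation described above: the five-level scale, the likelihood/impact combination rule and the number of levels each control-strength rating removes are assumptions, calibrated so that the Office 365 figures match the post (Very High inherent, strong controls, Moderate residual). It also shows how assuming controls in the inherent rating understates residual risk, and how the ratings move once customer data is added; the control inventory and the pre-customer-data impact are constructed values.

```python
from dataclasses import dataclass
from math import ceil

# Assumed 5-level ordinal scale used for likelihood, impact and risk.
LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]
# Assumed: levels removed from inherent risk by each overall control-strength
# rating, calibrated to the post's example (Very High + strong -> Moderate).
STRENGTH_STEPS = {"none": 0, "weak": 0, "moderate": 1, "strong": 2}

@dataclass
class Control:
    name: str
    strength: str  # one of STRENGTH_STEPS

def inherent_risk(likelihood, impact):
    """Threat likelihood and impact with NO controls in place.
    Assumed combination rule: average ordinal position, rounded up."""
    return LEVELS[ceil((LEVELS.index(likelihood) + LEVELS.index(impact)) / 2)]

def overall_strength(controls):
    """Assumed aggregation: floor of the controls' average strength position."""
    order = list(STRENGTH_STEPS)
    if not controls:
        return "none"
    return order[sum(order.index(c.strength) for c in controls) // len(controls)]

def residual_risk(inherent, controls):
    """Residual = inherent minus the control-strength reduction, floored at Very Low."""
    steps = STRENGTH_STEPS[overall_strength(controls)]
    return LEVELS[max(0, LEVELS.index(inherent) - steps)]

def assess(likelihood, impact, controls, assume_controls_in_inherent=False):
    """Return (inherent, residual). With assume_controls_in_inherent=True the
    assessor makes the mistake the post warns about: discounting inherent risk
    for controls that are then credited again at the residual step."""
    inherent = inherent_risk(likelihood, impact)
    if assume_controls_in_inherent:
        inherent = residual_risk(inherent, controls)  # controls double-counted
    return inherent, residual_risk(inherent, controls)

# Constructed control inventory for the Office 365 scenario; strengths are assumed.
O365_CONTROLS = [Control(n, "strong") for n in
                 ("credentials", "MFA", "encryption", "monitoring", "conditional access")]

if __name__ == "__main__":
    print("correct:", assess("Very High", "Very High", O365_CONTROLS))  # ('Very High', 'Moderate')
    print("assumed controls:", assess("Very High", "Very High", O365_CONTROLS, True))  # ('Moderate', 'Very Low')
    # Snapshot: impact before customer data was stored is a constructed "Moderate".
    print("before customer data:", assess("Very High", "Moderate", O365_CONTROLS))  # ('High', 'Low')
```

Re-running `assess` with the new impact is the "snapshot in time" adjustment: the control inventory is unchanged, yet both ratings rise once customer data is in scope.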

Bedel Security helps institutions understand and manage their cybersecurity risk. If your institution needs help tuning risk assessments, please do not hesitate to email us at support@bedelsecurity.com.

Additional Resources:

The Scare of Miscellaneous Errors
https://www.bedelsecurity.com/blog/the-scare-of-miscellaneous-errors

The Virtual CISO Whitepaper
https://www.bedelsecurity.com/the-virtual-ciso-whitepaper

The Most Underrated Control in Information Security
https://www.bedelsecurity.com/blog/the-most-underrated-control-in-information-security

IT Risk Assessment vs. Vendor Risk Assessment Simplified
https://www.bedelsecurity.com/blog/it-risk-assessment-vs.-vendor-risk-assessment-simplified