
To implement effective cybersecurity, your organization needs a clear picture of the risks it faces in 2025 and beyond. Some of the leading information security worries for global organizations include ransomware (70%), geopolitical dangers (60%), social engineering attacks (40%), and GenAI-related vulnerabilities (45%). A key part of any organizational risk assessment is understanding what residual risk is and how to minimize it.
Residual risk is the percentage of risk that is left over after you factor in all mitigating activities, security controls, and other risk-reducing actions. In other words, it’s the risk that remains after your business has taken steps to safeguard operations, processes, products, and policies.
It’s impossible to talk about cybersecurity without involving residual risk — especially as infosec threats become more complex. To protect organizational data and prevent cyberattacks, you need to take defensive measures: risk awareness, antivirus tools, access monitoring, etc. Even after taking these vital steps, some risks usually remain. These potential threats are known as residual risks.
Whether your company processes payment card data or customizes cloud storage solutions, you must have a plan for managing residual risk. The growth of e-commerce in B2B and B2C industries means that virtually all small, medium, and large enterprises must make important decisions around residual cybersecurity risks.
It’s easier to understand the definition of residual risk if you think of the effect of seatbelts. There were over 12 million crashes and 5 million car accident injuries in the United States in 2022, leading to losses of nearly $500 billion. When drivers and passengers use seatbelts, the risks of severe or fatal injuries drop drastically — by 60% in the case of trucks and SUVs.
In this example, seatbelts and airbags are excellent tools for risk mitigation. They save lives and prevent devastating outcomes in many crashes.
Unfortunately, seatbelts don’t offer 100% protection against car accident injuries. Some drivers who are buckled up still end up in the hospital or worse as a result of unexpected crashes. Driving an automobile always has residual risks, even with protective systems like seatbelts in place.
To deal with social engineering threats (e.g., phishing and vishing), many organizations implement employee training policies, email filtering frameworks, redirect-prevention security tools, and Single Sign-On programs for logins. These measures can be very effective at protecting your company from cyberattacks, but they’re not foolproof.
Even when your organization follows a risk-oriented compliance framework, bad actors may still find ways to obtain login credentials: old-school pretexting attacks, monetary incentives, third-party vulnerabilities, and compromised websites. How you deal with these residual risks in cybersecurity often depends on the size of your workforce and the compliance requirements you have to meet.
Whereas residual risk applies to your level of risk after controls and mitigations have been established, inherent risk is the total risk without any controls in place. Inherent risk can come into play in several situations:
An in-depth risk assessment should analyze both inherent and residual risks.
Don’t make the mistake of thinking that residual risk is harmless. Phishing attacks made up the vast majority of cybercrime in 2023, impacting nearly 300,000 individuals in the United States alone.
Some of the affected companies may have been lax in their cybersecurity practices, but even high-profile brands have faced embarrassing data breaches and damaging ransomware attacks. Seemingly “acceptable” residual risk can hide critical vulnerabilities that your company isn’t aware of — exactly what cybercriminals are looking for to launch their next attack.
Another reason it’s important to know what residual risk is in your business revolves around the cost of mitigation efforts. In a perfect world, your business would have endless resources to build impenetrable cybersecurity defenses, but that’s not realistic for many small and mid-sized organizations these days.
Even worldwide brands have limits to how much they can feasibly spend on physical security, cybersecurity professionals (e.g., hiring a CISO), and real-time monitoring. Realistically, your company must decide what amount of residual risk is acceptable for its circumstances, resources, and goals.
Calculating and addressing residual risk is part of the mandatory risk assessment framework that any company needs to follow for ISO 27001 compliance. ISO 27001 is a leading cybersecurity standard for U.S. and EU businesses — especially in the finance, software development, and data processing industries.
Having a clear picture of your residual risk is helpful when it’s time to make budget decisions for cybersecurity, regulatory compliance, and business operations. Depending on the nature and impact of residual risks, you can quickly identify the most important areas for improvement and the cybersecurity measures that offer the greatest potential return on investment for your company.
Residual risk has a simple formula, but you need plenty of organizational data to apply it accurately. The formula for residual risk is:
Costs of inherent risk – effect of controls = Residual risk
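The following is an added worked example, not Compyl's code or any part of the original article. It applies the formula above to a small risk register and flags each risk against an acceptable residual threshold that the business sets for itself. Two assumptions go beyond what the formula states: the cost of inherent risk is modelled as likelihood times impact, and several controls on one risk are assumed to act on whatever the previous control left behind rather than adding up linearly. The register figures, control names and the `ACCEPTABLE_RESIDUAL` threshold are constructed for illustration.

```python
# Added worked example (not Compyl's code): residual risk = costs of inherent risk
# minus the effect of controls, computed over a small constructed risk register.
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Control:
    name: str
    effectiveness: float  # fraction of the risk this control removes, 0.0 to 1.0


@dataclass
class Risk:
    name: str
    likelihood: float  # assumed: annual probability the event occurs, 0.0 to 1.0
    impact: float  # assumed: expected loss in dollars if the event occurs
    controls: List[Control] = field(default_factory=list)


def inherent_risk(risk: Risk) -> float:
    """Cost of the risk with no controls in place (assumed likelihood x impact)."""
    return risk.likelihood * risk.impact


def effect_of_controls(risk: Risk) -> float:
    """Dollar value removed by the controls.

    Assumption: each control acts on what the previous control left behind, so
    two 50% controls remove 75% of the inherent risk, not 100%.
    """
    remaining_fraction = 1.0
    for control in risk.controls:
        if not 0.0 <= control.effectiveness <= 1.0:
            raise ValueError(f"{control.name}: effectiveness must be between 0 and 1")
        remaining_fraction *= 1.0 - control.effectiveness
    return inherent_risk(risk) * (1.0 - remaining_fraction)


def residual_risk(risk: Risk) -> float:
    """The article's formula: costs of inherent risk - effect of controls."""
    return inherent_risk(risk) - effect_of_controls(risk)


def assess(register: List[Risk], acceptable: float) -> List[Tuple[str, float, float, bool]]:
    """Rank risks by residual cost, highest first, and mark whether each one sits
    within the acceptable residual risk the organization has chosen."""
    rows = [
        (r.name, inherent_risk(r), residual_risk(r), residual_risk(r) <= acceptable)
        for r in register
    ]
    return sorted(rows, key=lambda row: row[2], reverse=True)


# Constructed sample register; the figures are illustrative, not measured data.
REGISTER = [
    Risk("Phishing", likelihood=0.8, impact=250_000, controls=[
        Control("Security awareness training", 0.5),
        Control("Email filtering", 0.6),
        Control("Single Sign-On for logins", 0.7),
    ]),
    Risk("Ransomware", likelihood=0.3, impact=1_000_000, controls=[
        Control("Offline backups", 0.6),
        Control("Endpoint detection and response", 0.5),
    ]),
    Risk("Third-party vendor breach", likelihood=0.2, impact=400_000),  # no controls yet
]

ACCEPTABLE_RESIDUAL = 50_000  # assumed risk appetite, dollars per year

if __name__ == "__main__":
    print(f"{'Risk':28} {'Inherent':>12} {'Residual':>12}  Within tolerance")
    for name, inherent, residual, ok in assess(REGISTER, ACCEPTABLE_RESIDUAL):
        print(f"{name:28} {inherent:>12,.0f} {residual:>12,.0f}  {'yes' if ok else 'NO'}")
```

Run as a script, the table shows phishing with a high inherent cost but a small residual (three layered controls), ransomware still above the threshold, and the uncontrolled vendor risk at the top of the list, which is the ordering a budget discussion would start from. The multiplicative assumption matters: summing effectiveness values would claim 180% coverage for phishing, which is why residual risk should never be computed by adding control percentages.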
After pinpointing your company’s residual risk, you’re in a position to decide how to respond. There are several options:
The one thing you can never afford to do is completely ignore risks — even residual ones.
It’s not enough to know what residual risk is. To truly safeguard sensitive information, you must know where your most serious vulnerabilities are. Cybersecurity compliance platforms such as Compyl make it easier to identify, evaluate, track, and minimize residual risk. Learn how to create data-driven policies for your risk framework. Contact us for more information today.