Residual Risk

As we discussed in the context of an overall cybersecurity risk management process, there are four major steps:

Let us concentrate now on the last point. It is worth repeating that risk can never really be entirely eliminated. There will always be residual risk. That is simply a fact of business life. It is much more important to think in terms of what level of risk you are willing and able to live with, or “tolerate”, in formal jargon. You don’t necessarily have to bring down risk to a zero level – you only have to bring it down to a level that you are willing to tolerate. If the residual risk is tolerable for you, then nothing needs to be done – your cybersecurity risk management process is in good shape for now.

But what if the level of residual risk is more than you are willing to tolerate? Then you have to make some decisions – you have to manage your residual risk. The possibilities include:

Risk acceptance. Management can decide that the best course of action is to simply accept the risk, to “take your chances”. In that case, it must be a formal action so that the responsibility for doing so is clear.

Risk reduction. If management feels the level of residual risk is intolerable, then it could go back to the third step of the process and search for other possible mitigation measures to lower the risk. This may involve a search for new measures that haven’t been tried yet, or may involve spending more money on measures that have already been tried. For example, it might buy a more technologically advanced firewall, install expensive data monitoring software, or introduce more complex multi-factor authentication schemes. Here, a tradeoff between the expense and the benefit of the new measures will have to be managed.

Risk avoidance. If management is neither willing to accept the residual risk nor willing (or able) to spend the extra money to lower the level of risk, then it might search for a way to avoid the risk altogether. For example, if the risk of cyber-intrusion remains too high for certain critical data, then management might take a decision to take the data offline – to physically close off that data from the Internet, thereby eliminating the cybersecurity risk. Note that this may mean the loss of certain functionality (such as convenient remote access to data), but that is part of the tradeoff to consider.

Risk sharing / insurance. This is where a whole new perspective opens up: bringing the concept of insurance into the cybersecurity landscape. Insurance allows the enterprise to avoid having to adopt one of the other options by sharing risk through an appropriate policy. Cyber risk insurance is becoming a more and more attractive solution to the problem of residual risk management because it is quick and efficient to implement without undue disturbance to the operations of the enterprise. It can be particularly attractive for smaller enterprises that do not necessarily have the resources to undertake the possibly onerous investigations and analyses associated with risk reduction and avoidance measures. Although cyber risk insurance is at its beginnings, it is increasingly occupying a well-defined niche in the overall cybersecurity risk management process.

By adopting the systematic approach outlined above to the management of residual risk, management ensures that nothing is overlooked in the search for the best solution: one that not only mitigates negative risk, but also maximizes positive risk (opportunities) and safeguards the bottom line of the company.


EU to strengthen its expertise in cybersecurity research, technology and industrial development

Europe is stepping up its protection against cybersecurity threats, and is discussing a new structure for pooling expertise which will help secure the digital single market and increase the EU’s autonomy in the area of cybersecurity.

Europe is currently working on the establishment of a top knowledge base for cybersecurity, the European Cybersecurity Industrial, Technology and Research Centre, and a network of national cybersecurity coordination centres, the Network of National Coordination Centres.

Future Events

Cyber Insurance and its Contribution to Cyber Risk Mitigation - Leiden March 25-29
25/03/2019 to 29/03/2019

The rise in both the scale and severity of recent cyberattacks demands new thinking about cybersecurity risk and the mitigation and transfer of that risk. Cyber insurance is one potential way to manage risk by transferring damage liability, but the cyber insurance market is immature and the understanding and actuarial knowledge of cyber-risk is currently underdeveloped.

e-SIDES workshop 2019

e-SIDES workshop: Towards Value-Centric Big Data: Connect People, Processes and Technology

2 April 2019

10am to 4pm

e-SIDES is a research project funded by the European Commission’s H2020 Programme that deals with the ethical, legal, social and economic implications of privacy-preserving technologies in different big data contexts.