iSACA Cybersecurity Fundamentals Certification Practice Exam

What is residual risk?

• A. The risk assumed by users
• B. The risk left after internal controls are implemented
• C. The risk profile of a company
• D. The risk measured by likelihood

The correct answer is: The risk left after internal controls are implemented

Residual risk refers to the amount of risk that remains after all appropriate measures have been taken to manage or mitigate identified risks. This concept is integral to risk management in cybersecurity and other fields, as it acknowledges that even with established controls, some level of risk will still persist. Implementing internal controls, such as security measures, policies, and procedures, is aimed at reducing risk to an acceptable level. However, no control can be 100% effective, so there will always be some degree of residual risk that organizations must acknowledge and address. It is crucial for organizations to conduct periodic assessments to evaluate this residual risk, as it informs their overall risk management strategy and helps in decision-making regarding additional controls or risk acceptance. The other options present different aspects of risk management but do not specifically define residual risk. For instance, the risk assumed by users could pertain to end-user behavior and its impact on overall risk but does not capture the essence of risk that remains post-control implementation. Similarly, a company's risk profile refers to its aggregate risk exposure and doesn’t focus on the risk remaining after mitigation efforts. The measurement of risk by likelihood addresses how likely an incident may occur but also does not define residual risk in the context of control effectiveness.