1. National Institute of Standards and Technology (NIST). (2012). Special Publication (SP) 800-30 Revision 1, Guide for Conducting Risk Assessments. Reference: Section 2.2.4, page 11. The document states: "Residual risk is the risk that remains after risk responses have been implemented." The term is also formally defined in Appendix A, page A-10.
2. International Organization for Standardization (ISO). (2018). ISO/IEC 27005:2018, Information technology — Security techniques — Information security risk management. Reference: Clause 3.13. This standard defines residual risk as the "risk remaining after risk treatment," where "risk treatment" is the process of selecting and implementing controls.
3. Anderson, R. (2020). Security Engineering: A Guide to Building Dependable Distributed Systems (3rd ed.). Wiley. Reference: Chapter 25, Section 25.3.1, page 868. The text explains: "The risk that remains after you’ve applied controls is called the residual risk; management must then decide whether to accept it, or to spend more on further controls."
4. Peltier, T. R. (2010). Information Security Risk Analysis (3rd ed.). Auerbach Publications. Reference: Chapter 1, page 6. The book defines residual risk as "the risk that remains after controls are implemented." It is described as a key output of the risk assessment process that informs management's risk acceptance decisions. (DOI: https://doi.org/10.1201/EBK1439839560)