Oct 27, 2024
Introduction
When it comes to application security, especially in sectors like fintech, healthcare, and financial services, understanding and managing risks is a critical part of the development lifecycle. One of the first steps in this process is assessing the risk inherent in your system or application before implementing any security controls.
Whether you're integrating security into your SDLC (Software Development Life Cycle) or managing the risk profile of your applications, knowing the difference between risk inherent to your system and residual risk can help you make informed decisions about controls and mitigations.
In this article, we'll walk you through both types of risks and explore how to effectively manage them within the context of building secure software systems.
Next, we talk about the risks - inherent and residual.
Definition and Understanding of Risks
At a fundamental level, risks are uncertainties that can impact your project, system, or operation. In application security, risks represent the potential vulnerabilities and threats that could compromise the integrity, confidentiality, and availability of your software. Two major types of risk exist in any security context: inherent risk (risk inherent to a system) and residual risk.
Inherent risk is the risk inherent in a situation or environment before any security measures are applied.
Residual risk is the remaining risk after controls, mitigations, and other defensive measures have been implemented.
Inherent Risk
Inherent risk refers to the initial or raw level of risk associated with a process, system, or application, assuming there are no security controls in place. This is the risk you are exposed to by default simply by being in the given context (e.g., developing a fintech application that handles sensitive customer data). It is important to assess this risk first, as it forms the baseline from which all risk mitigation activities will be measured.
For developers, this might mean the vulnerabilities that exist in a framework or platform you are using before any additional security measures like encryption, authentication, or input validation are implemented.
Examples of Inherent Risk in Cybersecurity
Unintentional Data Loss
Accidental file deletion by authorized users represents an inherent cybersecurity risk, as it can occur gradually without adequate safeguards in place. To mitigate the potential for serious repercussions, such as complete data loss, companies must adopt backup storage solutions and encryption measures.
Improper Data Handling
When employees misuse sensitive information for personal purposes—like accessing bank statements—they risk violating company policies, which can lead to legal action from customers. The absence of effective internal controls or security protocols related to data management can result in data loss or theft.
Weak Password Practices
The use of default or overly simple passwords is a prevalent issue in both professional and personal contexts. External threats often target these weak passwords in the initial stages of credential stuffing or brute-force attacks due to their high success rates.
These risks exist regardless of the actions you take. Without proper implementation of security controls, these vulnerabilities are likely to be exploited.
Residual Risk
Residual risk represents what’s left after you’ve applied mitigations and security controls. It’s the risk that remains despite efforts to reduce vulnerabilities, secure code, and protect your system. No system is ever risk-free, and residual risk helps organizations focus on risks that can't be fully eliminated but need to be managed within acceptable limits.
For developers, this might mean that after implementing security protocols, encryption, and regular patching, certain risks may still exist due to factors such as zero-day vulnerabilities or unintentional human errors.
The goal in application security is to align residual risk with your organization’s risk appetite — how much risk an organization is willing to accept. This is a key decision in risk management and varies depending on the industry.
Examples of Residual Risks in Cybersecurity
Third-Party Cyber Attacks
These attacks occur when an external entity targets an organization's computer network with the intention of disrupting, disabling, or controlling the information stored within. Since such attacks are executed by outside actors, it is nearly impossible to predict when they might occur. Consequently, even with preventative measures in place, a third-party cyber attack remains a potential risk for any organization.
Email Phishing
Email phishing involves an attacker sending emails designed to obtain personal information or gain unauthorized access to a system. These phishing emails are often crafted to appear as if they come from trusted sources—such as company executives or departments like HR or customer service—when, in fact, they are sent by third parties with malicious intentions.
Internal Information Theft
While cyber attacks are frequently associated with anonymous external actors, it's important to recognize the potential for sabotage by individuals within the organization, such as disgruntled employees or contractors. To mitigate inherent risks related to the mishandling of personal data and the misuse of privileged accounts, implementing logging and monitoring software can reduce the likelihood of these attacks. However, internal threats should still be viewed as a residual risk.
Next, we compare inherent and residual risk.
Inherent vs. Residual Risk: What are the Differences?
It's important to understand the difference between inherent risk and residual risk.
Inherent risk refers to the inherent likelihood of a cybersecurity event occurring due to insufficient countermeasures. Conversely, residual risk is what remains after implementing risk mitigation strategies and internal controls. This distinction is crucial, as residual risk can be assessed independently of inherent risks.
For instance, a computer system lacking antivirus software is highly vulnerable to malware, resulting in a significant inherent risk due to the absence of protective measures.
In contrast, residual risk is the remaining threat when antivirus software is installed and the user frequently updates their passwords. Residual risks encompass social engineering tactics, phishing attempts, and malware infections. These risks persist regardless of the robustness of cybersecurity controls. The rapid pace of digital transformation is broadening the attack surface and increasing digital risks, making residual risks dynamic and necessitating a more holistic approach to cybersecurity.
For example, even a staff member trained to identify phishing emails may still fall prey to fraudulent phone calls seeking login credentials. Therefore, it is insufficient to address residual threats in isolation; comprehensive monitoring of the entire threat landscape is essential.
Inherent Risk: The impact and likelihood are at their highest because no security controls are in place. Without proper measures, your application could face significant threats.
Residual Risk: After implementing controls, the impact and likelihood should reduce significantly, although not completely. The residual risk is what remains even after best practices are applied.
Risk Type      | Impact (No Controls) | Impact (With Controls) | Likelihood (No Controls) | Likelihood (With Controls)
Inherent Risk  | High                 | N/A                    | High                     | N/A
Residual Risk  | N/A                  | Reduced                | N/A                      | Reduced
How is Inherent Risk Identified?
Inherent risk can be identified by conducting an audit of existing operations and the overall business environment. This involves examining daily processes, market trends, economic conditions, industry regulations, and assessing competitor activities.
How is Residual Risk Identified?
Residual risk can be identified by conducting audits and reviewing processes after implementing protective controls within the organization. This includes performing penetration tests, sending test phishing emails to employees, and utilizing other methods to evaluate the effectiveness of current cybersecurity measures.
Key Factors to Consider When Assessing Inherent Risk
Here are the essential factors to evaluate when determining inherent risk:
1. Asset Nature and Sensitivity
The characteristics and sensitivity of an asset play a crucial role in its inherent risk. Assets that hold sensitive or confidential information—like customer data, intellectual property, or trade secrets—are inherently more valuable and vulnerable to exploitation by malicious entities. Additionally, assets vital to business functions, such as critical infrastructure or proprietary technologies, carry a higher inherent risk because their compromise could significantly impact the organization's stability.
2. Threat Environment
The threat landscape surrounding an organization significantly affects its inherent risk profile. Elements like the frequency, sophistication, and persistence of potential threats—ranging from cyberattacks and insider threats to fraud schemes — shape the overall level of inherent risk. Organizations situated in industries or regions with a higher incidence of cybercrime or political instability may experience greater inherent risks than those in more stable settings.
3. Industry and Regulatory Factors
Various industries or regulatory frameworks establish specific requirements and standards for security and compliance, thereby influencing the inherent risks that organizations face. For instance, healthcare providers bound by regulations like the Health Insurance Portability and Accountability Act (HIPAA) must address inherent risks related to patient privacy and data protection. Likewise, financial institutions governed by standards like the Payment Card Industry Data Security Standard (PCI DSS) confront inherent risks linked to financial fraud and transaction security.
4. Complexity and Interconnectedness
The intricacy and interconnectedness of assets, systems, and processes within an organization affect its inherent risk profile. Highly complex or interdependent assets may exhibit greater inherent risk due to the likelihood of cascading failures or vulnerabilities. For example, a centralized database that holds critical business information represents a single point of failure, which, if compromised, could lead to widespread repercussions across the organization's operations and its stakeholders.
Next, we discuss how to measure inherent risks.
How to Measure Inherent Risks?
Inherent risk is evaluated based on two key criteria: impact and likelihood.
Inherent impact refers to the effect an event would have on an organization if it were to occur, rated on a scale from negligible to extreme. Inherent likelihood addresses the chance of a risk materializing without any controls in place. These two factors are multiplied together to produce an inherent risk score. Most auditing standards assess the potential impact of this score on the overall security posture of an organization.
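The scoring described above (impact multiplied by likelihood) and the earlier point about aligning residual risk with the organization's risk appetite can be put together in a small risk register. The following is an added example and is not code from the original article: it maps the qualitative impact and likelihood ratings to ordinal numbers, computes an inherent score, derives a residual score from an assumed control-effectiveness factor (a simple linear model chosen for the example, not something the article prescribes), and flags any risk whose residual score exceeds an assumed appetite threshold. The likelihood labels, the rating bands, the control-effectiveness values and the appetite threshold are all illustrative assumptions; the three sample risks are the ones the article itself uses as examples.

```python
"""Tiny risk register: inherent score, residual score and risk-appetite check.

Added example, not from the original article. All numeric values are assumed.
"""
from dataclasses import dataclass
from typing import Dict, List

# Qualitative scales mapped to ordinal numbers. The impact labels follow the
# article's "negligible to extreme" scale; the likelihood labels are assumed.
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "extreme": 5}
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}


@dataclass
class Risk:
    name: str
    impact: str
    likelihood: str
    # Fraction of the inherent score removed by the controls applied to this risk
    # (0.0 = no controls, 1.0 = fully mitigated). The linear reduction model is an
    # assumption made for this example.
    control_effectiveness: float = 0.0

    def inherent_score(self) -> int:
        """Impact x likelihood with no controls in place (range 1..25)."""
        return IMPACT[self.impact] * LIKELIHOOD[self.likelihood]

    def residual_score(self) -> float:
        """What is left of the inherent score after the controls are credited."""
        if not 0.0 <= self.control_effectiveness <= 1.0:
            raise ValueError("control_effectiveness must be between 0 and 1")
        return self.inherent_score() * (1.0 - self.control_effectiveness)


def rating(score: float) -> str:
    """Bucket a 1..25 score into High / Medium / Low (band thresholds are assumed)."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


def review_register(risks: List[Risk], appetite: float) -> List[Dict]:
    """Score every risk and mark whether its residual score is within appetite.

    A risk that is not within appetite needs either additional controls or an
    explicit, documented acceptance by the risk owner.
    """
    rows = []
    for r in risks:
        inherent = r.inherent_score()
        residual = r.residual_score()
        rows.append({
            "name": r.name,
            "inherent": inherent,
            "inherent_rating": rating(inherent),
            "residual": residual,
            "residual_rating": rating(residual),
            "within_appetite": residual <= appetite,
        })
    return rows


# Constructed sample register built from the article's own example risks.
# Ratings and control-effectiveness values are illustrative, not measured.
SAMPLE_RISKS = [
    Risk("Weak password practices", "major", "likely", control_effectiveness=0.75),
    Risk("Email phishing", "major", "almost certain", control_effectiveness=0.6),
    Risk("Accidental file deletion", "moderate", "possible", control_effectiveness=0.8),
]
RISK_APPETITE = 6.0  # assumed: residual scores above this are not accepted by default

if __name__ == "__main__":
    for row in review_register(SAMPLE_RISKS, RISK_APPETITE):
        flag = "ok" if row["within_appetite"] else "EXCEEDS APPETITE"
        print(f'{row["name"]:<26} inherent={row["inherent"]:>2} ({row["inherent_rating"]})  '
              f'residual={row["residual"]:>4.1f} ({row["residual_rating"]})  {flag}')
```

Run as a script, the register shows that phishing keeps a Medium residual score of 8.0 even after controls worth a 60% reduction are credited, which is above the assumed appetite of 6.0. That is the situation the article describes: a risk that controls reduce but cannot eliminate, and which therefore has to be either reduced further or consciously accepted and monitored.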
In the finance sector, one approach to assessing inherent risk is through the Cybersecurity Framework established by the Federal Financial Institutions Examination Council (FFIEC). The FFIEC has created an assessment protocol that assists financial organizations in evaluating their risk levels to develop an inherent risk profile.
Additionally, inherent risks can stem from external elements such as vendors, third parties, or service providers that have access to your network. Measuring these risks can be challenging, as it requires a deep understanding of each third party's security programs. The most effective way to assess third-party inherent risks is by using an attack surface monitoring solution.
Conclusion
Inherent risk and residual risk are both critical in understanding and managing security in software development. Inherent risk, or risk inherent to the process itself, is the baseline level of exposure without controls, while residual risk is what remains after mitigations. The difference lies in the impact and likelihood before and after security measures are applied.
Effective risk mitigation starts with identifying inherent risks and implementing strong controls to minimize residual risks. Continuous assessment, adapting controls, and aligning residual risk with organizational risk appetite will help you stay ahead in protecting your applications from evolving security threats.
However, the best way to detect these issues early in the SDLC and threat modeling is through the addition of security design reviews. They help to identify potential risks and come up with adequate security measures, ensuring developers don't introduce these issues in the first place.
At Seezo.io, we simplify a key part of security: incremental threat modeling. By providing security requirements early in the process, Seezo helps prevent many vulnerabilities from being introduced into the code when implemented properly. This approach ensures that applications are built with security in mind from the start.
Take control of your threat posture with Seezo.io today. Here's a chance to book your first demo!