CISSP-ISSEP · Question #212
Which of the following statements is true about residual risks?
The correct answer is C. It is the probabilistic risk after implementing all security measures.. Residual risk is the risk that remains after an organization has implemented all planned security controls and safeguards. Option C is correct because no security program can eliminate 100% of risk - what's left over is the residual risk, and it's inherently probabilistic since t
Question
Which of the following statements is true about residual risks?
Options
- AIt can be considered as an indicator of threats coupled with vulnerability.
- BIt is a weakness or lack of safeguard that can be exploited by a threat.
- CIt is the probabilistic risk after implementing all security measures.
- DIt is the probabilistic risk before implementing all security measures.
How the community answered
(54 responses)- A4% (2)
- B7% (4)
- C87% (47)
- D2% (1)
Explanation
Residual risk is the risk that remains after an organization has implemented all planned security controls and safeguards. Option C is correct because no security program can eliminate 100% of risk - what's left over is the residual risk, and it's inherently probabilistic since threats and outcomes are uncertain.
Why the distractors are wrong:
- A describes risk itself (threat × vulnerability), not the residual portion specifically.
- B defines a vulnerability - a weakness that can be exploited - which is a component of risk, not residual risk.
- D describes inherent risk - the baseline risk before any controls are applied. Residual is the after picture, not the before.
Memory tip: Think of it like sunscreen. Inherent risk = chance of sunburn with no sunscreen. Residual risk = the remaining chance of sunburn after applying sunscreen. You reduced it, but it's not zero.
Topics
Community Discussion
No community discussion yet for this question.