Skip main navigation
We use cookies to give you a better experience, if that’s ok you can close this message and carry on browsing. For more info read our cookies policy.
We use cookies to give you a better experience. Carry on browsing if you're happy with this, or read our cookies policy for more information.

Unacceptable loss and residual risk

Our ultimate goal is to produce a fully secure app, but unfortunately we know that there is no such thing as a fully secure application.

It is therefore important to identify your unacceptable loss and residual risk.

Unacceptable loss

An unacceptable loss are those assets that must never be compromised. Securing these assets should be your top priority. The risk assessment should identify security controls (we will define what these are shortly) to eliminate the risk to these assets.

Residual risk

In real life scenarios security controls only mitigate and reduce the likelihood of an attack but do not entirely eliminate the risk. The risk that is still present even after applying the security control is known as the residual risk.

Acceptable risk

Residual risk is not the same as acceptable risk, which is the risk to assets that are not worth the resources that would have to be spent to secure them.

Is the residual risk an acceptable risk?

This is often the key judgement that must be made. Have we (through applying security controls) reduced the risk to a level that we consider acceptable?


There are links to more detailed information about unacceptable loss and residual risk available from the bottom of this page.


Share this article:

This article is from the free online course:

Secure Android App Development

University of Southampton

Contact FutureLearn for Support