Unacceptable loss and residual risk
Our ultimate goal is to produce a fully secure app, but unfortunately we know that there is no such thing as a fully secure application.
It is therefore important to identify your unacceptable loss and residual risk.
An unacceptable loss is the compromise of an asset that must never be compromised. Securing these assets should be your top priority. The risk assessment should identify security controls (we will define what these are shortly) to eliminate the risk to these assets.
In real-life scenarios, security controls only mitigate the risk and reduce the likelihood of an attack; they do not entirely eliminate it. The risk that is still present after a security control has been applied is known as the residual risk.
Residual risk is not the same as acceptable risk, which is the risk to assets that are not worth the resources that would have to be spent to secure them.
Is the residual risk an acceptable risk?
This is often the key judgement that must be made. Have we (through applying security controls) reduced the risk to a level that we consider acceptable?
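To make that judgement concrete, here is a small risk-register evaluator. It is an added example, not part of the course material, and it uses a deliberately simplified model: expected loss is likelihood multiplied by impact, each proposed control removes an assumed fraction of the remaining likelihood, and the organisation sets a single "appetite" (the residual expected loss it tolerates). The control names, costs, reduction fractions and the three sample risks are all constructed values. The evaluator applies the three ideas from the text: a risk whose controls would cost more than the asset's expected loss is an acceptable risk and is left untreated; an unacceptable-loss asset skips that cost test because securing it is the top priority; for everything else the residual risk is compared against the appetite.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Control:
    """A security control. Costs and reductions are constructed sample values."""
    name: str
    cost: float                  # resources needed to implement, in arbitrary budget units
    likelihood_reduction: float  # fraction of the remaining likelihood this control removes, 0..1


@dataclass
class Risk:
    """One threat against one asset, together with the controls proposed for it."""
    asset: str
    threat: str
    likelihood: float            # inherent likelihood of the threat succeeding (0..1), before controls
    impact: float                # loss if it succeeds, in the same budget units as control cost
    unacceptable_loss: bool = False
    controls: List[Control] = field(default_factory=list)


def inherent_risk(risk: Risk) -> float:
    """Expected loss with no controls applied."""
    return risk.likelihood * risk.impact


def residual_likelihood(risk: Risk) -> float:
    """Assumed model: each control independently removes its fraction of the remaining likelihood."""
    remaining = risk.likelihood
    for control in risk.controls:
        remaining *= 1.0 - control.likelihood_reduction
    return remaining


def residual_risk(risk: Risk) -> float:
    """Expected loss that remains after the proposed controls: the residual risk."""
    return residual_likelihood(risk) * risk.impact


def control_cost(risk: Risk) -> float:
    return sum(c.cost for c in risk.controls)


def assess(risk: Risk, appetite: float) -> Dict[str, object]:
    """Decide what to do with one risk; `appetite` is the residual expected loss the organisation tolerates."""
    inherent = inherent_risk(risk)
    cost = control_cost(risk)
    residual = residual_risk(risk)
    if not risk.unacceptable_loss and cost > inherent:
        # Acceptable risk: the asset is not worth the resources the controls would take.
        verdict = "ACCEPT_INHERENT"
    elif residual <= appetite:
        # The controls did not eliminate the risk, but what is left is within appetite.
        verdict = "ACCEPT_RESIDUAL"
    else:
        # Residual risk is still above appetite: more or stronger controls are needed.
        verdict = "TREAT_FURTHER"
    return {"asset": risk.asset, "inherent": inherent, "cost": cost,
            "residual": residual, "verdict": verdict}


def assess_all(risks: List[Risk], appetite: float) -> Dict[str, Dict[str, object]]:
    return {r.asset: assess(r, appetite) for r in risks}


# Constructed sample register (hypothetical controls, assets and numbers).
ENCRYPT_AT_REST = Control("encrypt database at rest", cost=40, likelihood_reduction=0.7)
MFA = Control("MFA on admin accounts", cost=20, likelihood_reduction=0.8)
WAF = Control("web application firewall", cost=30, likelihood_reduction=0.6)
PATCHING = Control("monthly patch cycle", cost=25, likelihood_reduction=0.5)

RISK_APPETITE = 15.0  # constructed: tolerated residual expected loss per risk

SAMPLE_RISKS = [
    Risk("customer_db", "bulk data theft", likelihood=0.1, impact=500,
         unacceptable_loss=True, controls=[ENCRYPT_AT_REST, MFA]),
    Risk("public_brochure", "defacement", likelihood=0.5, impact=10, controls=[WAF]),
    Risk("build_server", "compromise via unpatched service", likelihood=0.6, impact=200,
         controls=[PATCHING]),
]

if __name__ == "__main__":
    for row in assess_all(SAMPLE_RISKS, RISK_APPETITE).values():
        print(f"{row['asset']:16} inherent={row['inherent']:7.2f} cost={row['cost']:6.2f} "
              f"residual={row['residual']:7.2f} -> {row['verdict']}")
```

In the sample register the customer database is worth less on paper (expected loss 50) than its controls cost (60), so a plain cost test would leave it untreated; marking it as an unacceptable loss forces the controls on, and the residual risk of 3 then falls within appetite. The brochure site is an acceptable risk and stays uncontrolled, while the build server's single control leaves a residual of 60, well above appetite, so the judgement there is that further treatment is needed.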
There are links to more detailed information about unacceptable loss and residual risk available from the bottom of this page.
© University of Southampton 2017