Information Security Handbook 2009. (†485) "Inherent and Residual Risk." Information Security Handbook (ISRMC, 2009).
- inherent risk : The risk that an activity would pose if no controls or other mitigating factors were in place (the gross risk or risk before controls). . . Inherent Risk = Cost × Threat (†735)
- residual risk : The risk that remains after controls are taken into account (the net risk or risk after controls). . . . Residual Risk = Cost × Threat × Vulnerability. (†736)