# Inherent, Residual, Total Risk

One-sentence definition: Inherent = risk before controls; residual = risk after controls; total = residual plus risk introduced by controls.

## Key Facts

- Inherent informs baseline severity and prioritization.
- Residual must align with appetite; requires acceptance.
- Controls can add complexity/new risks (misconfig, vendor lock-in).
- Document deltas and assumptions; recalibrate after changes.
- Use for ROI and treatment selection decisions.
- **Verify:** check official (ISC)² CBK and current exam outline.

## Exam Relevance

- Choose whether a scenario describes inherent or residual risk.

**Mnemonic:** “**I → R (+C)**” → Inherent to Residual (plus Control risk).

## Mini Scenario

Q: DLP reduces data leak risk but adds false positives—what is that?

A: Control-introduced risk (part of total).

## Revision Checklist

- Define all three terms.
- Provide one example of control risk.
- Explain acceptance criteria.

## Related

[[Risk Analysis Metrics: SLE, ARO, ALE]] · [[Risk Register and Reporting]] · [[Risk Response Strategies]] · [[Security Control Assessment and Assurance]] · [[Security Metrics, KPIs, KRIs]] · [[Domain 1 - Index]]