**The system, method, and apparatus for measuring, modeling, reducing, and addressing cyber risk contains a process for determining residual risk. **

**You will learn:**

This process references US patents 11,379,773, 11,282,018, 10,453,016, 10,395,201, and 9,747,570.

The residual risk system, method, and apparatus is just one component of the entire system, method, and apparatus for measuring, modeling, reducing, and addressing cyber risk.

The residual risk component expands into a defined system, method, and apparatus for measuring, modeling, and reducing control deficiencies.

Residual risk expands into additional detail. (1) Residual risk model expands into a process that determines residual risk amongst the 110 risk scenarios. (2) Residual risk results expands into a sample output. (3) Residual risk ranking expands into a sample prioritization of residual risk. (4) Addressing residual risk expands into a sample set of decisions.

**Residual Risk Model**

This system, method, and apparatus processes the inherent risk model results and control effectiveness model results, using the formula, Inherent Risk x (1 – Control Effectiveness) = Residual Risk, for each of the 110 risk scenarios.

This system, method, and apparatus repeats the above logic for each of the 110 risk scenarios.

**Residual Risk Results**

This system, method, and apparatus displays the residual risk grid to the operator. This system, method, and apparatus uses the residual risk grid to prepare historical trends, maximum residual risk per threat category graphs, aggregate residual risk per threat category graphs, and top 5 residual risk scenarios.

This systems, method, and apparatus may use a color scale overlay to help the operator better see where high residual risk exists within the grid. Dark colors represent higher residual risk, while lighter colors represent lower residual risk.

This system, method, and apparatus supports current and monthly residual risk modeling, and results. As such, it is possible to generate residual risk trending based on shifts in threat, impact, control effectiveness due to historical and cyber risk intelligence data and operator inputs. A macro residual risk value is the average maximum residual risk amongst all threat categories.

This system, method, and apparatus generates maximum residual risk per each threat category. When viewed in graph format, the operator can see which maximum residual risks are most concerning.

**Residual Risk Ranking**

This system, method, and apparatus automatically ranks all residual risk results. The operator can use the rankings to reduce residual risk.

The operator may use the residual risk ranking to prioritize finite enterprise budget and other finite enterprise resources.

**Addressing Residual Risk**

This system, method, and apparatus automatically empowers the operator, with a residual risk grid, residual risk trend analysis, and residual risk rankings, to inform decisions regarding addressing residual risk.

If the residual risk conditions are undesirable to the enterprise, then the operator has several options for addressing residual risk.

In the above diagram, the operator may determine the residual risk condition is desirable. In such a case, the operator may select to accept the residual risk condition.

In the above diagram, the operator may determine the residual risk condition is undesirable. In such a case, the operator may select to reduce, transfer, or remove the residual risk. Residual risk mitigation may consist of blocking and monitoring threat using technology and/or implementing/improving controls (countermeasures), residual risk transfer may consist of transferring residual risk to a cyber insurance policy or 3rdparty via legal contract, and residual risk removal may consist of removing assets or record types associated with high residual risk conditions.

With the use of system, method, and apparatus, an enterprise could achieve automatic decision analysis and near real time addressing of residual risk.

## Comments