(threats x vulnerability x asset value) x control gap-residual risk is the amount of risk remaining after the countermeasure has been implemented. To figure out the actual resdidual risk, the team must identify and calculate the risk, which is: threats x vulnerability x asset value. Then, the team must calculate the control gap, which is what the countermeasure cannot provide protection for. The result is residual risk. a company must decide if the residual risk falls within their acceptable level or risk. If it does, and a cost-benefit analysis has been carried out, then the countermeasure can be purchased and installed.
