Page 95 - CISSO_Prep_ Guide
In other words, the cost of the control should be significantly less than the value (benefit) provided by the control. A control cannot remove all risk; there will always be a remaining level of risk to the organization. This is the residual risk. The purpose of the risk mitigation effort should be to reduce the residual risk to a level that is equal to or less than the acceptable risk. Please note that residual risk is not the same term as risk acceptance. Residual risk is the total risk less the effectiveness of the control, that is, the risk that remains after implementing a control. In contrast, risk acceptance is the threshold or level of risk that senior management is willing to accept. The goal of a risk mitigation effort is to ensure that the residual risk is no more than the risk acceptance level set by management.
Most risk controls address a vulnerability and will reduce either the likelihood or the impact of an adverse incident. A fire extinguisher, for example, does not reduce the likelihood of a fire; it only contains the amount of damage a fire may cause. A no-smoking policy in an area where flammable gases are present reduces the likelihood of fire but does not reduce the impact if there were to be a fire. It is practically impossible to eliminate the threats; those will continue to exist. All the analyst can hope for is to reduce the ability of that threat to pose an unacceptable level of risk to the organization.
As seen earlier in the chapter, a control may be administrative (managerial), technical (logical), or physical. A good control is one that reduces risk but does not cause an undue impact on the operations of the organization.
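The following is an added worked example, not from the guide, that puts the three ideas above into numbers: residual risk as total risk less control effectiveness, the test that residual risk must not exceed management's acceptance level, and the cost-versus-benefit test for each control. It assumes a simple multiplicative model in which a control scales likelihood or impact (the page gives no formula); the fire figures, costs and the acceptance level are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Control:
    name: str
    category: str                    # administrative, technical, or physical
    annual_cost: float
    likelihood_factor: float = 1.0   # multiplies likelihood; 1.0 = no change
    impact_factor: float = 1.0       # multiplies impact; 1.0 = no change

@dataclass
class Risk:
    name: str
    likelihood: float                # expected occurrences per year
    impact: float                    # loss per occurrence

def residual_risk(risk: Risk, controls) -> float:
    """Risk left after the controls: total risk less control effectiveness."""
    likelihood, impact = risk.likelihood, risk.impact
    for c in controls:
        likelihood *= c.likelihood_factor
        impact *= c.impact_factor
    return likelihood * impact

def evaluate(risk: Risk, controls, acceptable_risk: float) -> dict:
    """Apply the two tests the text describes: cost < benefit, residual <= acceptance level."""
    total = risk.likelihood * risk.impact           # expected annual loss with no control
    residual = residual_risk(risk, controls)
    benefit = total - residual                      # annual loss the controls avoid
    cost = sum(c.annual_cost for c in controls)
    return {
        "total": total, "residual": residual, "benefit": benefit, "cost": cost,
        "cost_justified": cost < benefit,
        "within_acceptance": residual <= acceptable_risk,
    }

# Constructed figures for illustration only; they are not from the guide.
FIRE = Risk("fire in solvent store", likelihood=0.1, impact=500_000.0)
EXTINGUISHER = Control("fire extinguishers", "physical", 2_000.0, impact_factor=0.2)       # limits damage, not likelihood
NO_SMOKING = Control("no-smoking policy", "administrative", 500.0, likelihood_factor=0.5)  # cuts likelihood, not damage
ACCEPTABLE = 12_000.0   # assumed risk acceptance level set by management (annual loss)

def fire_scenario() -> dict:
    """Compare each control alone with both together against the acceptance level."""
    return {
        "extinguisher_only": evaluate(FIRE, [EXTINGUISHER], ACCEPTABLE),
        "policy_only": evaluate(FIRE, [NO_SMOKING], ACCEPTABLE),
        "both": evaluate(FIRE, [EXTINGUISHER, NO_SMOKING], ACCEPTABLE),
    }
```

With these figures the policy alone is cost-justified yet leaves residual risk above the acceptance level, which shows why both tests must pass before a mitigation effort is complete.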