Residual Offset
Residual offset is a constant added to a risk's exposure score that represents the irreducible component of that threat — the part no control fully removes. Examples: zero-day exploitation carries an offset of 30 (R07) and vendor lock-in carries an offset of 50 (R19). The concept maps to residual risk in NIST and ISO frameworks: even a maxed-out program still carries some baseline exposure.
Where this term fits in a CISO program
Residual Offset is one of 35 cybersecurity strategy concepts that CISO Game models live. It appears throughout the simulation (in the risk register, the investment catalog, and the mechanics reference), so a player encounters the concept in context rather than as an isolated definition.
See it in play
The fastest way to internalize Residual Offset is to watch it move during a 5-year program. Start a free CISO Game run to see how this concept interacts with budget, hiring, and incident response across 20 quarters of strategic play.
Related glossary terms
- Recovery: The posture pillar measuring how fast you can restore business operations after …
- Regulator Clock: Disclosure deadlines that start counting down the moment you confirm a material …
- Response: The posture pillar that measures how decisively your team contains and remediate…
- Risk Exposure: A 0–100 number per tracked risk indicating residual likelihood × impact after cu…