Quiz Entry - updated: 2026.06.20
What should happen to residual risks after threat modeling?
Escalate them to management to decide whether the unmitigated threat is acceptable — accepting risk is a business call, not a developer's.
Residual risks (threats you can't fully mitigate) should be escalated for management review to determine if the unmitigated threat is acceptable to the project as a whole.
Benefits of threat modeling for the whole team:
- Raised awareness of design and implementation implications
- Higher overall code quality
- Greater management visibility of security controls
Key point: Security decisions about acceptable risk are business decisions, not just technical ones.