AP Cybersecurity Unit 2 Lesson 4 Exercise 2


Exercise 2 — Risk Register Development

3 parts, 24 points — Build and prioritize a risk register for Ironclad Distribution

Client Organization
Ironclad Distribution Center

Ironclad’s CISO needs you to build a risk register covering the distribution center’s top threats. For each risk, you will assess likelihood and impact, recommend a treatment, and justify its prioritization.

Part 1
Scenario: Identifying and Rating Risks
Ironclad faces three primary risks: (1) Ransomware attack on inventory system (previous attack cost $2.1M). (2) Insider theft of shipping manifest data (contains customer addresses and shipment values). (3) Power outage during peak shipping season (each hour of downtime costs $87,500).
8 points
1a. For each risk, assign a likelihood (1-5) and impact (1-5) rating and calculate the risk score. Justify your ratings.
Key terms: likelihood, impact, score, multiply, previous, history, cost, million, high, critical, moderate, season, customer, data
Model Response:
Risk 1 — Ransomware: Likelihood 4 (High — already happened once, industry targeting is increasing), Impact 5 (Critical — $2.1M cost, full operational shutdown). Score: 20/25.
Risk 2 — Insider theft: Likelihood 3 (Moderate — insider threats are always present but require specific motivation), Impact 3 (Moderate — manifest data is sensitive but not as costly as full system encryption). Score: 9/25.
Risk 3 — Power outage: Likelihood 3 (Moderate — depends on infrastructure reliability and weather), Impact 4 (High — $87.5K/hour during peak season adds up quickly). Score: 12/25.
Priority order: Ransomware (20) > Power outage (12) > Insider theft (9).
Part 2
Scenario: Recommending Risk Treatments
For each of the three risks rated in Part 1, recommend the most appropriate risk treatment (Mitigate, Transfer, Accept, or Avoid) and explain why.
8 points
2a. Assign a treatment type and specific action for each risk.
Key terms: mitigate, transfer, accept, avoid, EDR, backup, insurance, access control, DLP, UPS, generator, monitor, encrypt, segment
Model Response:
Risk 1 — Ransomware: Mitigate + Transfer. Deploy EDR, network segmentation, and offline backups (mitigate). Purchase cyber insurance covering ransomware losses (transfer residual risk).
Risk 2 — Insider theft: Mitigate. Implement DLP to detect bulk data downloads, enforce role-based access controls limiting manifest access to need-to-know staff, and enable audit logging on all manifest queries.
Risk 3 — Power outage: Mitigate. Install UPS for immediate failover and a diesel generator for sustained outages. Test failover monthly during non-peak periods.
Part 3
Scenario: Cost-Benefit Analysis
The ransomware risk has an ALE of $840,000. The proposed countermeasure package (EDR + backups + segmentation) costs $275,000/year. Cyber insurance costs $180,000/year.
8 points
3a. Calculate whether the combined countermeasure + insurance investment is financially justified and explain your reasoning.
Key terms: ALE, cost, investment, justified, less than, savings, return, reduce, $840K, $275K, $180K, $455K, net benefit
3b. Explain what residual risk remains after implementing both the technical controls and insurance, and whether Ironclad should accept it.
Key terms: residual, remain, zero-day, novel, bypass, evolve, accept, monitor, review, annual, threshold, board
Model Response: Total investment: $275K + $180K = $455K/year. ALE: $840K/year. Net benefit: $840K - $455K = $385K/year in expected risk reduction. The investment is financially justified because it costs $455K to avoid $840K in expected annual losses.

Residual risks: (1) Zero-day ransomware that evades EDR detection. (2) Backup corruption if the attacker gains persistent access before backups rotate. (3) Insurance claim denial if Ironclad fails to meet policy compliance requirements. (4) Novel attack techniques that evolve beyond current controls. These residual risks should be formally accepted by the board after documented review, with a commitment to reassess annually and adjust controls as the threat landscape evolves.
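Added example (not part of the original exercise): a small Python risk register that reproduces the Part 1 scores and priority order and the Part 3 cost-benefit figure. It goes one step beyond the exercise with an `effectiveness` parameter, an assumption introduced here for the fraction of the ALE that the controls and insurance actually remove; all class and function names are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int  # 1-5 rating
    impact: int      # 1-5 rating

    def __post_init__(self):
        for field in ("likelihood", "impact"):
            value = getattr(self, field)
            if not 1 <= value <= 5:
                raise ValueError(f"{self.name}: {field} must be 1-5, got {value}")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact  # out of 25

def prioritize(risks):
    """Highest score first; equal scores are ordered by impact."""
    return sorted(risks, key=lambda r: (r.score, r.impact), reverse=True)

def net_benefit(ale, annual_cost, effectiveness=1.0):
    """Expected annual loss avoided minus annual spend.

    effectiveness is an assumed fraction (0-1) of the ALE that the controls
    and insurance actually remove; 1.0 treats the whole ALE as avoided,
    which is what the Part 3 model response does.
    """
    if not 0.0 <= effectiveness <= 1.0:
        raise ValueError("effectiveness must be between 0 and 1")
    return ale * effectiveness - annual_cost

def break_even_effectiveness(ale, annual_cost):
    """Fraction of the ALE that must be avoided for the spend to pay off."""
    return annual_cost / ale

# Ratings and dollar figures taken from the exercise's model responses.
REGISTER = [
    Risk("Insider theft of manifest data", 3, 3),
    Risk("Power outage in peak season", 3, 4),
    Risk("Ransomware on inventory system", 4, 5),
]
ALE = 840_000
ANNUAL_COST = 275_000 + 180_000  # countermeasure package + cyber insurance

if __name__ == "__main__":
    for risk in prioritize(REGISTER):
        print(f"{risk.score:>2}/25  {risk.name}")
    print(f"Net benefit at 100%: ${net_benefit(ALE, ANNUAL_COST):,.0f}")
    print(f"Break-even effectiveness: {break_even_effectiveness(ALE, ANNUAL_COST):.1%}")
```

With these figures the $455K/year spend pays off only if more than about 54% of the expected annual loss is actually avoided, which is why the residual risks listed in 3b matter to the justification.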
AP Cybersecurity 2.4 Exercise 2 | APCSExamPrep.com
AP® is a registered trademark of the College Board.
