AP Cybersecurity Unit 2 Lesson 4 Lab


Lab — Operation Risk Map: Risk Assessment Investigation

6 steps, 30 points — Mixed formats: matching, fill-blank, select-all, MCQ, and written analysis

Investigation Target
Pinnacle Wealth Advisors

Pinnacle suffered a data breach despite completing a risk assessment 6 months ago. The board wants to know why. You are auditing the methodology: scope, threat identification, risk scoring, control selection, and implementation tracking.

Step 1: Matching
Classify Risk Treatment Decisions
Pinnacle documented three risk treatments. Match each to its type.
Think first: Mitigate = reduce with controls. Transfer = shift to third party. Accept = acknowledge, no action.
Deployed EDR on trading workstations to detect ransomware
Purchased $50M cyber insurance from a major insurer
Rated phishing as “Low” and took no action
EDR deployment = Mitigate (reduce with technology). Insurance = Transfer (shift financial risk to insurer). No action on phishing = Accept (acknowledge without controls).
Exam Tip: Four treatments: Mitigate (reduce), Transfer (shift), Accept (acknowledge), Avoid (eliminate activity). “Accept” is valid only for low-risk items below the organization’s risk appetite threshold.
Step 2: Fill in the Blank
Complete Risk Assessment Vocabulary
Fill in the correct risk assessment term for each blank.
Think first: These are the core formulas and concepts tested on the exam.

(1) The cost per incident is Single Loss ______ (SLE).

(2) ALE = SLE × Annual Rate of ______ (ARO).

(3) Risk after controls are applied is called ______ risk.

(4) Rating risks as High/Medium/Low is a ______ method.

(5) Overriding the evidence with "it won't happen to us" is ______ bias.

Answers: (1) Expectancy. (2) Occurrence. (3) Residual. (4) Qualitative. (5) Optimism.
Exam Tip: ALE = SLE × ARO is the most-tested quantitative formula. Residual risk always exists: no control reduces risk to zero. Optimism bias is the most common assessment pitfall, because it lowers the likelihood rating and so the ALE without any evidence.
Step 3: Select All That Apply
Identify Risk Register Problems
Pinnacle listed “firewall” as the sole control for 34 of 40 risks. Select ALL problems.
Think first: What happens when one device is responsible for 85% of your risk mitigation?
Correct: single point of failure (A), no control diversity (B), and attack-vector mismatch (D). A perimeter firewall only mitigates traffic that crosses it; it does nothing against vectors such as phishing, which this same assessment rated "Low" and left untreated. Wrong: "Too many controls" (C) misidentifies the problem, since the issue is too FEW control types. Firewalls (E) are valid controls, just not the only one needed.
Exam Tip: If your risk register shows the same control for most risks, the assessment has failed. Diverse controls = diverse failure modes = no single point of failure.
Step 4: Multiple Choice
Identify the Root Cause
The assessment had: narrow scope, optimism bias, single-control reliance, and unimplemented recommendations. What was the root cause?
Predict first: What organizational attitude produces ALL of these failures simultaneously?
B is correct. The pattern — narrow scope, biased scoring, single control, no implementation — reveals a compliance-driven exercise. The assessment existed on paper but was never intended to drive real security decisions.
Exam Tip: Root cause of assessment failures is almost always organizational: treating risk assessment as paperwork rather than a decision-making tool. Well-executed assessments DO reduce breach probability.
Step 5: Analysis
Calculate Cost-Benefit
ALE: $840K/year. Proposed controls: $275K (EDR+backups) + $180K (insurance) = $455K/year total.
5a. Is the $455K investment financially justified?
5b. What residual risks remain after both controls and insurance?
Key terms: zero-day, novel, bypass, evolve, claim denial, compliance, residual, accept, board, reassess
B is correct. $455K < $840K, a net benefit of $385K per year if the controls remove the whole loss. Residual risks: zero-day ransomware evading EDR, backup corruption from an attacker with persistent access, insurance claim denial for failing the policy's security conditions, and novel techniques evolving beyond current controls. The board must formally accept the residual risk.
Exam Tip: ALE justifies security spending: if a control's annual cost is less than the ALE reduction it produces, the investment is rational. The simple $455K versus $840K comparison assumes the controls eliminate the loss entirely; the stricter check is cost versus (ALE before minus ALE after), and whatever ALE remains is residual risk that must be formally accepted, not ignored.
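The three quantitative ideas in this lab (ALE = SLE × ARO from Step 2, the over-concentrated register from Step 3, and the cost-benefit check from Step 5) fit in one small script. The following is an added example, not part of the original lab or Pinnacle's data: the register entries, their SLE/ARO values, and the control-effectiveness percentages are constructed for illustration; only the $840K ALE and $455K control cost come from Step 5.

```python
"""Risk register checks for the Pinnacle investigation.

Added example (not part of the original lab): computes ALE = SLE x ARO per
risk, flags a register that leans on one control, and runs the Step 5
cost-benefit with an explicit control-effectiveness assumption. All figures
other than the lab's $840K ALE and $455K control cost are constructed.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    sle: float        # Single Loss Expectancy: cost per incident ($)
    aro: float        # Annual Rate of Occurrence: expected incidents per year
    controls: tuple   # controls listed for this risk in the register

    @property
    def ale(self) -> float:
        """Annualized Loss Expectancy = SLE x ARO."""
        return self.sle * self.aro


def total_ale(risks) -> float:
    """Sum of ALE across the register."""
    return sum(r.ale for r in risks)


def sole_control_share(risks) -> dict:
    """Fraction of risks for which each control is the ONLY listed control."""
    counts = Counter(r.controls[0] for r in risks if len(set(r.controls)) == 1)
    return {c: k / len(risks) for c, k in counts.items()}


def concentration_findings(risks, limit=0.5) -> list:
    """Return (control, share) pairs where one control is the sole mitigation
    for more than `limit` of the register: a single point of failure."""
    return [(c, s) for c, s in sole_control_share(risks).items() if s > limit]


def cost_benefit(ale_before: float, cost: float, effectiveness: float) -> dict:
    """Compare annual control cost with the ALE *reduction* the controls buy.

    `effectiveness` is the assumed fraction of ALE the controls remove (0..1);
    what remains is the residual ALE someone must formally accept.
    """
    residual_ale = ale_before * (1.0 - effectiveness)
    reduction = ale_before - residual_ale
    net = reduction - cost
    return {
        "residual_ale": residual_ale,
        "ale_reduction": reduction,
        "net_benefit": net,
        "rosi": net / cost,   # return on security investment
        "justified": net > 0,
    }


# Constructed register (not Pinnacle's data): 34 of 40 risks carry "firewall"
# as their only control, mirroring Step 3, plus 6 risks with layered controls.
REGISTER = [
    Risk("Ransomware on trading workstations", 1_500_000, 0.2, ("firewall", "EDR", "backups")),
    Risk("Phishing credential theft", 120_000, 3.0, ("MFA", "training")),
    Risk("Backup corruption", 400_000, 0.1, ("backups", "offline copy")),
    Risk("Stolen laptop", 60_000, 0.5, ("disk encryption", "MDM")),
    Risk("Cloud storage misconfiguration", 250_000, 0.4, ("firewall", "CSPM")),
    Risk("Insider data exfiltration", 300_000, 0.2, ("DLP", "access review")),
] + [Risk(f"Perimeter risk {i:02d}", 50_000, 0.1, ("firewall",)) for i in range(34)]


if __name__ == "__main__":
    print(f"Register ALE: ${total_ale(REGISTER):,.0f}")
    for control, share in concentration_findings(REGISTER):
        print(f"Single point of failure: '{control}' is the sole control on {share:.0%} of risks")
    # Step 5 figures from the lab, with assumed (constructed) effectiveness values
    for eff in (1.0, 0.7, 0.5):
        r = cost_benefit(840_000, 455_000, eff)
        print(f"effectiveness {eff:.0%}: net ${r['net_benefit']:,.0f}, justified={r['justified']}")
```

Running it reports the firewall as sole control on 85% of the register, and shows why the effectiveness assumption matters: at 100% effectiveness the $455K spend nets $385K, at 70% it still nets about $133K, but at 50% the ALE reduction ($420K) no longer covers the cost and the investment is not justified on these numbers alone.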
Step 6: Written Response
Write the Assessment Improvement Plan
Write three specific improvements to Pinnacle’s risk assessment process. Each must address a failure identified in this investigation.
Key terms: scope, remote, all environments, data-driven, evidence, industry, diverse controls, owner, deadline, budget, track, implement, continuous, trigger-based
Model: 1: Expand scope to include all environments (remote, cloud, mobile) — addresses the narrow scope that excluded the attack vector. 2: Replace subjective scoring with evidence-based ratings using industry data and pen test results — addresses optimism bias. 3: Require every recommendation to have an assigned owner, deadline, and budget with monthly tracking — addresses unimplemented controls.
Exam Tip: Assessment improvements must be process changes, not just technical fixes. Expand scope, use evidence over opinion, and enforce implementation accountability.
AP Cybersecurity 2.4 Lab | APCSExamPrep.com | Built by Tanner Crow, AP CS Teacher (11+ years)
AP® is a registered trademark of the College Board.