Risk Assessment & Risk Strategies | AP Cybersecurity

Unit 2 • Topic 2.1 • Cyber Foundations

Cybersecurity Risk Assessment & Risk Strategies Explained

Risk occurs when a threat can exploit a vulnerability to compromise an asset. Topic 2.1 asks you to describe the risk-assessment process and identify strategies for handling risk once it is measured.

Risk = threat + vulnerability + asset
2 factors: likelihood, severity
4 risk strategies
Likelihood (how likely is the exploit?) vs. severity (how bad is the impact?)
Risk weighs likelihood against severity; high-high means high risk.

How risk is assessed

Risk exists when a threat can exploit a vulnerability to compromise an asset. An asset is anything valuable: data, money, intellectual property, infrastructure, physical property, or reputation.

Assessment weighs two factors: the likelihood that a vulnerability is exploited and the severity of the resulting attack. High likelihood plus high severity equals high risk.

Scenario

A server holding customer data has an unpatched flaw that attackers are actively exploiting. Is this high or low risk?

Answer: High risk. The likelihood is high (actively exploited) and the severity is high (customer data is a valuable asset), so both factors point to high risk.

Exam tip

Remember the formula in words: risk rises when a likely exploit meets a severe consequence. Both factors matter, not just one.

The four risk strategies

Once risk is assessed, an organization chooses a response. Avoidance stops the risky activity entirely. Transference shifts the burden to another party, such as insurance. Mitigation implements security controls to reduce the risk.

Whatever is left after a strategy is applied is residual risk, which an organization may choose to accept. Choices are also shaped by cost: you do not spend more protecting an asset than it is worth.

Scenario

A company buys cyber insurance to cover potential breach costs. Which risk strategy is this?

Answer: Risk transference. The company shifts the financial burden of the risk to the insurer rather than removing or reducing the risk itself.

Real-world example

Why patching is risk-based

Teams cannot fix every flaw at once, so they rank by likelihood times severity: an actively exploited flaw on a critical server is patched before a low-severity one. That ranking is risk assessment driving action.

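The ranking described above, worked through as a small model. This is an added example, not code from the AP Cybersecurity page: the 1-to-5 likelihood and severity scales, the sample findings, their dollar figures and the `control_effect` field are all constructed assumptions.

```python
# Added example (not from the page): rank findings by likelihood x severity,
# compute the residual risk a control leaves behind, and apply the page's
# cost rule (do not spend more protecting an asset than it is worth).
from dataclasses import dataclass


@dataclass
class Finding:
    name: str
    likelihood: int          # assumed scale: 1 = rare ... 5 = actively exploited
    severity: int            # assumed scale: 1 = negligible ... 5 = critical asset loss
    asset_value: float       # constructed dollar value of the asset at stake
    control_cost: float      # constructed cost of the patch or control
    control_effect: float    # fraction of likelihood the control removes (0..1)


def risk_score(f: Finding) -> int:
    """Risk weighs likelihood against severity; both must be high for high risk."""
    return f.likelihood * f.severity


def rank_for_patching(findings: list[Finding]) -> list[str]:
    """Patch order: highest likelihood x severity first."""
    return [f.name for f in sorted(findings, key=risk_score, reverse=True)]


def residual_risk(f: Finding) -> float:
    """Risk left after the control is applied; this is what may be accepted."""
    return f.likelihood * (1.0 - f.control_effect) * f.severity


def choose_strategy(f: Finding) -> str:
    """Mitigate unless the control costs more than the asset is worth."""
    if f.control_cost > f.asset_value:
        return "accept"      # protection should not cost more than the asset
    return "mitigate"


# Constructed sample findings (not real flaws, hosts or prices).
FINDINGS = [
    Finding("customer-db: unpatched, actively exploited flaw", 5, 5, 500_000, 2_000, 0.9),
    Finding("intranet wiki: low-severity info leak", 2, 1, 5_000, 200, 0.5),
    Finding("test-lab printer: remote crash bug", 3, 2, 300, 1_200, 1.0),
]

if __name__ == "__main__":
    for name in rank_for_patching(FINDINGS):
        f = next(x for x in FINDINGS if x.name == name)
        print(f"{name}: risk={risk_score(f)} -> {choose_strategy(f)}, "
              f"residual={residual_risk(f):.1f}")
```

Note that the printer bug ranks above the wiki leak on score alone, yet the cost rule turns it into accepted risk because the fix costs more than the device is worth.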

Key Terms

Risk A threat exploiting a vulnerability to compromise an asset.
Asset Anything valuable: data, money, infrastructure, reputation.
Mitigation Reducing risk by adding security controls.
Transference Shifting the risk burden to another party, like insurance.
Residual risk The risk that remains after a strategy is applied.


Common Mistakes

Judging risk by one factor

Risk needs both likelihood and severity. A severe but near-impossible event is not automatically high risk.

Confusing mitigation with avoidance

Mitigation reduces risk with controls; avoidance stops the activity altogether.

Forgetting residual risk

Controls rarely eliminate risk; what remains is residual risk that may be accepted.

Overspending on low-value assets

Protection should not cost more than the asset is worth.

Check for Understanding

Question 1
Risk exists when:
Answer: A. Risk is the combination of a threat, a vulnerability it can exploit, and a valuable asset at stake.

Question 2
A company stops offering a feature because it is too risky to secure. Which strategy?
Answer: C. Stopping the risky activity entirely is risk avoidance.

Question 3
Risk assessment weighs which two factors?
Answer: B. Assessment considers the likelihood of exploitation and the severity of the resulting attack.

Question 4
Which are recognized risk strategies? I. Avoidance. II. Transference. III. Mitigation.
Answer: D. Avoidance, transference, and mitigation are all risk strategies, along with accepting residual risk.

Question 5
After applying controls, the risk that still remains is called:
Answer: A. Residual risk is what remains after a risk strategy has been applied.

Question 6
Buying insurance to cover breach costs is an example of:
Answer: C. Shifting the financial burden to another party, such as an insurer, is transference.

Frequently Asked Questions

It identifies where a threat can exploit a vulnerability to compromise an asset, and weighs the likelihood of exploitation against the severity of the attack.
Avoidance (stop the activity), transference (shift the burden, e.g., insurance), mitigation (add controls), and accepting residual risk.
Residual risk is the risk that remains after a strategy such as mitigation has been applied; an organization may choose to accept it.
