---
title: "AP Cybersecurity Risk Assessment Guide: Analyze Risk Workflow"
description: "Practice Skill Category 1 with a step-by-step risk assessment workflow covering assets, vulnerabilities, threats, likelihood, impact, mitigation, and documentation."
canonical: "https://fiveable.me/ap-cybersecurity/cybersecurity-scenario-practice/cybersecurity-risk-assessment-guide/study-guide/VK45CeQeJrcZRU2RKZXZ"
type: "study-guide"
subject: "AP Cybersecurity"
unit: "Cybersecurity Scenario Practice"
lastUpdated: "2026-06-18"
---

# AP Cybersecurity Risk Assessment Guide: Analyze Risk Workflow

## Summary

Practice Skill Category 1 with a step-by-step risk assessment workflow covering assets, vulnerabilities, threats, likelihood, impact, mitigation, and documentation.

## Guide

Risk assessment is the engine that drives Skill Category 1, Analyze Risk, and it shows up in every unit of [AP Cybersecurity](/ap-cybersecurity "fv-autolink"). This guide gives you a repeatable workflow for moving from a raw scenario to a documented [risk](/ap-cybersecurity/key-terms/risk "fv-autolink") statement, so you can handle multiple-choice items and scenario prompts no matter which domain they target.

The core idea from [Unit 2](/ap-cybersecurity/unit-2 "fv-autolink") stays constant across the whole course: risk occurs when a [threat](/ap-cybersecurity/key-terms/threat "fv-autolink") can exploit a vulnerability to compromise an asset. Once you internalize that sentence, you can apply the same reasoning to a physical space, a network, a device, or stored data.

## Where Risk Assessment Shows Up

Skill Category 1 carries 25 to 40 percent of the multiple-choice section, which makes it one of the heaviest skill weightings on the exam. Every content unit reuses these skills, so you practice Analyze Risk in physical spaces (Unit 2), networks ([Unit 3](/ap-cybersecurity/unit-3 "fv-autolink")), devices ([Unit 4](/ap-cybersecurity/unit-4 "fv-autolink")), and applications and data (Unit 5).

The four skills in this category build a clear sequence:

| Skill | What it asks you to do |
|:--|:--|
| 1.A | Identify vulnerabilities, threats, and attack methods, and explain how they generate risk |
| 1.B | Determine ways adversaries exploit vulnerabilities to compromise an asset |
| 1.C | Evaluate the likelihood and impact of risks |
| 1.D | Document the likelihood and impact of risks |

Skills 1.A, 1.C, and 1.D are explicitly framed as work you do with and without the support of AI. That phrasing matters: you should be able to reason through risk yourself, and also recognize when an AI-powered tool is flagging or scoring risks for you to review.

## The Core Vocabulary, Used Together

These terms have individual key-term pages, so here the goal is showing how they connect in one chain rather than defining each in isolation.

An [asset](/ap-cybersecurity/key-terms/asset) is anything valuable: financial resources, intellectual property, data, [digital infrastructure](/ap-cybersecurity/unit-1/leveraging-ai-in-cyber-defense/study-guide/uvMQfHoviL6tgFrEstZ8 "fv-autolink"), physical property, or reputation. A [vulnerability](/ap-cybersecurity/key-terms/vulnerability) is a weakness that can be taken advantage of. A [threat](/ap-cybersecurity/key-terms/threat) is something that could exploit that weakness, and the attack method is the specific technique an [adversary](/ap-cybersecurity/key-terms/adversary "fv-autolink") uses to do it.

Put them in motion: a threat actor uses an attack method to exploit a vulnerability and compromise an asset. That compromise has a [likelihood](/ap-cybersecurity/key-terms/likelihood) (how probable the exploit is) and an impact (the [severity](/ap-cybersecurity/key-terms/severity "fv-autolink") of projected damage). Together, [likelihood](/ap-cybersecurity/key-terms/likelihood "fv-autolink") and impact define the level of [risk](/ap-cybersecurity/key-terms/risk).

After you choose a control, the risk that remains is [residual risk](/ap-cybersecurity/key-terms/residual-risk). No control reduces risk to zero, so part of analysis is being honest about what is still exposed.

## A Repeatable Risk Assessment Workflow

Use this seven-step flow on any scenario, then adapt the vocabulary to the unit's domain.

1. **Name the asset.** What is valuable here, and why? In Unit 5, proprietary R&D files on an air-gapped computer are the asset. In Unit 3, patient records on an internal file server are the asset.
2. **Find the vulnerability.** Look for the weakness in the configuration, policy, or physical layout. [Weak access control](/ap-cybersecurity/unit-5/application-and-data-vulnerabilities-and-attacks/study-guide/T25I7qaDw4w4XT1rkAYr "fv-autolink") settings, an unpatched device, or an unlocked entry point all qualify.
3. **Identify the threat and attack method.** Decide who would attack and how. Match the attack method to the vulnerability, such as an [online password attack](/ap-cybersecurity/key-terms/online-password-attack "fv-autolink") against [weak authentication](/ap-cybersecurity/key-terms/weak-authentication "fv-autolink") or SQL injection against unvalidated input.
4. **Explain how risk is generated (Skill 1.A and 1.B).** State the chain explicitly: this threat could use this method against this vulnerability to compromise this asset.
5. **Evaluate likelihood and impact (Skill 1.C).** Rate how probable the exploit is and how severe the damage would be. A vulnerability that is easy to exploit and damages a high-value asset is high risk.
6. **Recommend mitigation.** Choose a security control that reduces likelihood, impact, or both. Tie the control directly to the vulnerability you found.
7. **Document [residual risk](/ap-cybersecurity/key-terms/residual-risk "fv-autolink") (Skill 1.D).** Record the likelihood and impact, the chosen control, and what risk remains after the control is applied.

## Worked Mini-Example

Scenario: a drop-in office computer for daily visitors has no account-lockout policy and accepts weak passwords.

- **Asset:** the shared computer and any accounts or data reachable from it.
- **Vulnerability:** weak authentication, no lockout after failed attempts.
- **Threat and attack method:** an adversary runs an online password attack, trying common passwords and patterns repeatedly.
- **How risk is generated:** because failed attempts are unlimited, an attacker can keep guessing until a weak [password](/ap-cybersecurity/unit-1/suspicious-website-logins/study-guide/zppDvyHLHIUFzT3MNwAN "fv-autolink") works, compromising the account.
- **Likelihood:** high, since automated guessing is cheap and the vulnerability is open.
- **Impact:** moderate to high, depending on what the account can access.
- **Mitigation:** configure [password complexity](/ap-cybersecurity/unit-4/authentication/study-guide/8fehxw1s1LZlYi1K3rm7 "fv-autolink") requirements and an account-lockout policy.
- **Residual risk:** an attacker could still target a user through [social engineering](/ap-cybersecurity/key-terms/social-engineering "fv-autolink") to obtain a valid password, so some exposure remains.

Notice how the documentation step captures both the rating and the leftover risk. That last sentence is what separates a complete answer from one that stops at "add a lockout policy."
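To make the mini-example concrete, here is an added example (not code from the study guide) that runs the online password attack against a shared account twice: once with no lockout policy, and once with a five-failure lockout plus a complexity check. The account name, the guess list, and the policy thresholds are assumptions chosen for illustration; the hash function is a placeholder, not a recommendation.

```python
# Added example (not from the study guide): the mini-example's online
# password attack run against a shared account with and without the two
# recommended controls. Account names, the guess list, and the policy
# thresholds are assumptions chosen for illustration.
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional


def _hash(password: str) -> str:
    # Illustrative only: a real system uses a slow, salted password hash.
    return hashlib.sha256(password.encode()).hexdigest()


def meets_complexity(password: str, min_length: int = 12) -> bool:
    """Assumed policy: at least min_length characters and three of four classes."""
    classes = [any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password)]
    return len(password) >= min_length and sum(classes) >= 3


@dataclass
class Account:
    username: str
    password_hash: str
    max_failures: Optional[int] = None  # None = no lockout policy (the vulnerability)
    failures: int = 0
    locked: bool = False

    def login(self, password: str) -> str:
        """Return 'ok', 'denied', or 'locked'."""
        if self.locked:
            return "locked"
        if hmac.compare_digest(self.password_hash, _hash(password)):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.max_failures is not None and self.failures >= self.max_failures:
            self.locked = True
            return "locked"
        return "denied"


# Constructed stand-in for an attacker's common-password wordlist.
COMMON_GUESSES: List[str] = ["123456", "password", "qwerty", "letmein", "welcome",
                             "admin", "visitor", "office123", "Password1", "summer2024"]


def online_password_attack(account: Account, guesses: List[str]) -> Dict[str, object]:
    """Try guesses in order until one works, the account locks, or the list ends."""
    attempts = 0
    for guess in guesses:
        attempts += 1
        result = account.login(guess)
        if result == "ok":
            return {"outcome": "compromised", "attempts": attempts, "password": guess}
        if result == "locked":
            return {"outcome": "locked_out", "attempts": attempts}
    return {"outcome": "exhausted", "attempts": attempts}


def compare_configurations(password: str = "Password1") -> Dict[str, Dict[str, object]]:
    """Same weak password, with and without a five-failure lockout."""
    no_lockout = Account("visitor", _hash(password))
    with_lockout = Account("visitor", _hash(password), max_failures=5)
    return {
        "no_lockout": online_password_attack(no_lockout, COMMON_GUESSES),
        "with_lockout": online_password_attack(with_lockout, COMMON_GUESSES),
    }


def residual_risk_demo() -> str:
    """Lockout is no help once the attacker holds a valid password
    (e.g. from social engineering): the first attempt succeeds."""
    acct = Account("visitor", _hash("Password1"), max_failures=5)
    return acct.login("Password1")


if __name__ == "__main__":
    for name, result in compare_configurations().items():
        print(f"{name}: {result}")
    print("Password1 meets policy:", meets_complexity("Password1"))
    print("known-good password against lockout:", residual_risk_demo())
```

Without lockout the ninth guess lands on the weak password; with lockout the account closes on the fifth failure, which is what drops the likelihood rating. The last function shows the residual risk the mini-example names: a password obtained by social engineering is a correct password, so the lockout never fires.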

## Documenting Risk Clearly

Documentation is its own skill (1.D), not an afterthought. A clean risk record states the asset, the vulnerability, the threat and attack method, a likelihood rating, an impact rating, the recommended control, and the residual risk.

A simple format keeps your reasoning visible and easy to score:

| Field | Example entry |
|:--|:--|
| Asset | Internal file server storing patient records |
| Vulnerability | Server reachable from the public network |
| Threat / method | Remote adversary using a network-based attack to exfiltrate data |
| Likelihood | High |
| Impact | High (regulated health data) |
| Mitigation | Place a firewall so only internal employees reach the file server |
| Residual risk | Insider with legitimate access could still misuse records |

When the perceived value of the asset is higher, your impact rating should reflect it. Regulated data such as PHI or financial records generally raises impact because of legal and reputational consequences.
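The seven-step workflow and the documentation table above describe the same record from two angles. As an added example (not code from the study guide), the small risk register below captures each field, keeps likelihood and impact as separate ratings, combines them through a qualitative matrix, refuses a control that does not address the named vulnerability class, and prints the record in the table format shown. The three-level scales, the matrix thresholds, the control-coverage mapping, and the sample entries are assumptions chosen for illustration.

```python
# Added example (not from the study guide): a small risk register that records
# the workflow's fields, rates likelihood and impact separately, combines them
# through a qualitative matrix, accepts only a control that matches the
# vulnerability class, and documents residual risk. Scales, matrix thresholds
# and the control-coverage table are assumptions chosen for illustration.
from dataclasses import dataclass
from typing import Dict, List, Set

LEVELS = ["low", "moderate", "high"]

# Assumed mapping of controls to the vulnerability classes they address; a
# pairing not listed here (a firewall against weak passwords) is rejected.
CONTROL_COVERAGE: Dict[str, Set[str]] = {
    "account lockout policy": {"weak authentication"},
    "password complexity requirements": {"weak authentication"},
    "firewall restricting access to internal users": {"exposed network service"},
    "input validation / parameterized queries": {"unvalidated input"},
}

@dataclass
class Risk:
    asset: str
    vulnerability: str
    threat: str
    attack_method: str
    likelihood: str
    impact: str
    control: str = ""
    residual_likelihood: str = ""
    residual_impact: str = ""
    residual_note: str = ""

def risk_level(likelihood: str, impact: str) -> str:
    """Qualitative matrix over the two separate ratings (assumed thresholds)."""
    score = LEVELS.index(likelihood) + LEVELS.index(impact)  # 0..4
    return "high" if score >= 3 else "moderate" if score == 2 else "low"

def apply_control(risk: Risk, control: str, reduces: Dict[str, int], note: str) -> Risk:
    """Record a control and the residual ratings it leaves; `reduces` says how
    many levels it lowers likelihood and/or impact, e.g. {"likelihood": 2}."""
    if risk.vulnerability not in CONTROL_COVERAGE.get(control, set()):
        raise ValueError(f"control {control!r} does not address {risk.vulnerability!r}")
    lower = lambda level, by: LEVELS[max(0, LEVELS.index(level) - by)]
    risk.control = control
    risk.residual_likelihood = lower(risk.likelihood, reduces.get("likelihood", 0))
    risk.residual_impact = lower(risk.impact, reduces.get("impact", 0))
    risk.residual_note = note
    return risk

def residual_level(risk: Risk) -> str:
    return risk_level(risk.residual_likelihood, risk.residual_impact)

def render(risk: Risk) -> str:
    """Markdown record in the field order of the documentation table above."""
    residual = f"{residual_level(risk)}: {risk.residual_note}" if risk.control else "(not yet assessed)"
    rows = [("Asset", risk.asset), ("Vulnerability", risk.vulnerability),
            ("Threat / method", f"{risk.threat} using {risk.attack_method}"),
            ("Likelihood", risk.likelihood), ("Impact", risk.impact),
            ("Risk level", risk_level(risk.likelihood, risk.impact)),
            ("Mitigation", risk.control or "(none chosen)"), ("Residual risk", residual)]
    return "\n".join(["| Field | Entry |", "|:--|:--|"] + [f"| {k} | {v} |" for k, v in rows])

def prioritize(register: List[Risk]) -> List[Risk]:
    """Highest combined level first; ties go to the higher impact, so a
    low-likelihood, high-impact item outranks a high-likelihood, low-impact one."""
    key = lambda r: (LEVELS.index(risk_level(r.likelihood, r.impact)), LEVELS.index(r.impact))
    return sorted(register, key=key, reverse=True)

def build_example_register() -> List[Risk]:
    """The page's two scenarios entered as constructed sample records."""
    visitor_pc = Risk("shared visitor computer and reachable accounts", "weak authentication",
                      "external adversary", "online password attack", "high", "moderate")
    apply_control(visitor_pc, "account lockout policy", {"likelihood": 2},
                  "a valid password obtained through social engineering still works")
    file_server = Risk("internal file server storing patient records", "exposed network service",
                       "remote adversary", "network-based exfiltration", "high", "high")
    apply_control(file_server, "firewall restricting access to internal users", {"likelihood": 2},
                  "an insider with legitimate access could still misuse records")
    return [visitor_pc, file_server]

def mismatch_is_rejected() -> bool:
    """A firewall does not fix weak passwords; the register refuses the pairing."""
    r = Risk("shared visitor computer", "weak authentication", "external adversary",
             "online password attack", "high", "moderate")
    try:
        apply_control(r, "firewall restricting access to internal users", {"likelihood": 2}, "")
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    for risk in prioritize(build_example_register()):
        print(render(risk), end="\n\n")
    print("mismatched control rejected:", mismatch_is_rejected())
```

Two design points carry the page's argument. The matrix never collapses the inputs before they are recorded, so a low-likelihood, high-impact item and a high-likelihood, low-impact item stay distinguishable and sort differently. And a control is only accepted when it addresses the vulnerability class actually named, which is the check that catches "add a firewall" as an answer to weak passwords.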

## Using AI in Risk Analysis

The CED frames AI as a tool you use alongside your own analysis for skills 1.A, 1.C, and 1.D. An AI-powered tool might flag input-validation vulnerabilities in application code or help score and prioritize a list of risks.

Your job is to review what the tool produces, not to outsource judgment to it. You should be able to verify whether a flagged vulnerability is real, whether the likelihood and impact ratings make sense, and whether the documentation is complete.

## Common Mistakes to Avoid

Confusing the vulnerability with the threat. The vulnerability is the weakness; the threat is the actor or event that could exploit it. Weak authentication is a vulnerability; an adversary running a password attack is the threat.

Skipping the asset. If you do not name what is valuable, you cannot judge impact. Always anchor the analysis to a specific asset.

Treating likelihood and impact as one rating. They are separate factors. A low-likelihood, high-impact risk and a high-likelihood, low-impact risk call for different decisions.

Forgetting residual risk. Recommending a control without acknowledging what risk remains is incomplete. Controls reduce risk; they rarely eliminate it.

Recommending a control that does not match the vulnerability. A [firewall](/ap-cybersecurity/key-terms/firewall "fv-autolink") does not fix weak passwords, and an account-lockout policy does not stop SQL injection. Tie each mitigation to the specific weakness you identified.

Importing essay-style structure. This exam uses task verbs like identify, explain, describe, determine, and write. Answer the verb directly with evidence from the sources rather than building a thesis-driven essay.

## FAQs

### What is the difference between a vulnerability, a threat, and risk in AP Cybersecurity?

A vulnerability is a weakness that can be exploited, such as weak authentication or unvalidated user input. A threat is the actor or event that could exploit that weakness, like an adversary running a password attack. Risk occurs when a threat can exploit a vulnerability to compromise an asset, and its level depends on the likelihood and impact of that compromise.

### How do you evaluate likelihood and impact when assessing risk?

Likelihood measures how probable it is that an adversary exploits a specific vulnerability, while impact measures the severity of projected damage to the asset. Rate them separately. Easy-to-exploit weaknesses against high-value assets, such as regulated health or financial data, produce the highest risk and should be prioritized for mitigation.

### What is residual risk and why does it matter on the exam?

Residual risk is the risk that remains after you apply a security control. No control reduces risk to zero, so a complete analysis names what exposure is still present, such as an insider misusing legitimate access even after a firewall is added. Documenting residual risk is part of Skill 1.D and separates a full answer from an incomplete one.

### How is AI used in the Analyze Risk skill category?

Skills 1.A, 1.C, and 1.D are framed as work you do with and without the support of AI. An AI-powered tool might flag vulnerabilities in code or help score and prioritize risks, but you are expected to review and verify its output, confirming the vulnerability is real and the likelihood, impact, and documentation are accurate.

## Structured Data

```json
{"@context":"https://schema.org","@type":"FAQPage","inLanguage":"en","mainEntity":[{"@type":"Question","@id":"https://fiveable.me/ap-cybersecurity/cybersecurity-scenario-practice/cybersecurity-risk-assessment-guide/study-guide/VK45CeQeJrcZRU2RKZXZ#what-is-the-difference-between-a-vulnerability-a-threat-and-risk-in-ap-cybersecurity","name":"What is the difference between a vulnerability, a threat, and risk in AP Cybersecurity?","acceptedAnswer":{"@type":"Answer","text":"A vulnerability is a weakness that can be exploited, such as weak authentication or unvalidated user input. A threat is the actor or event that could exploit that weakness, like an adversary running a password attack. Risk occurs when a threat can exploit a vulnerability to compromise an asset, and its level depends on the likelihood and impact of that compromise."}},{"@type":"Question","@id":"https://fiveable.me/ap-cybersecurity/cybersecurity-scenario-practice/cybersecurity-risk-assessment-guide/study-guide/VK45CeQeJrcZRU2RKZXZ#how-do-you-evaluate-likelihood-and-impact-when-assessing-risk","name":"How do you evaluate likelihood and impact when assessing risk?","acceptedAnswer":{"@type":"Answer","text":"Likelihood measures how probable it is that an adversary exploits a specific vulnerability, while impact measures the severity of projected damage to the asset. Rate them separately. Easy-to-exploit weaknesses against high-value assets, such as regulated health or financial data, produce the highest risk and should be prioritized for mitigation."}},{"@type":"Question","@id":"https://fiveable.me/ap-cybersecurity/cybersecurity-scenario-practice/cybersecurity-risk-assessment-guide/study-guide/VK45CeQeJrcZRU2RKZXZ#what-is-residual-risk-and-why-does-it-matter-on-the-exam","name":"What is residual risk and why does it matter on the exam?","acceptedAnswer":{"@type":"Answer","text":"Residual risk is the risk that remains after you apply a security control. No control reduces risk to zero, so a complete analysis names what exposure is still present, such as an insider misusing legitimate access even after a firewall is added. Documenting residual risk is part of Skill 1.D and separates a full answer from an incomplete one."}},{"@type":"Question","@id":"https://fiveable.me/ap-cybersecurity/cybersecurity-scenario-practice/cybersecurity-risk-assessment-guide/study-guide/VK45CeQeJrcZRU2RKZXZ#how-is-ai-used-in-the-analyze-risk-skill-category","name":"How is AI used in the Analyze Risk skill category?","acceptedAnswer":{"@type":"Answer","text":"Skills 1.A, 1.C, and 1.D are framed as work you do with and without the support of AI. An AI-powered tool might flag vulnerabilities in code or help score and prioritize risks, but you are expected to review and verify its output, confirming the vulnerability is real and the likelihood, impact, and documentation are accurate."}}]}
```
