--- title: "AP Cybersecurity Analyze Risk Skill Guide" description: "Learn the AP Cybersecurity Analyze Risk skill: identify vulnerabilities, threats, and attacks, then evaluate and document likelihood and impact." canonical: "https://fiveable.me/ap-cybersecurity/cybersecurity-skills/analyze-risk/study-guide/hhQqReHkUhLAdPKaSI7z" type: "study-guide" subject: "AP Cybersecurity" unit: "**Cybersecurity Skills" lastUpdated: "2026-06-18" --- # AP Cybersecurity Analyze Risk Skill Guide ## Summary Learn the AP Cybersecurity Analyze Risk skill: identify vulnerabilities, threats, and attacks, then evaluate and document likelihood and impact. ## Guide ## Overview [AP Cybersecurity](/ap-cybersecurity "fv-autolink") Analyze Risk is Skill Category 1, where you evaluate [risk](/ap-cybersecurity/key-terms/risk "fv-autolink") to organizational assets. You identify vulnerabilities, threats, and attack methods, figure out how adversaries exploit them, then evaluate and document the likelihood and impact of those risks. Some of this work is done with the support of AI and some without it. This skill shows up across every unit because risk analysis comes before you can choose controls or [detect attacks](/ap-cybersecurity/cybersecurity-skills/detect-attacks/study-guide/k7DmYzrBX6GIIzRYjsuG "fv-autolink"). It carries a large share of the multiple-choice section and supports your reasoning on the free-response question. ## What Analyze Risk Means Risk is the chance that a vulnerability gets exploited and the damage that follows. To analyze risk, you combine two pieces: - **Likelihood:** how probable is it that a threat [exploits](/ap-cybersecurity/unit-4/device-vulnerabilities-and-attacks/study-guide/HACz1L7MBGLXO5AANWlK "fv-autolink") a vulnerability - **Impact:** how bad the outcome would be if it happens A simple way to think about it: ``` Risk = Likelihood of exploitation x Impact on the asset ``` This is a conceptual relationship for reasoning, not an official scored formula. The point is that a high-impact event with very low likelihood and a low-impact event with high likelihood can land in very different places. Three terms you will use constantly: - **Vulnerability:** a weakness in a system, space, network, device, or application - **Threat:** something or someone that could exploit a vulnerability - **Attack method:** the specific technique an [adversary](/ap-cybersecurity/key-terms/adversary "fv-autolink") uses to exploit the weakness ## What This Skill Requires You need to do four things in order: 1. Spot the weakness and the threat that targets it. 2. Explain how an adversary turns that weakness into a compromise. 3. Judge how likely the attack is and how much damage it would cause. 4. Write it down clearly so others can act on it. You also need to do this both with AI assistance and on your own. AI can help speed up identification or summarize a large source set, but you are responsible for checking its output and explaining your reasoning. ## Subskills You Need ### 1.A Identify vulnerabilities, threats, and attack methods and explain how they generate risk Name the weakness, name the threat, and name the technique. Then connect them to risk. A vulnerability alone is not risk. Risk appears when a threat can realistically use an attack method against that vulnerability to harm an [asset](/ap-cybersecurity/key-terms/asset "fv-autolink"). - Example logic: "Default admin passwords (vulnerability) let an attacker (threat) log in remotely (attack method), which creates risk to the device and its stored data." ### 1.B Determine ways adversaries exploit vulnerabilities to compromise an asset Think like an attacker. Ask what an adversary would actually do step by step to reach the asset. This is adversarial thinking, and the course builds it starting with physical spaces and extends it to networks, devices, and data. - Trace the path: entry point, exploitation, access gained, asset compromised. ### 1.C Evaluate the likelihood and impact of risks Rate how probable the exploitation is and how serious the consequences would be. The perceived value of an asset changes your impact rating. More valuable or [sensitive data](/ap-cybersecurity/key-terms/sensitive-data "fv-autolink") raises impact even when likelihood is unchanged. - Use available evidence: configurations, logs, policies, and the asset's value. - You may use AI to help estimate, but verify the reasoning yourself. ### 1.D Document the likelihood and impact of risks Record your findings so a team can prioritize. Clear documentation usually includes the asset, the vulnerability, the threat or attack method, a likelihood rating, an impact rating, and supporting evidence. - A short risk table is a practical format (see below). ## How It Shows Up on the AP Exam **Multiple-choice section:** All four Analyze Risk subskills are assessed. Skill Category 1 carries roughly 25 to 40 percent of the multiple-choice weighting. Expect questions that ask you to match a weakness to its risk, identify how an attacker would exploit a setup, or rank likelihood and impact. **Free-response question:** The single FRQ is a Device Security Analysis with simulated sources such as [security policies](/ap-cybersecurity/unit-3/protecting-networks-segmentation/study-guide/aN5LZLgHojJwIT4AvjWS "fv-autolink"), firewall configurations, file-system permissions, and [log files](/ap-cybersecurity/unit-3/detecting-network-attacks/study-guide/5kYH3dgJpqFp57SUnjEX "fv-autolink"). The exam info states the FRQ assesses Skill Categories 2 and 3. Even so, your risk analysis skills support the reasoning you need there, because identifying security issues and citing evidence depends on understanding vulnerabilities and how they get exploited. Practical tip: when a prompt gives you sources, find the weakness first, then explain the attack path, then judge likelihood and impact using the evidence. ## Examples Across the Course These examples come from different units to show how the same skill applies in many domains. - **[Introduction to Security](/ap-cybersecurity/unit-1 "fv-autolink") ([social engineering](/ap-cybersecurity/key-terms/social-engineering "fv-autolink")):** A phishing email is the attack method, an untrained user is the vulnerability, and the attacker is the threat. Likelihood rises if there is no email filtering or training. Impact depends on what the clicked link or downloaded file can reach. - **[Securing Spaces](/ap-cybersecurity/unit-2 "fv-autolink") (physical):** An unlocked server room is a physical vulnerability. An adversary with [physical access](/ap-cybersecurity/unit-2/physical-vulnerabilities-and-attacks/study-guide/ZcvQYEyowkyIYrjESpUp "fv-autolink") can often bypass technical controls, so impact is high. You evaluate likelihood based on who can enter the space. - **[Securing Networks](/ap-cybersecurity/unit-3 "fv-autolink"):** A flat network with no segmentation lets an attacker move laterally after one entry point. The vulnerability is the lack of segmentation, the attack method is lateral movement, and impact is broad because many systems are reachable. - **[Securing Devices](/ap-cybersecurity/unit-4 "fv-autolink"):** Weak authentication on an IoT device, such as a default [password](/ap-cybersecurity/unit-1/suspicious-website-logins/study-guide/zppDvyHLHIUFzT3MNwAN "fv-autolink"), lets an attacker impersonate a legitimate user. Likelihood is high when devices ship with known defaults and updates are skipped. - **[Securing Applications and Data](/ap-cybersecurity/unit-5 "fv-autolink"):** Sensitive data without proper [access controls](/ap-cybersecurity/key-terms/access-control "fv-autolink") raises impact because the data is valuable. The course notes that perceived value of data changes the risk assessment, so the same vulnerability can be higher risk when the data is more sensitive. ## How to Practice Analyze Risk - Build a quick risk table for any scenario you read. | Asset | Vulnerability | Threat / Attack Method | Likelihood | Impact | |-------|---------------|------------------------|------------|--------| | Customer database | No access controls | Insider reads records | Medium | High | | Office laptop | Default password | Remote login by attacker | High | High | - For each row, write one sentence explaining why you chose that likelihood and impact. - Practice the attacker's view by writing the step-by-step path from entry to compromise. - Try one scenario with AI help and one without, then compare. Check whether the AI missed evidence or overstated likelihood. - Always tie your rating back to evidence in the source, such as a log entry or a policy line. ## Common Mistakes - Listing a vulnerability without explaining the risk. State the threat and attack method too. - Treating likelihood and impact as the same thing. Rate them separately. - Ignoring asset value when judging impact. More sensitive data means higher impact. - Accepting AI output without checking it against the evidence. - Documenting vaguely. Name the asset, the weakness, the rating, and the supporting evidence. - Skipping the attack path. Graders and questions reward showing how the compromise actually happens. ## Quick Review - Analyze Risk means evaluating risk to organizational assets through four steps. - 1.A: identify vulnerabilities, threats, and attack methods, and explain the risk. - 1.B: determine how adversaries exploit weaknesses to compromise an asset. - 1.C: evaluate likelihood and impact, factoring in asset value. - 1.D: document likelihood and impact clearly, with evidence. - Risk combines likelihood and impact, not just one. - Skill Category 1 is heavily weighted on the multiple-choice section and supports your FRQ reasoning. - You do this work both with and without AI, and you stay responsible for verifying the result.