---
title: "AP Cybersecurity Mitigate Risk Skill Guide"
description: "Learn AP Cybersecurity Mitigate Risk: identify security controls, layer defenses, evaluate strategies, and log mitigations with and without AI."
canonical: "https://fiveable.me/ap-cybersecurity/cybersecurity-skills/mitigate-risk/study-guide/1e2jm2Ks2uN8D3sepFx5"
type: "study-guide"
subject: "AP Cybersecurity"
unit: "Cybersecurity Skills"
lastUpdated: "2026-06-18"
---

# AP Cybersecurity Mitigate Risk Skill Guide

## Summary

Learn AP Cybersecurity Mitigate Risk: identify security controls, layer defenses, evaluate strategies, and log mitigations with and without AI.

## Overview

[AP Cybersecurity](/ap-cybersecurity "fv-autolink") Mitigate Risk is Skill Category 2, where you implement protective and deterrent security controls to reduce [risk](/ap-cybersecurity/key-terms/risk "fv-autolink") to an organization's assets. You identify controls, layer them to cover vulnerabilities, evaluate how well they work, and implement and log your mitigations, sometimes with AI support and sometimes without it.

In plain terms, once you have found a vulnerability, this skill is about choosing and applying the right defenses and explaining why they help. It shows up across every unit because every domain (physical spaces, networks, devices, applications, and data) needs protection. Skill Category 2 is also one of the two skill categories assessed on the free-response question, so it carries real weight.

## What Mitigate Risk Means

Mitigating risk means taking action to lower the [likelihood](/ap-cybersecurity/key-terms/likelihood "fv-autolink") that a vulnerability is exploited or to reduce the impact if it is. You are not just naming a [threat](/ap-cybersecurity/key-terms/threat "fv-autolink"). You are recommending and applying a control that addresses it.

A few quick definitions to anchor your thinking:

- **Security control**: a safeguard or countermeasure that reduces risk. Examples include [firewalls](/ap-cybersecurity/key-terms/firewall "fv-autolink"), [access controls](/ap-cybersecurity/key-terms/access-control "fv-autolink"), encryption, locks, and anti-malware software.
- **Protective control**: a control that actively blocks or limits an attack, such as a firewall rule that drops [malicious traffic](/ap-cybersecurity/unit-3/network-vulnerabilities-and-attacks/study-guide/9lJpNM0eCHQ1M3XgFL97 "fv-autolink").
- **Deterrent control**: a control that discourages an [adversary](/ap-cybersecurity/key-terms/adversary "fv-autolink") from attempting an attack, such as visible [cameras](/ap-cybersecurity/unit-2/detecting-physical-attacks/study-guide/Kb72LoynxAj68H4P71eN "fv-autolink") or warning signage.
- **[Defense in depth](/ap-cybersecurity/key-terms/defense-in-depth "fv-autolink")**: layering multiple controls so that if one fails, others still protect the [asset](/ap-cybersecurity/key-terms/asset "fv-autolink").

## What This Skill Requires

To do well here, you need to connect a specific vulnerability to a specific control and explain the link clearly.

You should be able to:

- Match a control to the risk it addresses and explain the mechanism.
- Combine controls into layers instead of relying on a single safeguard.
- Judge whether a strategy actually reduces risk and what tradeoffs it creates.
- Apply a mitigation in practice and keep a record of what you did.
- Use AI as a support tool while still explaining and verifying its output yourself.

## Subskills You Need

### 2.A Identify security controls and explain how they mitigate risks

Name an appropriate control and explain how it reduces likelihood or impact. The explanation matters more than the label.

- Weak [password](/ap-cybersecurity/unit-1/suspicious-website-logins/study-guide/zppDvyHLHIUFzT3MNwAN "fv-autolink") risk gets stronger [authentication](/ap-cybersecurity/key-terms/authentication "fv-autolink"), such as multifactor authentication.
- Unencrypted stored data gets encryption to protect [confidentiality](/ap-cybersecurity/key-terms/confidentiality "fv-autolink").
- Open network access gets a firewall rule or [access control list](/ap-cybersecurity/key-terms/access-control-list "fv-autolink") to filter traffic.

Tested on both MCQ and FRQ.

### 2.B Determine layered security controls that address vulnerabilities

Real defenses rarely rely on one control. Show that you can stack controls so coverage overlaps.

- A server room might use a locked door, a camera, and an access log together.
- A network might combine segmentation, a firewall, and managerial policies.

If one layer fails, the others still slow or stop the adversary. This is defense in depth in action. Tested on both MCQ and FRQ.

### 2.C Evaluate the impact of protective risk-management strategies, with and without AI

Judging a strategy means weighing how much risk it removes against its costs and side effects.

Ask yourself:

- Does this control meaningfully lower likelihood or impact?
- What does it cost in money, performance, or user convenience?
- Does it create new problems, like blocking legitimate users?

AI can help you compare options or summarize tradeoffs, but you still explain the reasoning and check the conclusion. Tested on both MCQ and FRQ.
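To practice answering "does it create new problems, like blocking legitimate users?", the added example below (not part of the original guide) compares a firewall rule set before and after a change against sample traffic. The rule format, first-match evaluation, default deny, addresses, and flow names are all assumptions of this simplified model, not any specific firewall product.

```python
from ipaddress import ip_address, ip_network

def verdict(rules, flow):
    """First matching rule wins; unmatched traffic is denied (assumed default)."""
    src, port = ip_address(flow["src"]), flow["port"]
    for action, net, rule_port in rules:
        if src in ip_network(net) and rule_port in (port, "any"):
            return action
    return "deny"

def impact_of_change(before, after, flows):
    """Return the flows whose verdict changes, flagging blocked legitimate users."""
    changes = []
    for flow in flows:
        old, new = verdict(before, flow), verdict(after, flow)
        if old != new:
            side_effect = new == "deny" and flow["legitimate"]
            changes.append((flow["name"], old, new, side_effect))
    return changes

# Constructed rule sets: (action, source network, destination port)
BEFORE = [("allow", "0.0.0.0/0", 22), ("allow", "0.0.0.0/0", 443)]
AFTER = [
    ("allow", "10.0.5.0/24", 22),   # SSH only from the management subnet
    ("deny", "0.0.0.0/0", 22),      # all other SSH is dropped
    ("allow", "0.0.0.0/0", 443),    # HTTPS stays open
]

# Constructed sample traffic (documentation and private address ranges)
FLOWS = [
    {"name": "admin SSH from management subnet", "src": "10.0.5.12",
     "port": 22, "legitimate": True},
    {"name": "remote admin SSH from home", "src": "203.0.113.40",
     "port": 22, "legitimate": True},
    {"name": "internet SSH login guessing", "src": "198.51.100.7",
     "port": 22, "legitimate": False},
    {"name": "customer HTTPS", "src": "192.0.2.9",
     "port": 443, "legitimate": True},
]

if __name__ == "__main__":
    for name, old, new, side_effect in impact_of_change(BEFORE, AFTER, FLOWS):
        note = "  <-- legitimate user now blocked" if side_effect else ""
        print(f"{name}: {old} -> {new}{note}")
```

The output gives you both halves of a tradeoff statement: the change stops SSH login guessing from the internet, but it also blocks the remote administrator, who would need another access path.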

### 2.D Implement and log mitigations, with and without AI

Implementing means actually applying the control, and [logging](/ap-cybersecurity/key-terms/logging "fv-autolink") means recording what you changed and why.

- Configure a firewall rule, then document the rule, its purpose, and the date.
- Adjust file permissions, then note the old and new settings.

Good logs let others verify your work and trace changes later. AI may assist with drafting configs or documentation, but accuracy and final verification are on you. Tested on both MCQ and FRQ.
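One way to practice "adjust file permissions, then note the old and new settings" is the added example below (not part of the original guide). It applies a permission change, verifies it, and writes a log entry that records the old and new mode, the purpose, the time, and who is affected; the function names, log fields, and sample file are assumptions made for illustration, and it expects a Unix-like system.

```python
import json, os, stat, tempfile
from datetime import datetime, timezone

CLASSES = (("owner", 6), ("group", 3), ("other", 0))  # bit shift per class
BITS = ((4, "read"), (2, "write"), (1, "execute"))

def access_by_class(mode):
    """Map a permission mode such as 0o640 to {class: set of rights}."""
    return {name: {label for bit, label in BITS if (mode >> shift) & bit}
            for name, shift in CLASSES}

def describe_change(old_mode, new_mode):
    """Who is affected: the rights each class loses or gains."""
    old, new = access_by_class(old_mode), access_by_class(new_mode)
    effects = []
    for name, _ in CLASSES:
        lost, gained = sorted(old[name] - new[name]), sorted(new[name] - old[name])
        if lost:
            effects.append(f"{name} loses {', '.join(lost)}")
        if gained:
            effects.append(f"{name} gains {', '.join(gained)}")
    return effects

def apply_and_log(path, new_mode, purpose, log_path):
    """Apply the change, re-read the mode to verify it, append a log entry."""
    old_mode = stat.S_IMODE(os.stat(path).st_mode)
    os.chmod(path, new_mode)
    verified = stat.S_IMODE(os.stat(path).st_mode)
    entry = {
        "when": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "target": os.path.basename(path),
        "old": f"{old_mode:04o}", "new": f"{verified:04o}",
        "verified": verified == new_mode,
        "purpose": purpose,
        "effect": describe_change(old_mode, verified),
    }
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(entry) + "\n")
    return entry

def demo():
    """Constructed sample: a world-writable records file tightened to 0640."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "records.csv")
        with open(target, "w", encoding="utf-8") as f:
            f.write("constructed sample data\n")
        os.chmod(target, 0o666)
        return apply_and_log(target, 0o640, "Limit records to owner and group",
                             os.path.join(d, "changes.log"))
```

Calling `demo()` returns the log entry for the sample change. Its `effect` field is the "who it affects" statement an FRQ answer needs.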

## How It Shows Up on the AP Exam

The exam is 2 hours and 10 minutes with 60 multiple-choice questions (70%) and 1 free-response question (30%).

**Multiple choice**: Skill Category 2 Mitigate Risk is weighted at roughly 25 to 40% of the multiple-choice section. Expect questions that ask you to pick the best control for a vulnerability, choose a layered set of controls, or judge the impact of a strategy.

**Free response**: The single FRQ is a Device Security Analysis built around one digital device. Sources may include [security policies](/ap-cybersecurity/unit-3/protecting-networks-segmentation/study-guide/aN5LZLgHojJwIT4AvjWS "fv-autolink"), firewall configurations, file-system permissions, and [log files](/ap-cybersecurity/unit-3/detecting-network-attacks/study-guide/5kYH3dgJpqFp57SUnjEX "fv-autolink"). Skill Categories 2 and 3 are both assessed, so you may need to describe how a configuration or permission change would affect the device and users, and evaluate how controls like firewalls influence traffic and behavior. Cite evidence from the sources and explain your reasoning.

Practical tip: when an FRQ asks about a change, always say what the change does and who it affects.

## Examples Across the Course

These show how Mitigate Risk applies in different parts of the course.

- **Physical spaces ([Securing Spaces](/ap-cybersecurity/unit-2 "fv-autolink"))**: A facility with an unlocked entry adds badge access, a camera, and an entry log. The badge is protective, the visible camera is deterrent, and the log supports later review. This is layered mitigation for a physical vulnerability.
- **Networks (Securing Networks)**: A flat network where one compromised host can reach everything gets segmentation plus a firewall. Segmentation limits how far an attacker can move, and firewall rules filter traffic between segments. You would then log each rule and its purpose.
- **Devices (Securing Devices)**: A device with weak login security adds multifactor authentication and anti-malware software, paired with regular updates. Each control addresses a different attack path, and you document the configuration.
- **Applications and data (Securing Applications and Data)**: Sensitive stored records get access controls to limit who can read or write them, plus encryption so stolen data stays unreadable. [Asymmetric cryptography](/ap-cybersecurity/unit-5/asymmetric-cryptography/study-guide/VwtcdE1OgUXoQu0fiDG2 "fv-autolink") can protect data in transit. You evaluate whether the protection is worth any performance cost.
- **Introduction to Security**: After spotting a phishing risk, you mitigate with user training, multifactor authentication, and link filtering, then evaluate which combination lowers risk most.

## How to Practice Mitigate Risk

- Take any vulnerability from your notes and write the control plus a one-sentence explanation of how it reduces risk.
- For each scenario, list at least two layered controls and name which is protective and which is deterrent.
- Practice tradeoff statements: "This control reduces X risk but costs Y."
- Work with sample firewall configs and file permissions so you can describe the effect of a change quickly.
- Write short change logs that include what changed, why, and when. This builds the habit 2.D rewards.
- When you use AI to draft a config or compare strategies, verify the output and rewrite the explanation in your own words.

## Common Mistakes

- Naming a control without explaining how it mitigates the risk. The explanation is the point.
- Relying on one control when the question rewards layering.
- Picking a control that does not match the actual vulnerability.
- Forgetting tradeoffs when asked to evaluate a strategy.
- On the FRQ, describing a change without saying how it affects users and device behavior.
- Skipping evidence from the provided sources when the FRQ asks you to cite it.
- Trusting AI output without checking it.

## Quick Review

- Mitigate Risk (Skill Category 2) is about implementing protective and deterrent controls.
- 2.A: identify a control and explain the mechanism.
- 2.B: layer controls for defense in depth.
- 2.C: evaluate impact and tradeoffs, with or without AI.
- 2.D: implement and log mitigations, with or without AI.
- Weighted 25 to 40% on multiple choice and assessed on the FRQ alongside Skill Category 3.
- On the FRQ, cite source evidence and explain how changes affect the device and users.
- Always connect a control to the specific vulnerability it addresses.
