In AP Cybersecurity, likelihood is the probability that a specific vulnerability will be exploited by an adversary. It's one of the two factors in risk assessment, weighed alongside the severity of the projected damage.
Likelihood is how probable it is that an adversary actually exploits a given vulnerability. It's not the same as how bad the damage would be. That's severity. Risk assessment needs both. You ask "how likely is this to happen?" and "how much would it hurt if it did?"
Likelihood isn't a guess pulled out of thin air. It depends on real factors: the value of the target (adversaries chase juicy assets), how exposed or accessible the vulnerability is, and how skilled or motivated the adversaries targeting you are. A high-value asset sitting wide open is high likelihood. An obscure system protected by layers of controls is low likelihood. Per EK 2.1.D.1, risk only exists when a threat can exploit a vulnerability to compromise an asset, so likelihood is basically your estimate of whether that chain of events fires.
Likelihood lives in Unit 2: Securing Spaces, specifically Topic 2.1 Cyber Foundations, and it powers learning objective AP Cybersecurity 2.1.D, describe the risk assessment process. EK 2.1.D.3 spells it out: risk assessment considers two factors, the likelihood of an attack against a specific vulnerability and the severity of the projected damage. You can't reason about risk with just one of them. Likelihood also feeds straight into AP Cybersecurity 2.1.E (managing risk), because risk mitigation works by reducing the likelihood or the impact of an attack. So understanding likelihood is what lets you connect "here's a vulnerability" to "here's what we should do about it."
Severity (Unit 2)
Likelihood and severity are the two halves of risk assessment. Likelihood is how probable the attack is; severity is how much it would hurt. A breach can be unlikely but devastating, or likely but harmless. You need both numbers before you can rank a risk.
Risk Mitigation (Unit 2)
Mitigation (EK 2.1.E.4) is the management strategy that directly lowers likelihood. Installing security controls makes a vulnerability harder to exploit, so the probability of a successful attack drops. That's the lever likelihood gives you.
Asset value and OSINT in reconnaissance (Unit 2)
Likelihood goes up when adversaries see a high-value asset. They find those targets during the reconnaissance phase (EK 2.1.C.2) using open source intelligence, freely available info. The more an attacker can learn about you, the more likely they'll find a vulnerability worth hitting.
Defense in depth (Unit 2)
A layered defense (AP Cybersecurity 2.1.G) drives likelihood down by stacking controls. Even if one layer is bypassed, another may stop the attack, so the odds of a fully successful exploit shrink with every layer you add.
Likelihood shows up in the risk-assessment cluster of Unit 2. Multiple-choice stems describe a scenario (a company facing breaches, a healthcare org weighing patient-data risk) and ask you to identify the risk or the management strategy. Released-style practice questions test the four management options, avoid, transfer, mitigate, accept, by giving you a company decision and asking which one it is. To use likelihood correctly, separate it from severity, and remember that mitigation is the strategy that lowers likelihood by adding controls. No released FRQ has used the word "likelihood" verbatim, but a free-response prompt asking you to assess or manage a risk expects you to reason about both how probable and how damaging an attack would be.
Likelihood is how probable an attack is. Severity is how bad the damage would be if it happened. They're separate factors that you multiply or weigh together to size up a risk. A low-likelihood, high-severity risk (rare but catastrophic) is managed very differently from a high-likelihood, low-severity one. Don't collapse them into a single "how risky" feeling.
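An added example, not part of the original study guide: a small risk register that keeps likelihood and severity as separate fields and models mitigation as stacked controls that lower likelihood only. The 1-5 severity scale, the 0.5 "likely" cut-off, the assumption that layers fail independently, and every number in the register are illustrative assumptions.

```python
from dataclasses import dataclass, replace
from math import prod


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: float   # chance of exploitation with no controls, 0..1
    severity: int       # projected damage, 1 (minor) to 5 (catastrophic)
    layers: tuple = ()  # per-layer chance an attacker gets past that control

    def residual_likelihood(self) -> float:
        # Assumes independent layers: every one must be bypassed for the
        # attack to succeed, so each added layer multiplies the odds down.
        return self.likelihood * prod(self.layers)

    def score(self) -> float:
        # Weigh the two factors together; layers never change severity.
        return self.residual_likelihood() * self.severity

    def profile(self) -> str:
        # Report the two factors separately instead of one "how risky" number.
        likely = "likely" if self.residual_likelihood() >= 0.5 else "rare"
        damage = "catastrophic" if self.severity >= 4 else "minor"
        return f"{likely}/{damage}"


def mitigate(risk: Risk, *bypass_odds: float) -> Risk:
    """Add controls; each value is the assumed odds of bypassing one layer."""
    return replace(risk, layers=risk.layers + bypass_odds)


def rank(register):
    """Highest combined score first."""
    return sorted(register, key=Risk.score, reverse=True)


# Constructed register entries (all values are illustrative assumptions).
PHISHING = Risk("staff phishing", likelihood=0.625, severity=2)
RANSOMWARE = Risk("ransomware on patient records", likelihood=0.25, severity=5)

if __name__ == "__main__":
    for r in rank([PHISHING, RANSOMWARE]):
        print(f"{r.name}: {r.profile()} score={r.score()}")
    # Two stacked controls on phishing: mail filtering, then MFA.
    hardened = mitigate(PHISHING, 0.5, 0.5)
    for r in rank([hardened, RANSOMWARE]):
        print(f"{r.name}: {r.profile()} score={r.score()}")
```

Both constructed risks start with the same combined score, yet their profiles differ, which is why the score alone does not tell you how to manage them.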
Likelihood is the probability that a specific vulnerability gets exploited, and it's one of the two factors in risk assessment.
The other factor is severity, the projected damage, and risk assessment needs both to be meaningful.
Likelihood rises with the value of the target, how exposed the vulnerability is, and how skilled or motivated the adversaries are.
Risk mitigation lowers likelihood by adding security controls, which is why defense in depth reduces your odds of being breached.
Risk only exists when a threat can exploit a vulnerability to compromise an asset, so likelihood estimates whether that chain actually fires.
Likelihood is the probability that a particular vulnerability will be exploited by an adversary. It's one of the two factors in risk assessment under AP Cybersecurity learning objective 2.1.D, paired with the severity of the projected damage.
No. Likelihood is how probable an attack is, while severity is how much damage it would cause. They're two separate factors, and you weigh both to assess a risk. A breach can be very unlikely but extremely severe, or very likely but minor.
You reduce likelihood through risk mitigation, which means implementing security controls that make a vulnerability harder to exploit (EK 2.1.E.4). Adding layers of defense, like encryption, multi-factor authentication, and intrusion detection, lowers the odds an attacker succeeds.
The value of the target matters most, since adversaries chase high-value assets. Likelihood also depends on how exposed or accessible the vulnerability is and on the skill and motivation of the adversaries targeting you (EK 2.1.D.4).
Once you assess likelihood and severity, you pick one of four management strategies: avoid, transfer, mitigate, or accept (EK 2.1.E.1). Exam questions hand you a scenario and ask which strategy a company chose, so you have to connect the likelihood of an attack to the right response.