Quantitative risk assessment is a method of evaluating cyber risk using measurable, numeric values, like estimated dollar losses and numeric likelihood scores, to calculate how serious a vulnerability is to an organization's assets.
Risk happens when a threat can exploit a vulnerability to compromise an asset (EK 2.1.D.1). To decide which risks deserve attention first, you weigh two things: how likely an attack is and how severe the damage would be (EK 2.1.D.3). Quantitative risk assessment does this with hard numbers.
Instead of saying a risk is "high" or "low," a quantitative approach attaches actual figures. Think estimated annual financial loss in dollars, or a likelihood scored 6 out of 10. You then combine those numbers to rank risks and justify spending money on security controls. The big advantage: numbers make risks comparable and easy to defend to leadership. The catch: you need solid data to produce trustworthy numbers, and a lot of cyber threats are hard to price precisely.
This lives in Unit 2: Securing Spaces, under topic 2.1 Cyber Foundations, and it's the engine behind the risk assessment process described in learning objective AP Cybersecurity 2.1.D. Once you've assessed a risk, you choose how to manage it (avoid, transfer, mitigate, or accept under AP Cybersecurity 2.1.E), and those choices only make sense if you've measured the risk first. Quantitative assessment is one of the two main ways to do that measuring, so it threads directly into how organizations protect their assets and decide where to invest in defense in depth.
Risk assessment process (Unit 2)
Quantitative assessment isn't a separate topic, it's one way of doing the risk assessment described in AP Cybersecurity 2.1.D. You're still weighing likelihood against severity, just expressing both as numbers instead of word labels.
Strategies for managing risk (Unit 2)
Putting a dollar figure on a risk tells you whether to avoid, transfer, mitigate, or accept it (AP Cybersecurity 2.1.E). If insurance costs less than the projected annual loss, transference suddenly looks smart, and that comparison only works with numbers.
Asset (Unit 2)
You can't quantify a risk without first valuing the asset behind it (EK 2.1.D.2). A $50,000 database loss starts with knowing the database is worth $50,000 to the organization.
Expect multiple-choice questions that hand you a scenario and ask you to name the assessment method. The tell for quantitative is the presence of real numbers: a team calculates "$50,000 annually" in potential loss and assigns a "likelihood score of 6 out of 10," so the answer is quantitative. The contrast question uses word labels instead, like a SQL injection vulnerability with a "high likelihood" of exploitation and "severe operational damage," which points to qualitative. Your job is to spot whether the risk is described with measurable values (quantitative) or descriptive tiers (qualitative), then pick correctly.
Both measure the same two things, likelihood and severity, but in different languages. Quantitative uses numbers ($50,000 loss, 6/10 likelihood). Qualitative uses descriptive labels (high, medium, low; minor, severe). If the scenario gives you figures, it's quantitative; if it gives you words like 'high' or 'severe,' it's qualitative.
Quantitative risk assessment measures cyber risk using numeric values like dollar losses and numeric likelihood scores.
It evaluates the same two factors as any risk assessment: the likelihood of an attack and the severity of the damage (EK 2.1.D.3).
The dead giveaway on the exam is hard numbers in the scenario, such as '$50,000 annually' or 'likelihood score of 6 out of 10.'
Qualitative assessment does the same job but with words like 'high' and 'severe' instead of numbers.
Quantifying a risk feeds directly into the four management choices: avoid, transfer, mitigate, or accept (AP Cybersecurity 2.1.E).
It's a method of evaluating risk using measurable, numeric values, like estimated annual financial loss and numeric likelihood scores, to rank how serious a vulnerability is to an organization's assets. It supports the risk assessment process in AP Cybersecurity 2.1.D.
Quantitative uses numbers ($50,000 in losses, 6/10 likelihood), while qualitative uses descriptive labels like 'high likelihood' or 'severe damage.' Same two factors, just numbers versus words.
Yes. If the scenario gives you a calculated financial figure or a numeric score, it's quantitative. Word-based tiers like 'high' or 'minor' signal qualitative instead.
The likelihood that a vulnerability gets exploited and the severity of the projected damage (EK 2.1.D.3). Quantitative assessment just expresses both of those as numbers.
Because the number tells you what to do with it. Comparing a projected $50,000 annual loss against the cost of insurance or a security control helps you decide whether to avoid, transfer, mitigate, or accept the risk (AP Cybersecurity 2.1.E).
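The ranking described above and the insurance-versus-loss comparison, as an added example that is not part of the course text. The combination rule (expected annual loss = estimated annual loss if exploited x likelihood score / 10) and the four-way decision rule are assumptions of this example; the $50,000 / 6-out-of-10 risk is the page's own, the other two risks are constructed.

```python
"""Rank risks by expected annual loss, then pick a management strategy."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    annual_loss: float     # estimated dollar loss per year if the vulnerability is exploited
    likelihood_score: int  # likelihood of exploitation, scored 0-10

    def __post_init__(self) -> None:
        # Quantitative inputs must be real, in-range numbers, not word labels or bad scores.
        if not 0 <= self.likelihood_score <= 10:
            raise ValueError(f"{self.name}: likelihood score must be 0-10")
        if self.annual_loss < 0:
            raise ValueError(f"{self.name}: annual loss cannot be negative")

    def expected_annual_loss(self) -> float:
        # Assumed combination rule: loss if exploited, scaled by likelihood out of 10.
        return self.annual_loss * self.likelihood_score / 10


def rank_risks(risks: list[Risk]) -> list[tuple[str, float]]:
    """Highest expected annual loss first, so it gets attention first."""
    return sorted(((r.name, r.expected_annual_loss()) for r in risks),
                  key=lambda item: item[1], reverse=True)


def choose_strategy(risk: Risk, insurance_premium: float, control_cost: float,
                    risk_appetite: float) -> str:
    """Assumed rule: accept if the expected loss is within appetite; otherwise take the
    cheaper of insurance (transfer) or a control (mitigate) when it costs less than the
    expected loss; if neither does, avoid the activity that creates the risk."""
    eal = risk.expected_annual_loss()
    if eal <= risk_appetite:
        return "accept"
    option, cost = min((("transfer", insurance_premium), ("mitigate", control_cost)),
                       key=lambda pair: pair[1])
    return option if cost < eal else "avoid"


# Constructed sample: the page's $50,000 / 6-out-of-10 case plus two made-up risks.
SAMPLE_RISKS = [
    Risk("customer database breach", annual_loss=50_000, likelihood_score=6),
    Risk("ransomware on file server", annual_loss=120_000, likelihood_score=2),
    Risk("defaced marketing site", annual_loss=8_000, likelihood_score=9),
]

if __name__ == "__main__":
    for name, eal in rank_risks(SAMPLE_RISKS):
        print(f"{name:30s} ${eal:>10,.0f}/yr")
    print(choose_strategy(SAMPLE_RISKS[0], 12_000, 20_000, 5_000))
```

Note that a risk with a larger raw loss ($120,000) ranks below the $50,000 database once likelihood is applied, which is exactly the comparison word labels cannot make.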