In AP Cybersecurity, residual risk is the amount of risk that still exists after an organization applies its risk management strategies (avoid, transfer, mitigate, or accept) and security controls. No control fully eliminates risk, so something always remains.
Residual risk is what's left over. You start with the full risk a threat poses to an asset, you apply controls to knock it down, and whatever risk survives that effort is the residual risk.
The risk management process in [AP Cybersecurity 2.1.E] gives you four options once you've identified and assessed a risk: avoid it, transfer it, mitigate it, or accept it. None of these get you to zero. Even risk avoidance leaves edge cases, transference still leaves you exposed while a claim is processed, and mitigation only reduces likelihood or impact without erasing it. After you've done all of that, the organization has to consciously decide whether the leftover residual risk is small enough to live with. If it is, that's risk acceptance applied to the remainder. Think of it as the gap between perfect security (which doesn't exist) and the security you actually have after spending your time and money.
This sits in Unit 2: Securing Spaces, inside topic 2.1 Cyber Foundations. It ties directly to [AP Cybersecurity 2.1.D] (the risk assessment process) and [AP Cybersecurity 2.1.E] (strategies for managing risk), because residual risk is literally the output of that whole process. You assess risk, you manage it, and what remains is residual. The exam expects you to understand that security is about reducing risk to an acceptable level, not eliminating it. That mindset is the foundation for why defense in depth ([AP Cybersecurity 2.1.G]) exists at all: you stack layers precisely because each single control leaves residual risk behind.
Visual cheatsheet
Risk Mitigation and the Four Management Strategies (Unit 2)
Mitigation reduces likelihood or impact with security controls, but it never hits zero. Residual risk is the slice that survives mitigation, and an organization then chooses to accept it or apply more controls.
Defense in Depth / Layered Defense (Unit 2)
Each layer leaves some residual risk, so you stack multiple controls. When one control is bypassed, the next one shrinks the residual risk further. Defense in depth is basically a strategy for chipping away at what's left over.
Risk Assessment: Likelihood and Severity (Unit 2)
Risk assessment scores a risk by likelihood and projected damage. After you apply controls, you re-score it, and the new likelihood-times-severity number is your residual risk. It tells you whether to keep spending or accept it.
The CIA Triad (Unit 2)
Controls protect confidentiality, integrity, and availability, but no control perfectly guarantees all three. Residual risk is the leftover exposure to data theft, manipulation, or downtime after your controls are in place.
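The re-scoring and layering described in the cards above, as an added worked example that is not part of the course material: a risk is scored as likelihood times severity, each control layer shrinks what the previous layer left, and the organization then compares the residual to its appetite. The 1-5 scales, the three controls and their reduction factors are constructed assumptions for illustration.

```python
# Added example (not course material): residual risk as re-scored
# likelihood x severity after each control layer is applied.
# The 1-5 scales, the controls and their reduction factors are
# constructed assumptions for illustration, not values from the course.
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    """A mitigating control. Each factor is the fraction of likelihood or
    severity that survives this layer; 1.0 means the layer does not touch it."""
    name: str
    likelihood_factor: float = 1.0
    severity_factor: float = 1.0


def risk_score(likelihood: float, severity: float) -> float:
    """Risk = likelihood x severity (assumed 1-5 scales, so the maximum is 25)."""
    return likelihood * severity


def residual_by_layer(likelihood, severity, controls):
    """Re-score the risk after every layer. Index 0 is the inherent risk
    (no controls); the last entry is the residual risk once all layers apply.
    Each layer only shrinks what the previous one left; it never reaches zero."""
    scores = [risk_score(likelihood, severity)]
    for c in controls:
        likelihood *= c.likelihood_factor
        severity *= c.severity_factor
        scores.append(risk_score(likelihood, severity))
    return scores


def decide(residual, appetite):
    """Risk acceptance applied to the remainder: accept if the residual is
    within the organization's appetite, otherwise add or strengthen controls."""
    return "accept" if residual <= appetite else "mitigate further"


# Constructed scenario: theft of customer data; inherent likelihood 4, severity 5.
LAYERS = [
    Control("MFA on all accounts", likelihood_factor=0.5),
    Control("encryption at rest", severity_factor=0.4),
    Control("intrusion detection system", likelihood_factor=0.8),
]

if __name__ == "__main__":
    scores = residual_by_layer(4, 5, LAYERS)
    print("inherent risk:", scores[0])
    for control, score in zip(LAYERS, scores[1:]):
        print(f"after {control.name}: residual {score:.1f}")
    print("decision at appetite 4:", decide(scores[-1], 4))
```

Running it shows the inherent score of 20 dropping to 10, then 4, then 3.2 as each layer is added, and that MFA alone would still leave more risk than an appetite of 4 allows.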
Multiple-choice questions in this unit lean hard on the four risk management strategies (avoid, transfer, mitigate, accept) and ask you to match a scenario to the right one. A company stopping its crypto services entirely is avoidance, buying cyber liability insurance is transference, and installing encryption plus MFA plus an intrusion detection system is mitigation. Residual risk is the concept that connects them: it's what's still on the table after a strategy is applied, and it's why acceptance exists as the fourth option. No released FRQ has used the exact phrase, but you should be ready to explain, in your own words, that controls reduce risk to an acceptable level rather than removing it entirely.
These are linked but not the same. Residual risk is the leftover risk after you've applied controls. Risk acceptance is the decision to live with a risk without spending more to reduce it. You accept residual risk, but acceptance is the action and residual risk is the thing being acted on.
Residual risk is the risk that remains after an organization applies its security controls and risk management strategies.
No control eliminates risk completely, so there is always some residual risk left over.
The four risk management strategies are avoid, transfer, mitigate, and accept, and each leaves behind some residual risk.
Defense in depth works by stacking layers so that each one reduces the residual risk left by the previous one.
After re-assessing likelihood and severity post-controls, an organization decides whether the residual risk is acceptable.
Residual risk is the amount of risk that still exists after an organization has applied its controls and chosen a risk management strategy. Because no defense is perfect, some risk always remains, and the organization decides whether to accept it or reduce it further.
No. Even with avoidance, transference, and mitigation combined, you can't fully eliminate risk. That's exactly why acceptance is one of the four management options and why defense in depth uses multiple layers instead of relying on one control.
Residual risk is the leftover risk after controls are applied. Risk acceptance is the decision to do nothing more about a risk. You apply acceptance to residual risk when it's small enough to live with, so one is the thing and the other is the choice.
Each security control leaves some residual risk behind. Defense in depth stacks multiple controls so that when one is bypassed, the next layer shrinks the remaining residual risk, which is why a layered defense beats a single barrier.
Yes, as part of Unit 2's risk management content. You'll most likely see it through scenario questions about the four strategies (avoid, transfer, mitigate, accept), where understanding that controls reduce but never eliminate risk is the key idea.