In AP Cybersecurity, risk occurs when a threat can exploit a vulnerability to compromise an asset, and it's assessed by the likelihood of an attack and the severity of the damage it would cause.
Risk is the chance that something bad actually happens to something you care about. The CED defines it precisely (EK 2.1.D.1): risk occurs when a threat can exploit a vulnerability to compromise an asset. All three pieces have to line up. A threat with no vulnerability to exploit, or a vulnerability that protects nothing valuable, doesn't add up to real risk.
To measure risk, you look at two things (EK 2.1.D.3): the likelihood that a vulnerability gets exploited, and the severity of the damage if it does. A flaw that's easy to exploit and would wipe out your customer database is high risk. A flaw that's nearly impossible to hit and would only cause minor annoyance is low risk. Once you've assessed a risk, you don't just stare at it. You pick one of four management strategies (EK 2.1.E.1): avoid, transfer, mitigate, or accept.
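As an added worked example (not from the CED or the course materials), the small risk register below applies EK 2.1.D.1 and 2.1.D.3 in Python: a row counts as a risk only when threat, vulnerability and asset are all present, and real risks are ranked by likelihood times severity. The 1-to-5 rating scales, the high/medium/low bands and the register entries are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class RiskEntry:
    """One risk-register row: threat, vulnerability, asset, and two ratings."""
    name: str
    threat: Optional[str]
    vulnerability: Optional[str]
    asset: Optional[str]
    likelihood: int  # constructed 1 (rare) .. 5 (almost certain) scale
    severity: int    # constructed 1 (nuisance) .. 5 (catastrophic) scale

def is_real_risk(entry: RiskEntry) -> bool:
    # EK 2.1.D.1: all three pieces must line up. A threat with nothing to
    # exploit, or a flaw that guards nothing valuable, is not a risk.
    return bool(entry.threat and entry.vulnerability and entry.asset)

def risk_score(entry: RiskEntry) -> int:
    # EK 2.1.D.3: weigh likelihood of exploitation against severity of damage.
    for factor in (entry.likelihood, entry.severity):
        if not 1 <= factor <= 5:
            raise ValueError(f"{entry.name}: ratings must be 1..5, got {factor}")
    return entry.likelihood * entry.severity

def risk_level(score: int) -> str:
    # Constructed banding of the 1..25 product into high / medium / low.
    if score >= 15:
        return "high"
    return "medium" if score >= 6 else "low"

def rank_register(entries: List[RiskEntry]) -> List[RiskEntry]:
    """Drop rows that are not real risks, then order the rest highest score first."""
    real = [e for e in entries if is_real_risk(e)]
    return sorted(real, key=lambda e: (-risk_score(e), e.name))

# Constructed sample register; names and ratings are illustrative only.
REGISTER = [
    RiskEntry("unpatched web server", "external attacker", "known flaw in web framework",
              "customer database", 5, 5),
    RiskEntry("staff phishing", "social engineer", "no MFA on email", "employee mailboxes", 4, 3),
    RiskEntry("defaced FAQ page", "vandal", "weak wiki password", "public FAQ page", 2, 1),
    # A threat with no vulnerability to use is not a risk (EK 2.1.D.1).
    RiskEntry("nation-state interest", "nation-state actor", None, "customer database", 5, 5),
    # A vulnerability that protects nothing of value is not a risk either.
    RiskEntry("retired kiosk", "insider", "default password", None, 3, 3),
]
if __name__ == "__main__":
    for e in rank_register(REGISTER):
        print(f"{risk_score(e):>2} {risk_level(risk_score(e)):<6} {e.name}")
```

Running it lists only the three real risks, highest score first, so the two rows missing a vulnerability or an asset never reach the ranking.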
Risk is the backbone of Topic 2.1 (Cyber Foundations) in Unit 2: Securing Spaces. It directly anchors two learning objectives: AP Cybersecurity 2.1.D (describe the risk assessment process) and AP Cybersecurity 2.1.E (identify strategies for managing risk). Almost everything else in this unit feeds into risk. The adversaries (2.1.B), the attack phases (2.1.C), and the social engineering tactics (2.1.A) are the threats. The security controls (2.1.F) and defense in depth (2.1.G) are how you mitigate. Understand risk and you understand why the whole unit is organized the way it is: identify threats, find vulnerabilities, protect assets, decide what to do.
Asset, Likelihood, and Threat (Unit 2)
Risk isn't a standalone idea. It's literally the product of three other terms colliding: a threat exploits a vulnerability to hit an asset, and you weigh it by likelihood and severity. If you can't name the asset at risk, you haven't actually identified a risk yet.
Security Controls and the CIA Triad (Unit 2)
Risk mitigation means installing controls that protect confidentiality, integrity, or availability. Encryption defends confidentiality, integrity checks catch tampering, and backups protect availability. The CIA triad tells you which kind of risk a given control is fighting.
Defense in Depth / Layered Defense (Unit 2)
Mitigation is one risk strategy, and defense in depth is mitigation done right. Stacking multiple controls means that when one layer fails, another still catches the attack, which lowers both the likelihood and the severity halves of your risk equation.
Phases of a Cyberattack (Unit 2)
The attack phases (reconnaissance, initial access, persistence, and so on) are the threat side of the risk equation in motion. Knowing how adversaries operate helps you judge how likely a vulnerability is to actually be exploited.
Expect multiple-choice questions that give you a scenario and ask which of the four risk management strategies a company chose. The pattern is consistent: stopping an activity entirely (like halting all cryptocurrency transactions) is avoidance, buying insurance is transference, installing controls like encryption and multi-factor authentication is mitigation, and choosing to live with a small risk is acceptance. You should be able to read a short business situation and label the strategy instantly. You may also see questions asking what makes up risk (threat + vulnerability + asset) or how to rank risks by likelihood and severity. No released FRQ has used the word verbatim, but risk-assessment reasoning supports any free-response question that asks you to recommend or justify a security decision.
A threat is the danger (a hacker, malware, an insider). A vulnerability is the weakness the threat could exploit. Risk is what you get when those two combine against a valuable asset. Threats and vulnerabilities can exist on their own, but risk only exists when a threat actually has a vulnerability it can use to hurt something you value.
Risk occurs when a threat can exploit a vulnerability to compromise an asset, so all three pieces must be present.
Risk assessment weighs two factors: the likelihood of an attack and the severity of the damage it would cause.
There are exactly four ways to manage a risk: avoid, transfer, mitigate, and accept.
Avoidance stops the risky activity, transference shifts the burden (often via insurance), mitigation adds security controls, and acceptance means living with the risk.
Risk avoidance isn't always an option, because you can't stop an activity that's critical to the organization's mission.
Defense in depth is a form of risk mitigation that uses layered controls so one failure doesn't expose the whole system.
Risk is when a threat can exploit a vulnerability to compromise an asset. You measure it by how likely the attack is and how severe the damage would be if it happened.
Avoid (stop the activity causing the risk), transfer (shift the burden to another entity like an insurer), mitigate (add security controls to reduce likelihood or impact), and accept (decide to live with the risk).
Transference. Buying insurance moves the financial burden of the risk onto another entity, the insurance company, instead of eliminating the activity. Avoidance would mean stopping the risky activity entirely.
A threat is the danger by itself, like a hacker or malware. Risk is what you get when that threat actually has a vulnerability to exploit against something valuable. No vulnerability or no asset means no real risk, even if the threat exists.
Defense in depth is a way to mitigate. Mitigation means adding controls to lower likelihood or impact, and defense in depth does this by stacking multiple layers so that if one control is bypassed, another still protects the asset.