Risk avoidance

In AP Cybersecurity, risk avoidance is a risk-management strategy that eliminates a risk by stopping the activity that generates it. It's one of four options (avoid, transfer, mitigate, accept) and isn't possible if the activity is critical to the organization's mission.

Verified for the 2027 AP Cybersecurity exam. Last updated June 2026.

What is risk avoidance?

Risk avoidance is the most direct way to handle a risk: you just stop doing the thing that creates it. No activity, no risk. If a company decides cryptocurrency transactions are too risky, it shuts down crypto services entirely. That's avoidance.

Under EK 2.1.E.2, risk avoidance "stops the activity that is generating the risk." The catch is right there in the same essential knowledge: if that activity is a critical part of the organization's mission or purpose, then avoidance isn't possible. A hospital can't avoid the risk of patient-data breaches by deleting all patient records, because handling that data IS the job. So avoidance only works when the risky activity is optional. It's one of the four risk-management options (avoid, transfer, mitigate, accept) from EK 2.1.E.1.

Why risk avoidance matters in AP Cybersecurity

Risk avoidance lives in Unit 2: Securing Spaces, under Topic 2.1 Cyber Foundations, and it supports learning objective AP Cybersecurity 2.1.E, identify strategies for managing risk. It sits at the tail end of the risk workflow. First you assess a risk (2.1.D) by weighing likelihood and severity, then you choose how to manage it. Avoidance is the strategy you pick when the risk outweighs the value of the activity AND the activity is something you can live without. Knowing the difference between the four strategies is the whole point of this objective, and avoidance is the easiest to confuse with the others.


How risk avoidance connects across the course

The four risk-management strategies: transfer, mitigate, accept (Unit 2)

Avoidance is one of four siblings from EK 2.1.E.1. The fastest way to nail exam questions is to memorize the verb: avoid means STOP the activity, transfer means PAY someone else (like insurance) to carry the risk, mitigate means ADD controls to shrink the risk, and accept means DO NOTHING because the cost of fixing it is higher than the risk itself.

Risk assessment (Unit 2)

You can't choose avoidance until you've assessed the risk first. EK 2.1.D weighs likelihood and severity. If the projected damage is severe and the activity isn't essential, avoidance becomes the obvious move.

Risk mitigation and defense in depth (Unit 2)

Mitigation is what you reach for when avoidance is off the table. Since a hospital can't avoid handling patient data, it layers security controls instead, which is the defense-in-depth idea from EK 2.1.G. Avoidance removes the risk; mitigation reduces it.

Assets and the CIA triad (Unit 2)

An asset (EK 2.1.D.2) is anything valuable, and risk happens when a threat exploits a vulnerability against that asset. Avoidance protects an asset's confidentiality, integrity, and availability by removing the exposure entirely instead of guarding it.

Is risk avoidance on the AP Cybersecurity exam?

Expect multiple-choice stems that hand you a scenario and ask which risk-management strategy it shows. The giveaway for avoidance is language like "stop all," "discontinue," or "entirely" cutting off an activity. For example, a financial services company that "decides to stop all cryptocurrency transaction services entirely" is doing avoidance, while a company that buys cyber liability insurance is doing transfer, and one that installs encryption plus multi-factor authentication is doing mitigation. Your job is to match the action to the right strategy. Read carefully, because the wrong answers are usually the other three strategies dressed up in similar scenarios.

Risk avoidance vs risk mitigation

Both reduce your exposure to a threat, but they're opposites in approach. Avoidance ELIMINATES the risk by ending the activity, so the risk drops to zero. Mitigation KEEPS the activity but adds security controls (encryption, MFA, firewalls) to lower the likelihood or impact. If the scenario says "stopped doing X," it's avoidance. If it says "installed" or "implemented" controls while still doing X, it's mitigation.
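The assess-then-choose workflow above (weigh likelihood and severity per EK 2.1.D, then pick avoid, transfer, mitigate or accept per EK 2.1.E) can be written down as a small risk register. The following is an added worked example, not code from the original page or from the AP course materials: the 1-to-5 scales, the `HIGH_RISK` threshold, the dollar figures and the `Risk` fields are all assumptions chosen for illustration, and the sample entries are constructed to mirror the page's own scenarios (crypto services, hospital patient data, cyber insurance).

```python
"""Tiny risk register applying the assess (2.1.D) -> manage (2.1.E) workflow.

Added example; the numeric scales, threshold and sample figures are assumptions,
not values prescribed by the AP Cybersecurity course.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Risk:
    activity: str
    likelihood: int                 # assumed scale: 1 (rare) .. 5 (almost certain)
    severity: int                   # assumed scale: 1 (negligible) .. 5 (catastrophic)
    mission_critical: bool          # EK 2.1.E.2: avoidance is impossible when True
    activity_value: float           # assumed: value the activity brings, in $k
    expected_loss: float            # assumed: likelihood-weighted loss, in $k
    control_cost: float             # assumed: cost of mitigating controls, in $k
    transfer_premium: Optional[float] = None  # assumed: insurance premium if offered


HIGH_RISK = 12  # assumed threshold on the 1..25 likelihood x severity score


def assess(risk: Risk) -> int:
    """EK 2.1.D: rate the risk by weighing likelihood against severity."""
    return risk.likelihood * risk.severity


def choose_strategy(risk: Risk) -> str:
    """EK 2.1.E: pick one of avoid / transfer / mitigate / accept."""
    score = assess(risk)

    # Avoid: the risk outweighs the value of the activity AND the activity is
    # optional (EK 2.1.E.2). Stopping the activity drops the risk to zero.
    if (score >= HIGH_RISK
            and risk.expected_loss > risk.activity_value
            and not risk.mission_critical):
        return "avoid"

    # Accept: the cheapest way of dealing with the risk costs more than the
    # risk itself, so do nothing (EK 2.1.E.1 'accept').
    options = [risk.control_cost]
    if risk.transfer_premium is not None:
        options.append(risk.transfer_premium)
    if min(options) > risk.expected_loss:
        return "accept"

    # Transfer: pay another party (insurance) to carry the risk when that is
    # cheaper than building controls (EK 2.1.E.3).
    if risk.transfer_premium is not None and risk.transfer_premium < risk.control_cost:
        return "transfer"

    # Mitigate: keep the activity and add controls to shrink likelihood/impact.
    # This is the only option left for mission-critical activities.
    return "mitigate"


def build_register(risks: list) -> dict:
    """Map each activity to (score, chosen strategy)."""
    return {r.activity: (assess(r), choose_strategy(r)) for r in risks}


# Constructed sample entries mirroring the page's scenarios (figures assumed).
SAMPLE_RISKS = [
    Risk("crypto transaction services", 4, 4, False, 200.0, 500.0, 300.0),
    Risk("handling patient records", 3, 5, True, 5000.0, 2000.0, 400.0),
    Risk("public web portal", 2, 4, False, 900.0, 300.0, 250.0, transfer_premium=100.0),
    Risk("office printer sharing", 1, 2, False, 20.0, 5.0, 50.0),
]


if __name__ == "__main__":
    for activity, (score, strategy) in build_register(SAMPLE_RISKS).items():
        print(f"{activity:30s} score={score:2d} -> {strategy}")
```

Reading the output the way an exam stem would: the optional, high-scoring crypto service is avoided; the hospital's patient records are mission-critical, so avoidance is ruled out and the register falls through to mitigation; the portal is transferred because the assumed premium is cheaper than building controls; and the printer risk is accepted because any fix costs more than the risk.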

Key things to remember about risk avoidance

  • Risk avoidance eliminates a risk by stopping the activity that generates it (EK 2.1.E.2).

  • Avoidance is one of four risk-management strategies: avoid, transfer, mitigate, and accept.

  • If the risky activity is critical to the organization's mission, avoidance is not an option, and you mitigate instead.

  • On the exam, words like "stop," "discontinue," or "entirely" signal avoidance, while "insurance" signals transfer and "install controls" signals mitigation.

  • You only choose a management strategy after assessing the risk's likelihood and severity (EK 2.1.D).

Frequently asked questions about risk avoidance

What is risk avoidance in AP Cybersecurity?

Risk avoidance is a risk-management strategy that removes a risk by stopping the activity that creates it (EK 2.1.E.2). It's one of four options alongside transfer, mitigation, and acceptance.

Is risk avoidance always possible?

No. Per EK 2.1.E.2, if the risky activity is a critical part of the organization's mission, avoidance isn't possible. A hospital can't avoid the risk of patient-data breaches by deleting all patient data, so it has to mitigate instead.

How is risk avoidance different from risk mitigation?

Avoidance stops the activity entirely, dropping the risk to zero. Mitigation keeps the activity but adds security controls like encryption and multi-factor authentication to reduce the likelihood or impact of an attack.

Is buying cyber insurance an example of risk avoidance?

No, that's risk transference. Transfer places the burden of the risk on another entity such as an insurance company (EK 2.1.E.3). Avoidance would mean stopping the risky activity altogether.

What are the four risk-management strategies in AP Cybersecurity?

Avoid, transfer, mitigate, and accept (EK 2.1.E.1). Avoid stops the activity, transfer shifts the burden to another party, mitigate adds controls to reduce the risk, and accept does nothing because fixing it costs more than the risk.
