Risk mitigation

In AP Cybersecurity, risk mitigation is one of four risk-management strategies. It means implementing security controls to reduce the likelihood or impact of a risk, rather than avoiding, transferring, or simply accepting it.

Verified for the 2027 AP Cybersecurity exam. Last updated June 2026.

What is risk mitigation?

Risk mitigation is what most people picture when they think "cybersecurity": you keep doing the risky activity, but you add protections to make an attack less likely or less damaging. Encryption, multi-factor authentication, firewalls, and intrusion detection systems are all mitigation in action. You're not eliminating the risk; you're shrinking it.

The AP CED lists four ways to manage a risk once you've identified and assessed it (EK 2.1.E.1): avoid, transfer, mitigate, and accept. Mitigation (EK 2.1.E.4) is the one where you deploy security controls to lower the likelihood that a vulnerability gets exploited or to limit the severity if it does. Remember the two factors from the risk assessment process: likelihood and impact. Mitigation targets one or both of them directly.

Why risk mitigation matters in AP Cybersecurity

This term lives in Unit 2: Securing Spaces, under topic 2.1 Cyber Foundations, and it ties directly to learning objective AP Cybersecurity 2.1.E (identify strategies for managing risk). It sits at the hinge point between two ideas the exam loves: the risk assessment process (2.1.D) that measures likelihood and impact, and the security controls (2.1.F) and defense-in-depth strategy (2.1.G) you actually deploy. Mitigation is the answer to "so what do we do about this risk?" Knowing it lets you connect a threat all the way through to a concrete defensive choice.


How risk mitigation connects across the course

Security Controls (Unit 2)

Mitigation is the strategy; security controls are the tools that carry it out. Every firewall, encryption scheme, or access policy you add is a control doing mitigation work by lowering likelihood or impact.

Defense in Depth / Layered Defense (Unit 2)

Defense in depth is mitigation taken seriously. Instead of one control, you stack several so that if an adversary slips past one layer, another still limits the damage. It's mitigation built for resilience.

Risk Assessment: Likelihood and Impact (Unit 2)

You can't mitigate intelligently without first assessing risk. The two factors you measure, likelihood and impact, are the exact two things mitigation aims to reduce, so the assessment tells you where controls are worth the cost.
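The following is an added worked example, not part of the original page or the AP CED: a tiny risk-register model that scores a risk as likelihood times impact and then shows what each of the four strategies does to that score. It also shows why stacking controls (defense in depth, above) compounds the reduction and why residual risk remains unless the activity is avoided. The 1 to 5 scales, the multiplicative reduction model, and the reduction fractions assigned to each control are illustrative assumptions, not AP-defined values.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Control:
    """A security control and the fraction of likelihood or impact it removes.

    The reduction fractions are illustrative assumptions, not AP CED values.
    """
    name: str
    likelihood_reduction: float = 0.0  # 0.0 (no effect) .. 1.0 (removes it entirely)
    impact_reduction: float = 0.0


@dataclass
class Risk:
    """One row of a risk register, scored on assumed 1..5 likelihood and impact scales."""
    name: str
    likelihood: float
    impact: float
    controls: list[Control] = field(default_factory=list)
    transferred_fraction: float = 0.0  # share of the loss an insurer or third party absorbs
    avoided: bool = False              # True once the activity itself has been stopped

    def inherent_score(self) -> float:
        """Likelihood x impact before any strategy is applied."""
        return self.likelihood * self.impact

    def residual_likelihood(self) -> float:
        """Likelihood after each control strips its share. Controls multiply, so
        stacking them (defense in depth) compounds the reduction."""
        remaining = self.likelihood
        for control in self.controls:
            remaining *= 1.0 - control.likelihood_reduction
        return remaining

    def residual_impact(self) -> float:
        """Impact after controls, then after whatever was transferred to an insurer.
        Transfer changes who pays; it does not change how likely the attack is."""
        remaining = self.impact
        for control in self.controls:
            remaining *= 1.0 - control.impact_reduction
        return remaining * (1.0 - self.transferred_fraction)

    def residual_score(self) -> float:
        """Risk left over after the chosen strategies; zero only if the activity is avoided."""
        if self.avoided:
            return 0.0
        return self.residual_likelihood() * self.residual_impact()

    def strategies(self) -> list[str]:
        """Name the risk-management strategies this row actually uses."""
        if self.avoided:
            return ["avoid"]
        applied = []
        if self.controls:
            applied.append("mitigate")
        if self.transferred_fraction > 0:
            applied.append("transfer")
        return applied or ["accept"]


def mitigate(risk: Risk, *controls: Control) -> Risk:
    """Return a copy with extra controls added; the activity itself keeps running."""
    return Risk(risk.name, risk.likelihood, risk.impact,
                risk.controls + list(controls), risk.transferred_fraction, risk.avoided)


def transfer(risk: Risk, fraction: float) -> Risk:
    """Return a copy where `fraction` of the loss is carried by someone else (insurance)."""
    return Risk(risk.name, risk.likelihood, risk.impact,
                list(risk.controls), fraction, risk.avoided)


def avoid(risk: Risk) -> Risk:
    """Return a copy with the activity stopped; nothing is left to exploit."""
    return Risk(risk.name, risk.likelihood, risk.impact,
                list(risk.controls), risk.transferred_fraction, True)


# Constructed sample: the crypto-transaction scenario used on the page, scored as
# likelihood 4 (likely) and impact 5 (catastrophic) on the assumed 1..5 scales.
CRYPTO = Risk("Fraudulent crypto transactions", likelihood=4, impact=5)

MFA = Control("multi-factor authentication", likelihood_reduction=0.5)
ENCRYPTION = Control("encryption at rest", impact_reduction=0.5)
IDS = Control("intrusion detection", impact_reduction=0.25)  # faster response shrinks damage
FIREWALL = Control("network firewall", likelihood_reduction=0.5)

MITIGATED = mitigate(CRYPTO, MFA, ENCRYPTION, IDS)
LAYERED = mitigate(MITIGATED, FIREWALL)   # defense in depth: one more layer
INSURED = transfer(CRYPTO, 0.5)           # insurer covers half the loss
AVOIDED = avoid(CRYPTO)

if __name__ == "__main__":
    for row in (CRYPTO, MITIGATED, LAYERED, INSURED, AVOIDED):
        print(f"{'+'.join(row.strategies()):18} inherent={row.inherent_score():5.2f} "
              f"residual={row.residual_score():5.2f}")
```

Run it and the scores line up with the page's argument: the untouched risk scores 20, the mitigated one 3.75, the extra firewall layer brings it to 1.875, insurance alone halves the organization's exposure to 10 without changing likelihood, and only avoidance reaches 0. Mitigation never gets there; the leftover is the residual risk.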

Phases of a Cyberattack (Unit 2)

Mitigation maps onto attack phases. Controls like endpoint detection and response can catch lateral movement or evasion, meaning you're reducing impact even after an adversary gets initial access.

Is risk mitigation on the AP Cybersecurity exam?

Expect scenario-based multiple-choice questions that describe an organization's situation and ask which of the four risk-management strategies it chose. The trick is telling mitigation apart from the other three. If a company "installs encryption software, implements multi-factor authentication, and deploys intrusion detection," that's mitigation, because it keeps operating but adds controls. If it "stops all cryptocurrency transaction services entirely," that's avoidance. If it "purchases cyber liability insurance," that's transference. Read for the action: adding controls while continuing the activity is your mitigation tell. No released FRQ has used the term verbatim, but knowing all four strategies cold is exactly the kind of foundational distinction the exam rewards.

Risk mitigation vs risk avoidance

Avoidance stops the risky activity completely (no more crypto transactions, period). Mitigation keeps the activity going but adds protections to make it safer. The giveaway: avoidance removes the activity, mitigation defends it. If the activity is critical to the mission, avoidance isn't even an option, so mitigation becomes the realistic choice.

Key things to remember about risk mitigation

  • Risk mitigation is one of four risk-management strategies: avoid, transfer, mitigate, and accept (EK 2.1.E.1).

  • Mitigation means implementing security controls to reduce the likelihood or impact of a risk while continuing the activity.

  • Encryption, multi-factor authentication, firewalls, and intrusion detection are all examples of mitigation.

  • Mitigation targets the same two factors you measure during risk assessment: likelihood and impact.

  • A defense-in-depth strategy is mitigation done with multiple stacked controls so one failure doesn't expose everything.

Frequently asked questions about risk mitigation

What is risk mitigation in AP Cybersecurity?

It's one of the four ways to manage a risk: you implement security controls to reduce the likelihood or impact of an attack, rather than stopping the activity or passing the risk to someone else. It's defined in EK 2.1.E.4 under learning objective 2.1.E.

Is buying cyber insurance an example of risk mitigation?

No. Buying insurance is risk transference (EK 2.1.E.3), because you're shifting the financial burden to another entity. Mitigation means adding your own security controls, like encryption or MFA, not handing the risk to an insurer.

How is risk mitigation different from risk avoidance?

Avoidance stops the risky activity altogether (like shutting down crypto transaction services), while mitigation keeps the activity running but adds protections to make it safer. Avoidance removes the activity; mitigation defends it.

Does risk mitigation eliminate risk completely?

No. Mitigation reduces likelihood or impact, but it doesn't make the risk disappear. There's almost always residual risk left over, which is why organizations stack controls (defense in depth) and sometimes combine strategies.

How do I tell which risk strategy a scenario is describing on the exam?

Read for the action. Adding controls while continuing the activity is mitigation. Stopping the activity is avoidance. Passing the risk to an insurer or third party is transference. Doing nothing because the cost of fixing it outweighs the risk is acceptance.
