Severity

In AP Cybersecurity, severity is the extent of the financial, operational, and reputational damage that would result from a successful attack against a specific vulnerability. It's one of the two factors, along with likelihood, that a risk assessment evaluates.

Verified for the 2027 AP Cybersecurity exam. Last updated June 2026.

What is severity?

Severity is how bad it would be if an attack actually worked. Not how likely the attack is, but how much it would hurt. EK 2.1.D.3 spells out that a risk assessment weighs two things: the likelihood of a vulnerability being exploited, and the severity of the projected damage if it is.

Think of severity as the damage estimate. It covers financial losses, operational disruption (systems going down, work grinding to a halt), and reputational harm (customers losing trust). A breach of a hospital's unencrypted patient records is high-severity because it hits all three at once: lawsuits and fines, disrupted care, and a wrecked reputation. Severity is what you're measuring when you ask, "If this goes wrong, how big is the crater?"

Why severity matters in AP Cybersecurity

Severity lives in Unit 2: Securing Spaces, specifically topic 2.1 Cyber Foundations, and it anchors learning objective AP Cybersecurity 2.1.D, describing the risk assessment process. You can't reason about risk without it. EK 2.1.D.1 defines risk as a threat exploiting a vulnerability to compromise an asset, and EK 2.1.D.3 makes severity one of the two dials you turn to size up that risk.

Severity also feeds directly into the next objective, AP Cybersecurity 2.1.E, managing risk. The four options (avoid, transfer, mitigate, accept) only make sense once you know how severe the damage would be. High severity pushes you toward mitigation or avoidance; low severity might be something you just accept.


How severity connects across the course

Likelihood (Unit 2)

Severity and likelihood are the two halves of a risk assessment. Likelihood asks how probable an attack is; severity asks how much it would hurt. A low-likelihood, high-severity threat (like a catastrophic but rare breach) needs a very different response than a high-likelihood, low-severity one.

Asset (Unit 2)

Severity is tied to the value of the asset at risk. EK 2.1.D.2 lists assets like data, intellectual property, and reputation. The more valuable the asset, the higher the severity if it's compromised, which is why proprietary drug formulas or patient records score so high.

Risk Mitigation and the Four Risk Strategies (Unit 2)

Once you've rated severity, you pick a management strategy from AP Cybersecurity 2.1.E. High severity usually pushes you to mitigate (add security controls) or avoid the activity entirely, while low severity might be safe to accept.

CIA Triad (Unit 2)

Severity often comes down to which part of the CIA triad gets hit. A breach of confidentiality (stolen data), a loss of integrity (manipulated records), or an availability outage (downtime) each carries different damage, and the severity rating reflects which principle the attack threatens.

Is severity on the AP Cybersecurity exam?

Severity shows up most in risk assessment MCQs. Expect a stem describing a breach (a financial company losing customer payment data, a pharmaceutical company's drug formulas exposed) and a question asking which factor to assess when judging severity, or asking you to name the term for "the extent of financial, operational, and reputational damage that would result from a successful attack." That's severity, full stop. The trap is confusing it with likelihood, so read carefully: a question about how much damage an attack would do is about severity, and a question about how probable the attack is, is about likelihood. That's the dividing line. You should be able to take a scenario, identify the asset, and reason about whether the damage (severity) is high or low.

Severity vs likelihood

Likelihood is the probability that a vulnerability gets exploited; severity is how much damage results if it does. A vulnerability can be very likely to be exploited but cause minor damage (low severity), or very unlikely but devastating if it happens (high severity). A risk assessment needs both numbers, not just one.
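To see why one number isn't enough, here is an added example (not part of the course material) of a tiny risk register in Python. The 1-5 scale, the cut-off for "high", the ratings, and the choice to rate severity by the worst of the three damage types are all assumptions made for illustration.

```python
from dataclasses import dataclass

HIGH = 4  # assumed cut-off for "high" on a constructed 1-5 scale


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int    # 1 = rare, 5 = almost certain
    financial: int     # damage ratings: 1 = minor, 5 = catastrophic
    operational: int
    reputational: int

    @property
    def severity(self) -> int:
        # Assumption: the worst of the three damage types sets the rating.
        return max(self.financial, self.operational, self.reputational)

    @property
    def score(self) -> int:
        # The single combined number that hides the difference shown below.
        return self.likelihood * self.severity


def _level(n: int) -> str:
    return "high" if n >= HIGH else "low"


def quadrant(r: Risk) -> tuple:
    """(likelihood level, severity level) kept as two separate answers."""
    return (_level(r.likelihood), _level(r.severity))


def strategies(r: Risk) -> tuple:
    # The page's rule of thumb only; it gives no rule for "transfer".
    return ("mitigate", "avoid") if r.severity >= HIGH else ("accept",)


def score_collisions(risks) -> dict:
    """Scores shared by risks that sit in different quadrants."""
    groups = {}
    for r in risks:
        groups.setdefault(r.score, []).append(r)
    return {s: [r.name for r in g] for s, g in groups.items()
            if len({quadrant(r) for r in g}) > 1}


# Constructed register; the ratings are illustrative, not measured.
REGISTER = [
    Risk("patient records breach", 1, 5, 4, 5),
    Risk("brief public website outage", 5, 1, 1, 1),
    Risk("drug formulas exposed", 2, 5, 2, 4),
]
```

Calling `score_collisions(REGISTER)` shows the records breach and the website outage sharing a combined score of 5 even though one is rare but devastating and the other is frequent but minor, which is why severity and likelihood are reported separately.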

Key things to remember about severity

  • Severity is the extent of financial, operational, and reputational damage that would result from a successful attack.

  • Severity and likelihood are the two factors a risk assessment evaluates (EK 2.1.D.3), and you need both to judge overall risk.

  • The more valuable the asset at stake, the higher the severity if that asset is compromised.

  • Severity drives which risk management strategy you choose: high severity points toward mitigation or avoidance, low severity may be acceptable.

  • Don't confuse severity (how bad the damage) with likelihood (how probable the attack).

Frequently asked questions about severity

What is severity in AP Cybersecurity?

Severity is the extent of financial, operational, and reputational damage that would result from a successful attack against a specific vulnerability. It's one of the two factors in a risk assessment, the other being likelihood (EK 2.1.D.3).

Is severity the same as likelihood?

No. Likelihood is how probable an attack is; severity is how much damage it would cause if it succeeds. A risk assessment measures both, because a threat can be likely but harmless or rare but catastrophic.

How does severity relate to assets in a risk assessment?

Severity tracks the value of the asset at risk. EK 2.1.D.2 lists assets like data, intellectual property, and reputation, so a breach of high-value patient records or proprietary drug formulas carries high severity.

Why does severity matter for managing risk?

Severity helps you choose among the four risk strategies in AP Cybersecurity 2.1.E. High-severity risks usually get mitigated with security controls or avoided altogether, while low-severity risks might simply be accepted.

What does a high-severity attack look like on the exam?

Look for scenarios where a breach hits finances, operations, and reputation at once, like a financial company exposing customer payment data or a hospital leaking unencrypted health records. Those all rate as high severity.
