In IB Computer Science, security is not only about technology — it is also about planning and decision-making. One of the most important planning tools is risk assessment. Students are expected to understand what risk assessment is, why it is used, and how it helps organisations reduce harm.
IB examiners reward answers that explain process and reasoning, not just definitions.
What Is Risk Assessment?
Risk assessment is the process of:
- Identifying potential risks
- Analysing how serious those risks are
- Deciding how to reduce or manage them
In IB terms, a risk exists when:
- A threat can exploit a vulnerability
- Harm could occur as a result
Risk assessment helps organisations prioritise security efforts.
Why Risk Assessment Is Important
No system can be completely risk-free.
Risk assessment allows organisations to:
- Focus on the most serious risks
- Use resources efficiently
- Reduce the likelihood and impact of harm
Without risk assessment:
- Security decisions may be random
- Important threats may be ignored
- Time and money may be wasted
IB students should recognise that risk assessment supports informed decision-making.
Step 1: Identifying Risks
The first step is to identify risks by examining:
- Assets (what needs protection)
- Threats (what could cause harm)
- Vulnerabilities (where weaknesses exist)
Examples of assets include:
- Personal data
- Financial records
- System availability
Identifying risks means recognising what could go wrong.
Step 2: Analysing Likelihood and Impact
Once risks are identified, they are analysed based on:
- Likelihood – how likely the risk is to occur
- Impact – how serious the consequences would be
For example:
- A rare event with severe impact
- A frequent event with low impact
IB students should explain that:
- High-likelihood, high-impact risks are prioritised
This analysis allows risks to be ranked.
Step 3: Evaluating and Prioritising Risks
After analysis, risks are:
- Compared
- Ranked
- Prioritised
Organisations decide:
- Which risks must be addressed immediately
- Which risks can be accepted
Not all risks can be eliminated — some are accepted if mitigation costs are too high.
Step 4: Risk Mitigation
Risk mitigation involves:
- Reducing likelihood
- Reducing impact
- Or both
Mitigation strategies include:
- Improving access control
- Applying software updates
- User training
- Implementing backups
IB examiners expect students to link mitigation directly to identified risks.
Accepting, Avoiding, or Transferring Risk
After assessment, organisations may:
- Accept the risk
- Avoid the risk by changing systems
- Transfer the risk (e.g. insurance or outsourcing)
Risk assessment supports these strategic decisions.
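Steps 1 to 4 and the accept decision can be worked through as a small risk register. This is an added example, not part of the original article. The 1-5 scales, the likelihood x impact score, the urgency threshold, the tie-break on impact and all cost figures are assumptions chosen for illustration.

```python
from dataclasses import dataclass

URGENT = 15  # assumed threshold for "must be addressed immediately"

@dataclass
class Risk:
    asset: str            # Step 1: what needs protection
    threat: str           # Step 1: what could cause harm
    vulnerability: str    # Step 1: where the weakness exists
    likelihood: int       # Step 2: 1 (rare) to 5 (frequent)
    impact: int           # Step 2: 1 (minor) to 5 (severe)
    mitigation: str       # Step 4: control linked to this specific risk
    mitigation_cost: int  # assumed cost of the control
    loss_if_occurs: int   # assumed cost of the harm if nothing is done

    def __post_init__(self):
        for name in ("likelihood", "impact"):
            if not 1 <= getattr(self, name) <= 5:
                raise ValueError(f"{name} must be 1-5 for {self.asset!r}")

    @property
    def score(self) -> int:
        # Assumed scoring rule: likelihood x impact, giving 1 to 25.
        return self.likelihood * self.impact

def rank(risks):
    """Step 3: highest score first; equal scores ordered by impact."""
    return sorted(risks, key=lambda r: (r.score, r.impact), reverse=True)

def treatment(risk):
    """Accept when the control costs more than the harm it prevents."""
    if risk.mitigation_cost > risk.loss_if_occurs:
        return "accept"
    return "mitigate now" if risk.score >= URGENT else "mitigate later"

# Constructed sample register for a school system (all values invented).
REGISTER = [
    Risk("System availability", "Hardware failure", "No backups",
         1, 5, "Implementing backups", 1500, 20000),   # rare, severe
    Risk("Staff inboxes", "Spam", "Weak filtering",
         5, 1, "Replace mail system", 4000, 500),      # frequent, low impact
    Risk("Personal data", "Phishing", "Untrained users",
         4, 5, "User training", 2000, 50000),
    Risk("Financial records", "Malware", "Outdated software",
         3, 4, "Applying software updates", 1000, 30000),
]

if __name__ == "__main__":
    for r in rank(REGISTER):
        print(f"{r.score:>2}  {r.asset:<20} {treatment(r):<15} {r.mitigation}")
```

The rare-but-severe and frequent-but-minor risks both score 5, which is why a ranking needs a rule for ties and why likelihood and impact should be reported separately as well as combined.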
Risk Assessment in Real-World Systems
Risk assessment is used in:
- Schools
- Banks
- Healthcare systems
- Online platforms
Each system has different assets and priorities, so risk assessments vary.
Common Student Mistakes
Students often:
- Describe risks without analysing them
- Ignore likelihood or impact
- Forget mitigation
- Treat all risks as equal
Clear step-by-step explanations earn higher marks.
How This Appears in IB Exams
IB questions may ask students to:
- Define risk assessment
- Identify risks in a scenario
- Analyse likelihood and impact
- Suggest appropriate mitigation
Structured answers score highest.
Final Thoughts
Risk assessment is the systematic process of identifying, analysing, and managing risks. By evaluating likelihood and impact, organisations can prioritise threats and apply effective security measures.
Understanding risk assessment allows IB Computer Science students to explain how real-world systems manage security responsibly and efficiently — exactly what examiners expect.
