AP Cybersecurity Unit 2 Lesson 3 Exercise 1
Exercise 1 — Physical Security Assessment
6 questions — Evaluate physical security controls and identify vulnerabilities
Pinnacle Wealth Advisors occupies floors 14-16 of a downtown office tower shared with other tenants. The firm stores sensitive client financial data on servers in a dedicated server room on floor 15. A physical security audit has identified six concerns. Evaluate each finding.
(A) Incorrect — while locks can be picked, the primary risk here is the unretrieved key granting ongoing authorized-level access.
(C) Incorrect — the remaining staff still have their copies; the issue is unauthorized access, not lost access.
(D) Incorrect — physical keys are a well-known weakness precisely because they cannot be audited or remotely revoked.
(A) Incorrect — pretexting involves a fabricated scenario; tailgating exploits courtesy without any story.
(C) Incorrect — shoulder surfing involves observing credential entry, not following through doors.
(D) Incorrect — dumpster diving involves searching trash for information, not physical entry.
(A) Incorrect — physical threats (fire, flood, theft, unauthorized access) are significant risks to server infrastructure.
(B) Incorrect — unauthorized access (no camera, no log) is also a major vulnerability, not just environmental threats.
(D) Incorrect — the surveillance gap is one of several vulnerabilities, not the only one.
(A) Incorrect — acceptable use policies govern digital behavior, not physical workspace security.
(C) Incorrect — password complexity does not prevent employees from writing passwords on sticky notes.
(D) Incorrect — data retention governs storage duration, not physical workspace hygiene.
I. Requiring all visitors to present photo ID and sign a visitor log before entry.
II. Requiring escorts for all visitors in restricted areas like the server room.
III. Maintaining a delivery schedule so reception can verify expected deliveries against a list.
(A) Incomplete — ID verification alone does not prevent unescorted server room access.
(B) Incomplete — delivery schedule verification (III) would have flagged the unexpected “delivery” immediately.
(C) Incomplete — ID verification (I) is also a necessary control.
(A) Incorrect — this scenario directly proves the opposite; physical and cyber security are deeply interconnected.
(C) Incorrect — network monitoring tools can detect unauthorized devices through MAC address alerts, traffic anomalies, and port security features.
(D) Incorrect — firewall rules are irrelevant when the attacker has physical access to the switch behind the firewall.
AP® is a registered trademark of the College Board, which was not involved in the production of this content.