AP Cybersecurity Unit 2 Complete Study Guide
Unit 2: Securing Spaces
CIA Triad, Defense-in-Depth, Physical Security, Risk Assessment & Access Controls
🎯 Learning Objectives
By the end of this unit, you will be able to:
- Define and apply each component of the CIA Triad to real-world security scenarios
- Explain how defense-in-depth uses multiple security layers to protect systems
- Distinguish between deterrent, preventive, detective, and corrective physical security controls
- Calculate Annual Loss Expectancy (ALE) and compare qualitative vs. quantitative risk assessment
- Differentiate authentication from authorization and explain least-privilege principles
2.1 The CIA Triad
Confidentiality
Only authorized users can access data. Prevents unauthorized disclosure.
Integrity
Data is accurate and unaltered. Prevents unauthorized modification.
Availability
Systems are accessible when needed. Prevents unauthorized disruption.
Confidentiality in Depth
Confidentiality ensures that information is accessible only to those authorized to see it. It is violated whenever someone accesses data they should not have access to—regardless of whether they modify or destroy it.
| Control | How It Protects Confidentiality | Example |
|---|---|---|
| Encryption | Renders data unreadable without the key | AES-256 encrypting a laptop hard drive |
| Access Control Lists (ACLs) | Restricts who can read files or directories | Only HR can view payroll folders |
| Data Classification | Labels sensitivity level to guide handling | Top Secret, Confidential, Public |
| Need-to-Know | Limits access even among authorized users | Agents see only their own cases |
Encryption alone does not guarantee confidentiality if key management is weak. An encrypted file sent with the decryption key in the same email is not effectively confidential—the control fails at the key management layer.
Integrity in Depth
Integrity ensures that data has not been altered in an unauthorized way. This covers both malicious tampering (an attacker modifying financial records) and accidental corruption (a database error flipping a bit).
| Control | How It Protects Integrity | Example |
|---|---|---|
| Cryptographic Hashing | Any change to data produces a completely different hash | SHA-256 file checksums |
| Digital Signatures | Verify both the sender and that content is unmodified | Code signing certificates |
| Version Control | Maintains history of changes and who made them | Git commit logs |
| Write Protection | Prevents modification of critical files | Read-only OS partition |
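The hashing row above can be made concrete with a small baseline-and-verify check. This is an added example, not part of the original guide; the file names and contents are constructed sample data, and the function names are hypothetical.

```python
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    """SHA-256 checksum of a byte string, as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def build_baseline(files: dict) -> dict:
    """Record a known-good checksum for every file (name -> hex digest)."""
    return {name: sha256_hex(content) for name, content in files.items()}


def verify(baseline: dict, files: dict) -> dict:
    """Compare current contents with the baseline.

    Returns {name: status} for every entry that is not intact, where status
    is "modified", "missing" or "unexpected". An empty dict means no change.
    """
    findings = {}
    for name, expected in baseline.items():
        if name not in files:
            findings[name] = "missing"
        elif not hmac.compare_digest(expected, sha256_hex(files[name])):
            findings[name] = "modified"
    for name in files.keys() - baseline.keys():
        findings[name] = "unexpected"
    return findings


def flip_bit(data: bytes, index: int = 0) -> bytes:
    """Simulate accidental corruption: flip the lowest bit of one byte."""
    corrupted = bytearray(data)
    corrupted[index] ^= 0x01
    return bytes(corrupted)


def differing_bits(a: bytes, b: bytes) -> int:
    """Count how many of the 256 digest bits differ between two inputs."""
    da, db = hashlib.sha256(a).digest(), hashlib.sha256(b).digest()
    return sum(bin(x ^ y).count("1") for x, y in zip(da, db))


# Constructed sample data standing in for files on disk.
ORIGINAL = {
    "payroll.csv": b"id,amount\n1001,2500.00\n",
    "motd.txt": b"Welcome\n",
}

if __name__ == "__main__":
    baseline = build_baseline(ORIGINAL)
    current = dict(ORIGINAL)
    current["payroll.csv"] = flip_bit(current["payroll.csv"])
    print(verify(baseline, current))
    print(differing_bits(ORIGINAL["payroll.csv"], current["payroll.csv"]),
          "of 256 digest bits changed after a one-bit edit")
```

A checksum only proves integrity if the baseline itself cannot be altered by whoever altered the data, which is why the table pairs hashing with digital signatures and write protection.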
Availability in Depth
Availability ensures that systems and data are accessible to authorized users when they need them. Availability is violated by denial-of-service attacks, ransomware, and even poor system design that causes downtime.
| Control | How It Protects Availability | Example |
|---|---|---|
| Redundancy | Backup systems take over when primary fails | RAID storage, failover servers |
| DDoS Mitigation | Absorbs or filters flood traffic | Cloudflare WAF rate limiting |
| Backups | Restore data after ransomware or hardware failure | Offsite daily backups |
| Patch Management | Fixes vulnerabilities that attackers exploit for outages | Monthly OS update schedule |
Balancing the CIA Triad
In the real world, the three properties exist in tension. Increasing one often reduces another:
Confidentiality vs. Availability: A hospital encrypts all patient records (confidentiality). During a power outage, the decryption key server goes offline and doctors cannot access critical records (availability failure). Solution: redundant key management servers.
Integrity vs. Availability: A financial system runs an integrity check on every transaction (integrity). Under high load, the checking process causes 30-second delays (availability degraded). Solution: asynchronous integrity verification.
Confidentiality vs. Integrity: Encrypting a log file protects its confidentiality but may prevent real-time integrity monitoring tools from reading it. Solution: encrypt at rest but allow monitored access in transit.
Vantex Corp stores employee Social Security numbers in a database. An attacker gains access and reads 10,000 records but does not modify or delete any data.
Which CIA properties were violated? Only Confidentiality—unauthorized disclosure occurred. Integrity was maintained (no modification) and Availability was maintained (no disruption). This is a critical exam distinction: a read-only breach with no modification violates only confidentiality.
2.2 Defense-in-Depth
Think of defense-in-depth like a medieval castle: a moat (perimeter), walls (network boundary), gates with guards (access control), an inner keep (critical data), and soldiers inside (endpoint protection). An attacker who bypasses the moat still faces the walls, gates, and guards.
The Seven Security Layers
The AP exam tests whether you can identify WHICH layer a control belongs to. Remember: firewalls are network layer, antivirus is endpoint layer, and security awareness training is the human/policy layer. Confusing these is a common error.
Defense-in-Depth vs. Redundancy
An organization installs three firewalls from the same vendor in series. If a new vulnerability is discovered in that firewall software, all three fail simultaneously. Three identical controls is redundancy, not defense-in-depth.
An organization uses a perimeter firewall, network segmentation, endpoint antivirus, file encryption, and mandatory MFA. Each control is independent and defends against different attack vectors. If the firewall is bypassed, the attacker still faces encryption and MFA.
Control Types Within Layers
Within any layer, controls can be classified by their purpose:
| Type | Goal | Example |
|---|---|---|
| Preventive | Stop an attack before it occurs | Firewall blocking port 22, locked server room |
| Detective | Identify an attack in progress or after the fact | IDS alert, SIEM log analysis, camera footage |
| Corrective | Minimize damage and restore normal operations | Incident response plan, system restore from backup |
| Deterrent | Discourage attackers from attempting an attack | "CCTV in use" signs, visible security guards |
An attacker successfully bypasses Vantex's perimeter firewall using a zero-day exploit. However, they are stopped when they attempt to move laterally because internal network segmentation isolates departments. Security analysts detect the intrusion via SIEM alerts and contain it within 20 minutes.
Defense-in-Depth at work: The firewall (perimeter layer, preventive) failed. Network segmentation (network layer, preventive) stopped lateral movement. SIEM alerts (network layer, detective) triggered the response. The incident response plan (policy layer, corrective) contained the damage. Three independent layers functioned even after one failed.
2.3 Physical Security Controls
Physical Control Categories
Physical controls are classified by their function, not their form. The same physical object can serve multiple functions:
| Category | Definition | Examples |
|---|---|---|
| Deterrent | Discourages unauthorized access attempts | Warning signs, visible cameras, security guards at entrance |
| Preventive | Physically blocks unauthorized access | Locked doors, fences, mantraps, badge readers |
| Detective | Identifies and records unauthorized access | Motion sensors, CCTV recording, access logs |
| Corrective | Responds to and limits damage after an incident | Fire suppression systems, emergency lockdown procedures |
A "CCTV Recording" sign with no actual camera is a deterrent only—it may discourage attackers but does not physically prevent access. A working camera that records footage is detective. A locked door activated by badge is preventive. The AP exam frequently tests whether students confuse deterrent (psychological) with preventive (physical barrier).
Mantraps and Tailgating
🚨 Why Tailgating Is Effective
Tailgating works because it exploits social engineering, not technical vulnerabilities. An attacker dressed as a delivery person carrying packages walks behind an employee who badges in. The employee holds the door open as a courtesy—a normal human response. The attacker is now inside without ever authenticating.
Countermeasures: Mantraps, security awareness training, turnstiles, and a culture where employees are encouraged to challenge unrecognized individuals.
Layered Physical Security Design
Layer 1 — Perimeter: Fencing with barbed wire, security lighting, and "Authorized Personnel Only" signage (deterrent + preventive)
Layer 2 — Building Entry: Manned security desk, badge reader required, visitor log (preventive + detective)
Layer 3 — Server Room Entry: Mantrap with biometric scanner (preventive — eliminates tailgating)
Layer 4 — Inside Server Room: CCTV cameras recording to offsite storage (detective), motion sensors after hours (detective)
Layer 5 — Individual Racks: Physical locks on server racks, tamper-evident seals (preventive + detective)
Vantex posts large signs at data center entrances reading "CCTV Recording 24/7 — All Access Logged." No cameras are actually installed. A person in a delivery uniform tailgates through the main door and accesses the server room, stealing a hard drive.
Analysis: The signs functioned as a deterrent only (psychological, no physical barrier). They failed to prevent the intrusion because no mantrap or badge reader was present to stop tailgating. The absence of actual cameras eliminated the detective control. The incident reveals that deterrents without supporting preventive and detective controls provide very limited real protection.
2.4 Risk Assessment & Management
Core Definitions
| Term | Definition | Example |
|---|---|---|
| Threat | An event or actor that has the potential to cause harm | Ransomware gang, disgruntled employee, hurricane |
| Vulnerability | A weakness in a system that a threat can exploit | Unpatched software, weak password policy, unlocked door |
| Risk | The likelihood and impact of a threat exploiting a vulnerability | Probability ransomware exploits the unpatched system |
| Control | A safeguard that reduces threat, vulnerability, or impact | Patch management, MFA, offsite backups |
Reduce ANY factor to reduce total risk
Qualitative vs. Quantitative Risk Assessment
Qualitative risk assessment uses descriptive categories (High / Medium / Low) rather than numeric values. Based on expert judgment and scenario analysis.
Pros: Faster, no financial data required, good for early-stage analysis
Cons: Subjective, hard to justify budget decisions
Example: "The risk of a phishing attack is HIGH likelihood and HIGH impact."
Quantitative risk assessment uses numeric values and financial calculations to express risk in dollar terms. Requires historical data and estimates.
Pros: Objective, supports ROI analysis for controls, defensible to executives
Cons: Time-intensive, requires reliable data, false precision risk
Example: "The ALE for a phishing breach is $240,000/year."
Quantitative Risk Formulas
The AP Cybersecurity exam expects you to calculate and interpret quantitative risk values:
| Formula | Term | Definition |
|---|---|---|
| SLE = AV × EF | Single Loss Expectancy | Dollar loss from a single incident. Asset Value × Exposure Factor (% of asset lost) |
| ALE = SLE × ARO | Annual Loss Expectancy | Expected yearly loss. SLE × Annual Rate of Occurrence |
| ARO | Annual Rate of Occurrence | How many times per year the threat is expected to occur |
Vantex has a web server worth $400,000. Historical data shows ransomware incidents occur twice per year and each incident destroys 25% of the asset (EF = 0.25).
SLE = $400,000 × 0.25 = $100,000
ALE = $100,000 × 2 = $200,000/year
Decision: If a backup solution costs $60,000/year and reduces ALE to $20,000/year (savings of $180,000), the solution is cost-justified. If the control costs $250,000/year, it exceeds the risk it mitigates and should be reconsidered.
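The worked example above, carried through in code so several candidate controls can be compared at once. This is an added example, not part of the original guide; the class and function names are hypothetical, and the residual ALE for the $250,000 control is assumed to be the same $20,000 as for the backup solution.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset_value: float      # AV, in dollars
    exposure_factor: float  # EF, fraction of the asset lost per incident
    aro: float              # ARO, expected incidents per year

    def __post_init__(self):
        # EF is a percentage of the asset, so it must stay within 0..1.
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be a fraction between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("AV and ARO cannot be negative")

    @property
    def sle(self) -> float:
        """Single Loss Expectancy: SLE = AV x EF."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annual Loss Expectancy: ALE = SLE x ARO."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float   # dollars per year
    residual_ale: float  # ALE that remains after the control is in place


def evaluate(risk: Risk, control: Control) -> dict:
    """Compare the ALE a control removes with what the control costs."""
    reduction = risk.ale - control.residual_ale
    net = reduction - control.annual_cost
    return {
        "control": control.name,
        "ale_before": risk.ale,
        "ale_reduction": reduction,
        "net_benefit": net,
        "cost_justified": net > 0,
    }


def best_control(risk: Risk, controls: list):
    """Return the cost-justified control with the highest net benefit.

    Returns None when no candidate pays for itself, which is the cue to
    reconsider the response (accept, transfer or avoid) rather than mitigate.
    """
    results = [evaluate(risk, c) for c in controls]
    justified = [r for r in results if r["cost_justified"]]
    return max(justified, key=lambda r: r["net_benefit"], default=None)


# Figures from the Vantex web server example in the text.
RANSOMWARE = Risk(asset_value=400_000, exposure_factor=0.25, aro=2)
BACKUP = Control("backup solution", annual_cost=60_000, residual_ale=20_000)
# Assumption: the $250,000 control leaves the same $20,000 residual ALE.
EXPENSIVE = Control("$250,000 control", annual_cost=250_000, residual_ale=20_000)

if __name__ == "__main__":
    for control in (BACKUP, EXPENSIVE):
        print(evaluate(RANSOMWARE, control))
    print("Best:", best_control(RANSOMWARE, [EXPENSIVE, BACKUP]))
```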
Risk Response Strategies
| Strategy | Definition | When to Use | Example |
|---|---|---|---|
| Mitigate (Reduce) | Implement controls to lower likelihood or impact | Risk exceeds tolerance, cost-effective controls exist | Install MFA to reduce credential theft risk |
| Transfer | Shift financial impact to a third party | Risk is too costly to mitigate, insurance market exists | Purchase cyber liability insurance |
| Accept | Acknowledge the risk and take no additional action | Risk is within tolerance or cost of control exceeds benefit | Accept risk of minor website defacement for low-traffic site |
| Avoid | Eliminate the activity that creates the risk | Risk is too high and activity is not essential | Discontinue storing SSNs that are no longer needed |
After applying controls, some risk always remains. This is called residual risk. No control eliminates risk to zero. The goal of risk management is to reduce risk to an acceptable level—not to zero. This distinction appears frequently in AP exam questions asking what the purpose of risk management is.
2.5 Access Controls & Authentication
Identification, Authentication, and Authorization
| Step | Question Answered | Example |
|---|---|---|
| Identification | "Who are you?" — Claiming an identity | Entering a username |
| Authentication | "Prove it." — Verifying the claimed identity | Entering a password, scanning a fingerprint |
| Authorization | "What are you allowed to do?" — Granting permissions | HR user can read payroll files but not modify system logs |
| Accounting | "What did you do?" — Logging activity | Audit log of file accesses |
Authentication Factors
Authentication is classified by the type of evidence used to prove identity:
| Factor | Category | Examples | Weakness |
|---|---|---|---|
| Something You Know | Knowledge | Password, PIN, security question | Can be guessed, phished, or stolen |
| Something You Have | Possession | Smart card, hardware token, phone (SMS code) | Can be lost, stolen, or SIM-swapped |
| Something You Are | Inherence | Fingerprint, iris scan, voice recognition, facial recognition | Cannot be changed if compromised; false rejection rates |
| Somewhere You Are | Location | IP geolocation, GPS location | Can be spoofed with VPN or proxy |
Least Privilege Principle
Without least privilege: All employees at Vantex are given local administrator rights on their workstations "for convenience." When an employee's machine is infected with malware, the malware can install rootkits, disable antivirus, and spread across the network because it has admin rights.
With least privilege: Employees have standard user accounts. Only IT staff have admin rights, and only to specific systems they manage. Malware infecting a standard account cannot install software or modify system files, dramatically limiting the attack's scope.
Access Control Models
| Model | Who Assigns Permissions | Use Case |
|---|---|---|
| DAC (Discretionary) | Resource owner decides who can access | Personal file shares (typical OS) |
| MAC (Mandatory) | System enforces classification labels (Top Secret, Secret) | Military and government systems |
| RBAC (Role-Based) | Permissions assigned to roles, users assigned to roles | Enterprise systems (HR role, Finance role) |
| ABAC (Attribute-Based) | Permissions based on attributes (department, time, location) | Complex cloud environments |
Zero Trust is an emerging security model: "Never trust, always verify." It assumes breaches will occur and removes implicit trust from any network zone. Every request—even from inside the network—must be authenticated and authorized. Zero Trust is the opposite of the old "castle-and-moat" model where anything inside the perimeter was trusted. This concept is increasingly tested on the AP Cybersecurity exam.
A Vantex accounting clerk, Maria, needs access to the payroll database to enter timesheets. IT gives her full database administrator privileges "because it was easier to set up." Maria's credentials are compromised in a phishing attack. The attacker uses her DA privileges to exfiltrate the entire customer database, drop tables, and encrypt backups.
Violated Principles: (1) Least Privilege — Maria needed read/write on the timesheet table only, not full DA access. (2) Separation of Duties — no second approval was required for bulk data exports. (3) The attack would have been limited to timesheet data if least privilege had been applied, containing the blast radius to a fraction of the actual damage.
★ Unit 2 Practice Questions
Predict the answer before reading the options. Cover the choices, form your answer, then compare.
A security analyst states: "Our new policy requires all remote employees to authenticate with a username, a password, AND a four-digit PIN before VPN access is granted. This satisfies multi-factor authentication because three separate credentials are required."
Which statement BEST identifies the flaw in the analyst's reasoning?
- (A) Three credentials are insufficient for MFA; at least four are required for high-security VPN access
- (B) MFA requires credentials from at least two different factor categories; a username, password, and PIN are all "something you know"
- (C) Usernames do not count as authentication factors and should not be included in MFA calculations
- (D) PINs are inherently weaker than passwords and cannot satisfy any MFA requirement
Correct Answer: B
MFA requires factors from different categories (something you know, have, or are). Username, password, and PIN are all "something you know." Using three knowledge factors is not MFA—it is still single-factor authentication with extra steps. True MFA would require adding a hardware token (something you have) or biometric (something you are). Choice A invents a rule that does not exist. Choice C is incorrect; usernames serve identification, not authentication. Choice D is incorrect; PIN strength is a separate issue from MFA validity.
A hospital's electronic health record (EHR) system goes offline for 6 hours due to a ransomware attack. Patient records cannot be accessed, but the attacker did not read or modify any records before encrypting them.
Which of the following CIA properties were violated?
I. Confidentiality II. Integrity III. Availability
- (A) I only
- (B) III only
- (C) I and III only
- (D) I, II, and III
Correct Answer: B
The scenario states the attacker did NOT read records (confidentiality maintained) and did NOT modify records (integrity maintained). Encrypting the files and making them inaccessible for 6 hours directly violates Availability. Note: while ransomware encryption changes the file format, the data itself is not modified in the integrity sense—the original data can be fully restored with the decryption key. This is a nuanced but testable distinction. Only III (Availability) was violated.
A network administrator configures three identical next-generation firewalls from the same vendor in series, claiming: "We now have defense-in-depth because we have three layers of protection instead of one."
Which statement BEST explains why this does NOT constitute defense-in-depth?
- (A) Defense-in-depth requires a minimum of five distinct layers; three firewalls fall below this threshold
- (B) Firewalls operate at the network layer only and cannot form a complete defense-in-depth strategy regardless of quantity
- (C) Three identical controls from the same vendor share the same vulnerabilities; a single exploit targeting that vendor compromises all three simultaneously
- (D) Defense-in-depth requires both hardware and software controls; three firewalls represent only hardware controls
Correct Answer: C
Defense-in-depth requires diverse, independent controls that defend against different attack vectors. Three identical firewalls from the same vendor share the same firmware vulnerabilities, configuration errors, and zero-day exposures. If a new exploit is discovered for that product, all three fail together—providing no additional protection beyond one. True defense-in-depth would combine a firewall, network segmentation, endpoint protection, data encryption, and user training—each from different categories and vendors where possible. Choice A invents a rule. Choice B is incorrect; firewalls are a valid layer in defense-in-depth. Choice D is incorrect; defense-in-depth has no such hardware/software requirement.
Vantex Corp has a database server valued at $500,000. Security analysts estimate that a SQL injection breach occurs on average once every two years (ARO = 0.5), and each incident compromises 40% of the database value (EF = 0.40).
A vendor offers a web application firewall (WAF) that reduces the ARO to 0.1 and costs $35,000 per year. Consider the following statements:
I. The SLE for a single breach is $200,000.
II. The ALE before the WAF is installed is $100,000 per year.
III. Installing the WAF is cost-justified because it reduces ALE by more than its annual cost.
- (A) I only
- (B) I and II only
- (C) II and III only
- (D) I, II, and III
Correct Answer: D
Statement I: SLE = AV × EF = $500,000 × 0.40 = $200,000 ✔
Statement II: ALE = SLE × ARO = $200,000 × 0.5 = $100,000/year ✔
Statement III: With WAF: ALE = $200,000 × 0.1 = $20,000/year. ALE reduction = $100,000 − $20,000 = $80,000/year saved. WAF cost = $35,000/year. Net benefit = $80,000 − $35,000 = $45,000/year. The WAF is cost-justified. ✔
All three statements are correct.
A security manager writes the following in the annual report: "The mantrap installed at our server room entrance is classified as a deterrent control because it makes potential attackers think twice before attempting unauthorized entry."
Which statement BEST identifies the error in the manager's classification?
- (A) Mantraps are detective controls because they record who enters the secured area via cameras and logs
- (B) Mantraps are preventive controls because they physically stop unauthorized individuals from entering even if they attempt to tailgate
- (C) Mantraps are corrective controls because they isolate individuals who fail authentication between the two doors
- (D) Mantraps cannot be classified as a single control type and must always be listed under multiple categories simultaneously
Correct Answer: B
A mantrap is a preventive control. It physically stops unauthorized entry—the second door will not open unless the first is sealed and authentication succeeds. A deterrent control discourages attempts psychologically (like a warning sign) but does not physically stop them. The mantrap does not merely discourage; it physically prevents tailgating and unauthorized access. While a mantrap may also have cameras (detective) and a holding mechanism (corrective), its primary function and correct classification is preventive. The manager has confused deterrent (psychological) with preventive (physical barrier).
Vantex is evaluating risk response strategies for three identified risks. Consider the following response decisions:
I. Vantex purchases cyber liability insurance to cover financial losses from data breaches. This is a risk transfer strategy.
II. Vantex decides not to collect customers' Social Security numbers because the compliance burden exceeds the business need. This is a risk mitigation strategy.
III. Vantex acknowledges that minor website defacement on a low-traffic test server could occur but chooses not to allocate resources to prevent it. This is a risk acceptance strategy.
- (A) I only
- (B) I and III only
- (C) I and II only
- (D) I, II, and III
Correct Answer: B
Statement I: Purchasing cyber insurance transfers the financial impact of a breach to the insurer. This is risk transfer. ✔ Correct.
Statement II: Choosing not to collect SSNs eliminates the activity that creates the risk. This is risk avoidance, not mitigation. Mitigation would mean still collecting SSNs but adding controls to protect them. ❌ Incorrect classification.
Statement III: Knowingly choosing not to act on a risk and accepting it as tolerable is risk acceptance. ✔ Correct.
Only I and III are correctly classified.
A financial services firm is designing access controls for a new payroll system. Describe THREE specific access control measures the firm should implement, identify the principle each measure enforces, and explain how each measure reduces risk.
Sample Response:
Measure 1 — Role-Based Access Control (RBAC): Assign permissions based on job roles (e.g., Payroll Clerk role, Payroll Manager role, HR role). Enforces Least Privilege. Clerks can enter timesheet data but cannot approve payroll runs. Managers can approve but cannot modify pay rates without a second approver. This limits the data accessible to a compromised account to only what that role requires, reducing the blast radius of an insider threat or credential theft.
Measure 2 — Multi-Factor Authentication: Require employees to authenticate with a password (something you know) and a hardware token (something you have) before accessing the payroll system. Enforces Strong Authentication. Even if an employee's password is phished or stolen, the attacker cannot log in without physical possession of the hardware token. This is especially critical for payroll systems where credential theft is a primary attack vector.
Measure 3 — Separation of Duties: Require that no single employee can both enter and approve a payroll transaction. A second employee must review and authorize all payroll runs above a threshold. Enforces Separation of Duties. This prevents any individual—even a privileged one—from committing fraud or making unauthorized payments unilaterally. It also means a compromised account alone cannot initiate and complete a fraudulent payment without a second factor of human review.
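The three measures in the sample response, and the Maria scenario from section 2.5, combined into one authorization check. This is an added example, not part of the original guide; the action names, the users other than Maria, and the credential labels are assumptions, and the approval threshold from Measure 3 is left out for brevity.

```python
from dataclasses import dataclass
from typing import Optional

# RBAC: permissions attach to roles, users are assigned roles.
# Role names follow the sample response; action names are assumptions.
ROLE_PERMISSIONS = {
    "payroll_clerk": {"enter_timesheet"},
    "payroll_manager": {"approve_payroll_run"},
}

# Factor categories from the unit's authentication factor table.
# A username is identification, not a factor, so it is not listed.
FACTOR_CATEGORY = {
    "password": "know", "pin": "know",
    "hardware_token": "have", "smart_card": "have",
    "fingerprint": "are",
}


def is_mfa(credentials) -> bool:
    """MFA needs two different categories, not two credentials."""
    categories = {FACTOR_CATEGORY[c] for c in credentials if c in FACTOR_CATEGORY}
    return len(categories) >= 2


@dataclass(frozen=True)
class Session:
    user: str
    roles: frozenset
    credentials: tuple  # what the user presented at login


@dataclass
class PayrollRun:
    entered_by: str
    approved_by: Optional[str] = None


def authorize(session: Session, action: str, run: Optional[PayrollRun] = None):
    """Return (allowed, reason) after applying all three measures in order."""
    # Measure 2: strong authentication before anything else.
    if not is_mfa(session.credentials):
        return False, "mfa"
    # Measure 1: least privilege through roles; anything not granted is denied.
    granted = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in session.roles))
    if action not in granted:
        return False, "least_privilege"
    # Measure 3: the person who entered a run may not approve it,
    # even if they also hold the manager role.
    if action == "approve_payroll_run":
        if run is None or run.entered_by == session.user:
            return False, "separation_of_duties"
    return True, "ok"


CLERK = frozenset({"payroll_clerk"})
MANAGER = frozenset({"payroll_manager"})

# Constructed sessions. Maria is from the scenario; the others are made up.
MARIA = Session("maria", CLERK, ("password", "hardware_token"))
SAM = Session("sam", CLERK, ("username", "password", "pin"))  # one category only
DANA = Session("dana", CLERK | MANAGER, ("password", "fingerprint"))
LEE = Session("lee", MANAGER, ("password", "smart_card"))

if __name__ == "__main__":
    run = PayrollRun(entered_by="dana")
    print(authorize(MARIA, "enter_timesheet"))
    print(authorize(MARIA, "export_customer_db"))
    print(authorize(SAM, "enter_timesheet"))
    print(authorize(DANA, "approve_payroll_run", run))
    print(authorize(LEE, "approve_payroll_run", run))
```

With Maria limited to the clerk role, stolen credentials reach only timesheet entry; the bulk export from the scenario is denied because no role she holds grants it.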