AP Cybersecurity Unit 2 Complete Study Guide

Unit 2: Securing Spaces

CIA Triad, Defense-in-Depth, Physical Security, Risk Assessment & Access Controls

🎯 Learning Objectives

By the end of this unit, you will be able to:

  • Define and apply each component of the CIA Triad to real-world security scenarios
  • Explain how defense-in-depth uses multiple security layers to protect systems
  • Distinguish between deterrent, preventive, detective, and corrective physical security controls
  • Calculate Annual Loss Expectancy (ALE) and compare qualitative vs. quantitative risk assessment
  • Differentiate authentication from authorization and explain least-privilege principles
Key terms: CIA Triad, Confidentiality, Integrity, Availability, Defense-in-Depth, Mantrap, Risk Assessment, ALE, Least Privilege, MFA

2.1 The CIA Triad

The CIA Triad is the foundational model of information security, representing the three core properties every security program must protect: Confidentiality, Integrity, and Availability. Every security control, policy, or attack can be mapped to one or more of these three properties.
🔒

Confidentiality

Only authorized users can access data. Prevents unauthorized disclosure.

📋

Integrity

Data is accurate and unaltered. Prevents unauthorized modification.

☀️

Availability

Systems are accessible when needed. Prevents unauthorized disruption.

Confidentiality in Depth

Confidentiality ensures that information is accessible only to those authorized to see it. It is violated whenever someone accesses data they should not have access to—regardless of whether they modify or destroy it.

| Control | How It Protects Confidentiality | Example |
| --- | --- | --- |
| Encryption | Renders data unreadable without the key | AES-256 encrypting a laptop hard drive |
| Access Control Lists (ACLs) | Restricts who can read files or directories | Only HR can view payroll folders |
| Data Classification | Labels sensitivity level to guide handling | Top Secret, Confidential, Public |
| Need-to-Know | Limits access even among authorized users | Agents see only their own cases |

⚠️ Common Misconception

Encryption alone does not guarantee confidentiality if key management is weak. An encrypted file sent with the decryption key in the same email is not effectively confidential—the control fails at the key management layer.

Integrity in Depth

Integrity ensures that data has not been altered in an unauthorized way. This covers both malicious tampering (an attacker modifying financial records) and accidental corruption (a database error flipping a bit).

| Control | How It Protects Integrity | Example |
| --- | --- | --- |
| Cryptographic Hashing | Any change to data produces a completely different hash | SHA-256 file checksums |
| Digital Signatures | Verify both the sender and that content is unmodified | Code signing certificates |
| Version Control | Maintains history of changes and who made them | Git commit logs |
| Write Protection | Prevents modification of critical files | Read-only OS partition |

Availability in Depth

Availability ensures that systems and data are accessible to authorized users when they need them. Availability is violated by denial-of-service attacks, ransomware, and even poor system design that causes downtime.

| Control | How It Protects Availability | Example |
| --- | --- | --- |
| Redundancy | Backup systems take over when primary fails | RAID storage, failover servers |
| DDoS Mitigation | Absorbs or filters flood traffic | Cloudflare WAF rate limiting |
| Backups | Restore data after ransomware or hardware failure | Offsite daily backups |
| Patch Management | Fixes vulnerabilities that attackers exploit for outages | Monthly OS update schedule |

Balancing the CIA Triad

In the real world, the three properties exist in tension. Increasing one often reduces another:

⚡ Real-World Trade-offs

Confidentiality vs. Availability: A hospital encrypts all patient records (confidentiality). During a power outage, the decryption key server goes offline and doctors cannot access critical records (availability failure). Solution: redundant key management servers.

Integrity vs. Availability: A financial system runs an integrity check on every transaction (integrity). Under high load, the checking process causes 30-second delays (availability degraded). Solution: asynchronous integrity verification.

Confidentiality vs. Integrity: Encrypting a log file protects its confidentiality but may prevent real-time integrity monitoring tools from reading it. Solution: encrypt at rest but allow monitored access in transit.

📋 Scenario 2A: The Vantex Breach

Vantex Corp stores employee Social Security numbers in a database. An attacker gains access and reads 10,000 records but does not modify or delete any data.

Which CIA properties were violated? Only Confidentiality—unauthorized disclosure occurred. Integrity was maintained (no modification) and Availability was maintained (no disruption). This is a critical exam distinction: a read-only breach with no modification violates only confidentiality.

2.2 Defense-in-Depth

Defense-in-Depth is a security strategy that employs multiple, independent layers of security controls so that if one layer fails, subsequent layers continue to protect the asset. It is modeled on the principle that no single control is perfect—redundancy across different control types reduces total risk.

Think of defense-in-depth like a medieval castle: a moat (perimeter), walls (network boundary), gates with guards (access control), an inner keep (critical data), and soldiers inside (endpoint protection). An attacker who bypasses the moat still faces the walls, gates, and guards.

The Seven Security Layers

7 Policies, Procedures & Awareness — Human layer (training, acceptable use policies)
6 Application — Secure coding, WAFs, input validation, patch management
5 Data — Encryption at rest, DLP, classification, backups
4 Endpoint — Antivirus, EDR, host firewall, device encryption
3 Network — Firewalls, IDS/IPS, VLANs, network segmentation
2 Perimeter — DMZ, edge routers, VPNs, DDoS protection
1 Physical — Locks, guards, mantraps, access badges, cameras
★ AP Exam Strategy

The AP exam tests whether you can identify WHICH layer a control belongs to. Remember: firewalls are network layer, antivirus is endpoint layer, and security awareness training is the human/policy layer. Confusing these is a common error.

Defense-in-Depth vs. Redundancy

❌ Redundancy (NOT Defense-in-Depth)

An organization installs three firewalls from the same vendor in series. If a new vulnerability is discovered in that firewall software, all three fail simultaneously. Three identical controls is redundancy, not defense-in-depth.

✔ True Defense-in-Depth

An organization uses a perimeter firewall, network segmentation, endpoint antivirus, file encryption, and mandatory MFA. Each control is independent and defends against different attack vectors. If the firewall is bypassed, the attacker still faces encryption and MFA.

Control Types Within Layers

Within any layer, controls can be classified by their purpose:

| Type | Goal | Example |
| --- | --- | --- |
| Preventive | Stop an attack before it occurs | Firewall blocking port 22, locked server room |
| Detective | Identify an attack in progress or after the fact | IDS alert, SIEM log analysis, camera footage |
| Corrective | Minimize damage and restore normal operations | Incident response plan, system restore from backup |
| Deterrent | Discourage attackers from attempting an attack | "CCTV in use" signs, visible security guards |

📋 Scenario 2B: Analyzing a Security Incident

An attacker successfully bypasses Vantex's perimeter firewall using a zero-day exploit. However, they are stopped when they attempt to move laterally because internal network segmentation isolates departments. Security analysts detect the intrusion via SIEM alerts and contain it within 20 minutes.

Defense-in-Depth at work: The firewall (perimeter layer, preventive) failed. Network segmentation (network layer, preventive) stopped lateral movement. SIEM alerts (network layer, detective) triggered the response. The incident response plan (policy layer, corrective) contained the damage. Three independent layers functioned even after one failed.

2.3 Physical Security Controls

Physical security protects hardware, facilities, and personnel from physical threats including theft, vandalism, natural disasters, and unauthorized physical access. It is the foundation of the defense-in-depth model—all digital controls fail if an attacker has unrestricted physical access to hardware.

Physical Control Categories

Physical controls are classified by their function, not their form. The same physical object can serve multiple functions:

| Category | Definition | Examples |
| --- | --- | --- |
| Deterrent | Discourages unauthorized access attempts | Warning signs, visible cameras, security guards at entrance |
| Preventive | Physically blocks unauthorized access | Locked doors, fences, mantraps, badge readers |
| Detective | Identifies and records unauthorized access | Motion sensors, CCTV recording, access logs |
| Corrective | Responds to and limits damage after an incident | Fire suppression systems, emergency lockdown procedures |

⚠️ Deterrent vs. Preventive: Critical Distinction

A "CCTV Recording" sign with no actual camera is a deterrent only—it may discourage attackers but does not physically prevent access. A working camera that records footage is detective. A locked door activated by badge is preventive. The AP exam frequently tests whether students confuse deterrent (psychological) with preventive (physical barrier).

Mantraps and Tailgating

A mantrap (also called an airlock or sally port) is a physical security entry system consisting of two interlocking doors—the first door must close and lock before the second door can open. Only one person may pass through at a time, and identity is verified in the enclosed space between the doors. Mantraps physically prevent tailgating.

Tailgating (also called piggybacking) occurs when an unauthorized person follows an authorized person through a secured entry point without independently authenticating. It is one of the most common physical security failures because it exploits social norms—people feel rude refusing to hold a door open.

🚨 Why Tailgating Is Effective

Tailgating works because it exploits social engineering, not technical vulnerabilities. An attacker dressed as a delivery person carrying packages walks behind an employee who badges in. The employee holds the door open as a courtesy—a normal human response. The attacker is now inside without ever authenticating.

Countermeasures: Mantraps, security awareness training, turnstiles, and a culture where employees are encouraged to challenge unrecognized individuals.
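The interlock rule described above, modelled as an added example that is not part of the original guide. The class, its method names and the vestibule occupancy sensor are assumptions made for illustration; real controllers differ by vendor.

```python
class Mantrap:
    """Two-door interlock: the inner door opens only for one verified person."""

    def __init__(self):
        self.outer_open = False
        self.inner_open = False
        self.occupants = 0      # assumed reading from a vestibule occupancy sensor
        self.verified = False   # result of the identity check between the doors
        self.log = []           # detective record of every door decision

    def _decide(self, door, allowed, reason):
        self.log.append((door, allowed, reason))
        return allowed

    def open_outer(self, badge_ok):
        # Interlock: both doors are never open at the same time.
        if self.inner_open:
            return self._decide("outer", False, "inner door is open")
        if self.occupants:
            return self._decide("outer", False, "vestibule occupied")
        if not badge_ok:
            return self._decide("outer", False, "badge rejected")
        self.outer_open = True
        return self._decide("outer", True, "badge accepted")

    def step_in(self, people):
        if self.outer_open:
            self.occupants += people

    def close_outer(self):
        self.outer_open = False

    def verify(self, biometric_ok):
        # Identity only counts when checked in the sealed space, one person at a time.
        self.verified = (bool(biometric_ok) and not self.outer_open
                         and self.occupants == 1)
        return self.verified

    def open_inner(self):
        if self.outer_open:
            return self._decide("inner", False, "outer door not closed")
        if self.occupants != 1:
            return self._decide("inner", False,
                                f"{self.occupants} people in vestibule")
        if not self.verified:
            return self._decide("inner", False, "identity not verified")
        self.inner_open = True
        return self._decide("inner", True, "one verified person")

    def pass_through(self):
        # Person leaves into the secure area; reset for the next entry.
        if self.inner_open:
            self.inner_open, self.occupants, self.verified = False, 0, False


def attempt_entry(people, biometric_ok, close_outer=True):
    """Run one entry attempt; return (inner door opened, reason logged)."""
    trap = Mantrap()
    trap.open_outer(badge_ok=True)   # the authorized employee badges in
    trap.step_in(people)             # people=2 models a tailgater following
    if close_outer:
        trap.close_outer()
    trap.verify(biometric_ok)
    opened = trap.open_inner()
    return opened, trap.log[-1][2]


if __name__ == "__main__":
    print(attempt_entry(1, True))                      # normal entry
    print(attempt_entry(2, True))                      # tailgating attempt
    print(attempt_entry(1, False))                     # failed identity check
    print(attempt_entry(1, True, close_outer=False))   # outer door held open
```

The badge at the outer door is not what stops the tailgater: the inner door refuses because the vestibule holds two people, which is why a mantrap is preventive rather than deterrent.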

Layered Physical Security Design

🏢 Vantex Data Center Physical Security Layers

Layer 1 — Perimeter: Fencing with barbed wire, security lighting, and "Authorized Personnel Only" signage (deterrent + preventive)

Layer 2 — Building Entry: Manned security desk, badge reader required, visitor log (preventive + detective)

Layer 3 — Server Room Entry: Mantrap with biometric scanner (preventive — eliminates tailgating)

Layer 4 — Inside Server Room: CCTV cameras recording to offsite storage (detective), motion sensors after hours (detective)

Layer 5 — Individual Racks: Physical locks on server racks, tamper-evident seals (preventive + detective)

📋 Scenario 2C: The Tailgating Incident

Vantex posts large signs at data center entrances reading "CCTV Recording 24/7 — All Access Logged." No cameras are actually installed. A person in a delivery uniform tailgates through the main door and accesses the server room, stealing a hard drive.

Analysis: The signs functioned as a deterrent only (psychological, no physical barrier). They failed to prevent the intrusion because no mantrap or badge reader was present to stop tailgating. The absence of actual cameras eliminated the detective control. The incident reveals that deterrents without supporting preventive and detective controls provide very limited real protection.

2.4 Risk Assessment & Management

Risk is the potential for loss or harm when a threat exploits a vulnerability. Risk management is the process of identifying, analyzing, and responding to risks to reduce them to an acceptable level.

Core Definitions

| Term | Definition | Example |
| --- | --- | --- |
| Threat | An event or actor that has the potential to cause harm | Ransomware gang, disgruntled employee, hurricane |
| Vulnerability | A weakness in a system that a threat can exploit | Unpatched software, weak password policy, unlocked door |
| Risk | The likelihood and impact of a threat exploiting a vulnerability | Probability ransomware exploits the unpatched system |
| Control | A safeguard that reduces threat, vulnerability, or impact | Patch management, MFA, offsite backups |

Risk = Threat × Vulnerability × Impact
Reduce ANY factor to reduce total risk

Qualitative vs. Quantitative Risk Assessment

📊 Qualitative Assessment

Uses descriptive categories (High / Medium / Low) rather than numeric values. Based on expert judgment and scenario analysis.

Pros: Faster, no financial data required, good for early-stage analysis

Cons: Subjective, hard to justify budget decisions

Example: "The risk of a phishing attack is HIGH likelihood and HIGH impact."

💰 Quantitative Assessment

Uses numeric values and financial calculations to express risk in dollar terms. Requires historical data and estimates.

Pros: Objective, supports ROI analysis for controls, defensible to executives

Cons: Time-intensive, requires reliable data, false precision risk

Example: "The ALE for a phishing breach is $240,000/year."

Quantitative Risk Formulas

The AP Cybersecurity exam expects you to calculate and interpret quantitative risk values:

| Formula | Term | Definition |
| --- | --- | --- |
| SLE = AV × EF | Single Loss Expectancy | Dollar loss from a single incident. Asset Value × Exposure Factor (% of asset lost) |
| ALE = SLE × ARO | Annual Loss Expectancy | Expected yearly loss. SLE × Annual Rate of Occurrence |
| ARO | Annual Rate of Occurrence | How many times per year the threat is expected to occur |

📊 Worked Example: ALE Calculation

Vantex has a web server worth $400,000. Historical data shows ransomware incidents occur twice per year and each incident destroys 25% of the asset (EF = 0.25).

SLE = $400,000 × 0.25 = $100,000

ALE = $100,000 × 2 = $200,000/year

Decision: If a backup solution costs $60,000/year and reduces ALE to $20,000/year (savings of $180,000), the solution is cost-justified. If the control costs $250,000/year, it exceeds the risk it mitigates and should be reconsidered.
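The same decision as a reusable calculation, added here as an example that is not part of the original guide. It uses the Vantex web server figures above and the database and WAF figures from practice question 4. The class and function names are illustrative, and because the guide gives only the backup solution's resulting ALE of $20,000, the example assumes the backups achieve it by cutting EF to 0.025.

```python
from dataclasses import dataclass, replace
from decimal import Decimal
from typing import Optional


@dataclass(frozen=True)
class Risk:
    asset_value: Decimal      # AV, in dollars
    exposure_factor: Decimal  # EF, fraction of the asset lost per incident
    aro: Decimal              # ARO, expected incidents per year

    def __post_init__(self):
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("AV and ARO cannot be negative")
        if not 0 <= self.exposure_factor <= 1:
            raise ValueError("EF must be a fraction between 0 and 1")

    @property
    def sle(self) -> Decimal:
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> Decimal:
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: Decimal
    aro_after: Optional[Decimal] = None  # set when the control lowers likelihood
    ef_after: Optional[Decimal] = None   # set when the control lowers impact


def evaluate(risk: Risk, control: Control) -> dict:
    """Compare ALE with and without the control against its yearly cost."""
    residual = replace(
        risk,
        aro=risk.aro if control.aro_after is None else control.aro_after,
        exposure_factor=(risk.exposure_factor if control.ef_after is None
                         else control.ef_after),
    )
    reduction = risk.ale - residual.ale
    net = reduction - control.annual_cost
    return {
        "control": control.name,
        "ale_before": risk.ale,
        "ale_after": residual.ale,      # what remains is the residual risk
        "ale_reduction": reduction,
        "net_benefit": net,
        "cost_justified": net > 0,
    }


def best_control(risk: Risk, controls: list) -> Optional[dict]:
    """Highest net benefit among cost-justified controls, or None (accept)."""
    justified = [r for r in (evaluate(risk, c) for c in controls)
                 if r["cost_justified"]]
    return max(justified, key=lambda r: r["net_benefit"], default=None)


# Worked example above: $400,000 web server, EF 0.25, two incidents a year.
WEB_SERVER = Risk(Decimal("400000"), Decimal("0.25"), Decimal("2"))
# Assumption: backups reach the stated $20,000 ALE by lowering EF to 0.025.
BACKUPS = Control("backup solution", Decimal("60000"),
                  ef_after=Decimal("0.025"))
OVERPRICED = Control("$250,000 control", Decimal("250000"),
                     ef_after=Decimal("0.025"))

# Practice question 4: $500,000 database, EF 0.40, ARO 0.5, WAF cuts ARO to 0.1.
DB_SERVER = Risk(Decimal("500000"), Decimal("0.40"), Decimal("0.5"))
WAF = Control("WAF", Decimal("35000"), aro_after=Decimal("0.1"))

if __name__ == "__main__":
    for risk, control in [(WEB_SERVER, BACKUPS), (WEB_SERVER, OVERPRICED),
                          (DB_SERVER, WAF)]:
        print(evaluate(risk, control))
```

Decimal is used instead of float so that dollar amounts such as $500,000 × 0.40 come out exact.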

Risk Response Strategies

| Strategy | Definition | When to Use | Example |
| --- | --- | --- | --- |
| Mitigate (Reduce) | Implement controls to lower likelihood or impact | Risk exceeds tolerance, cost-effective controls exist | Install MFA to reduce credential theft risk |
| Transfer | Shift financial impact to a third party | Risk is too costly to mitigate, insurance market exists | Purchase cyber liability insurance |
| Accept | Acknowledge the risk and take no additional action | Risk is within tolerance or cost of control exceeds benefit | Accept risk of minor website defacement for low-traffic site |
| Avoid | Eliminate the activity that creates the risk | Risk is too high and activity is not essential | Discontinue storing SSNs that are no longer needed |

💡 Exam Tip: Residual Risk

After applying controls, some risk always remains. This is called residual risk. No control eliminates risk to zero. The goal of risk management is to reduce risk to an acceptable level—not to zero. This distinction appears frequently in AP exam questions asking what the purpose of risk management is.

2.5 Access Controls & Authentication

Access control is the process of ensuring that only authorized entities can access resources. It involves three sequential steps: Identification (claiming an identity), Authentication (proving that identity), and Authorization (determining what the authenticated identity is allowed to do).

Identification, Authentication, and Authorization

| Step | Question Answered | Example |
| --- | --- | --- |
| Identification | "Who are you?" — Claiming an identity | Entering a username |
| Authentication | "Prove it." — Verifying the claimed identity | Entering a password, scanning a fingerprint |
| Authorization | "What are you allowed to do?" — Granting permissions | HR user can read payroll files but not modify system logs |
| Accounting | "What did you do?" — Logging activity | Audit log of file accesses |

Authentication Factors

Authentication is classified by the type of evidence used to prove identity:

| Factor | Category | Examples | Weakness |
| --- | --- | --- | --- |
| Something You Know | Knowledge | Password, PIN, security question | Can be guessed, phished, or stolen |
| Something You Have | Possession | Smart card, hardware token, phone (SMS code) | Can be lost, stolen, or SIM-swapped |
| Something You Are | Inherence | Fingerprint, iris scan, voice recognition, facial recognition | Cannot be changed if compromised; false rejection rates |
| Somewhere You Are | Location | IP geolocation, GPS location | Can be spoofed with VPN or proxy |

Multi-Factor Authentication (MFA) requires two or more factors from different categories. A password + a PIN is NOT MFA because both are "something you know." A password + a fingerprint IS MFA (knowledge + inherence). The AP exam frequently tests this distinction.

Least Privilege Principle

The Principle of Least Privilege (PoLP) states that every user, process, or system should be granted only the minimum permissions necessary to perform its intended function—and no more. This limits the "blast radius" of a compromised account.
❌ Violates Least Privilege

All employees at Vantex are given local administrator rights on their workstations "for convenience." When an employee's machine is infected with malware, the malware can install rootkits, disable antivirus, and spread across the network because it has admin rights.

✔ Applies Least Privilege

Employees have standard user accounts. Only IT staff have admin rights, and only to specific systems they manage. Malware infecting a standard account cannot install software or modify system files, dramatically limiting the attack's scope.

Access Control Models

| Model | Who Assigns Permissions | Use Case |
| --- | --- | --- |
| DAC (Discretionary) | Resource owner decides who can access | Personal file shares (typical OS) |
| MAC (Mandatory) | System enforces classification labels (Top Secret, Secret) | Military and government systems |
| RBAC (Role-Based) | Permissions assigned to roles, users assigned to roles | Enterprise systems (HR role, Finance role) |
| ABAC (Attribute-Based) | Permissions based on attributes (department, time, location) | Complex cloud environments |

★ AP Exam Strategy: Zero Trust

Zero Trust is an emerging security model: "Never trust, always verify." It assumes breaches will occur and removes implicit trust from any network zone. Every request—even from inside the network—must be authenticated and authorized. Zero Trust is the opposite of the old "castle-and-moat" model where anything inside the perimeter was trusted. This concept is increasingly tested on the AP Cybersecurity exam.

📋 Scenario 2D: Access Control Failure at Vantex

A Vantex accounting clerk, Maria, needs access to the payroll database to enter timesheets. IT gives her full database administrator privileges "because it was easier to set up." Maria's credentials are compromised in a phishing attack. The attacker uses her DA privileges to exfiltrate the entire customer database, drop tables, and encrypt backups.

Violated Principles: (1) Least Privilege — Maria needed read/write on the timesheet table only, not full DA access. (2) Separation of Duties — no second approval was required for bulk data exports. Had least privilege been applied, the attack would have been limited to timesheet data, containing the blast radius to a fraction of the actual damage.
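How the controls from this section fit together in one access decision, as an added example that is not part of the original guide: the MFA category rule from the Authentication Factors table, RBAC with default deny, a second approver for bulk actions, and an audit log. The role names, permission sets, credential labels and the second administrator "sam" are all constructed for illustration.

```python
from dataclasses import dataclass, field

# Factor category for each credential type (labels are illustrative).
FACTOR_OF = {
    "password": "knowledge", "pin": "knowledge",
    "hardware_token": "possession", "smart_card": "possession",
    "fingerprint": "inherence",
}

# RBAC: permissions hang off roles; anything not listed is denied.
ROLE_PERMISSIONS = {
    "payroll_clerk": {("timesheets", "read"), ("timesheets", "write")},
    "dba": {(table, action)
            for table in ("timesheets", "customers", "backups")
            for action in ("read", "write", "drop", "export")},
}

# Separation of duties: these actions need sign-off from a second person.
NEEDS_SECOND_APPROVER = {"export", "drop"}


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset


def role_grants(user, resource, action):
    return any((resource, action) in ROLE_PERMISSIONS.get(role, set())
               for role in user.roles)


@dataclass
class AccessGate:
    audit_log: list = field(default_factory=list)

    def request(self, user, credentials, resource, action, approver=None):
        decision = self._decide(user, credentials, resource, action, approver)
        # Accounting: every decision is recorded, allowed or denied.
        self.audit_log.append((user.name, resource, action, decision))
        return decision

    def _decide(self, user, credentials, resource, action, approver):
        # Authentication: count factor categories, not credentials. A username
        # or an unknown credential type adds nothing.
        categories = {FACTOR_OF[c] for c in credentials if c in FACTOR_OF}
        if len(categories) < 2:
            return "deny: MFA needs two factor categories"
        # Authorization: least privilege through roles, default deny.
        if not role_grants(user, resource, action):
            return "deny: no role grants this permission"
        # Separation of duties: a different, equally authorized person signs off.
        if action in NEEDS_SECOND_APPROVER:
            if (approver is None or approver.name == user.name
                    or not role_grants(approver, resource, action)):
                return "deny: second approver required"
        return "allow"


# Constructed users for Scenario 2D.
MARIA_CLERK = User("maria", frozenset({"payroll_clerk"}))  # what she needed
MARIA_AS_DBA = User("maria", frozenset({"dba"}))           # what IT granted
OTHER_DBA = User("sam", frozenset({"dba"}))                # hypothetical colleague

if __name__ == "__main__":
    gate = AccessGate()
    both = ["password", "hardware_token"]
    print(gate.request(MARIA_CLERK, both, "timesheets", "write"))
    print(gate.request(MARIA_CLERK, ["username", "password", "pin"],
                       "timesheets", "write"))
    print(gate.request(MARIA_CLERK, both, "customers", "export"))
    print(gate.request(MARIA_AS_DBA, both, "customers", "export"))
    print(gate.request(MARIA_AS_DBA, both, "customers", "export", OTHER_DBA))
```

With the clerk role, a stolen login reaches only the timesheet table; even with the over-broad DBA role, the bulk export is denied until a second administrator approves it.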

★ Unit 2 Practice Questions

Predict the answer before reading the options. Cover the choices, form your answer, then compare.

1 Spot the Error

A security analyst states: "Our new policy requires all remote employees to authenticate with a username, a password, AND a four-digit PIN before VPN access is granted. This satisfies multi-factor authentication because three separate credentials are required."

Which statement BEST identifies the flaw in the analyst's reasoning?

  • (A) Three credentials are insufficient for MFA; at least four are required for high-security VPN access
  • (B) MFA requires credentials from at least two different factor categories; a username, password, and PIN are all "something you know"
  • (C) Usernames do not count as authentication factors and should not be included in MFA calculations
  • (D) PINs are inherently weaker than passwords and cannot satisfy any MFA requirement

Correct Answer: B

MFA requires factors from different categories (something you know, have, or are). Username, password, and PIN are all "something you know." Using three knowledge factors is not MFA—it is still single-factor authentication with extra steps. True MFA would require adding a hardware token (something you have) or biometric (something you are). Choice A invents a rule that does not exist. Choice C is incorrect; usernames serve identification, not authentication. Choice D is incorrect; PIN strength is a separate issue from MFA validity.

2 I / II / III

A hospital's electronic health record (EHR) system goes offline for 6 hours due to a ransomware attack. Patient records cannot be accessed, but the attacker did not read or modify any records before encrypting them.

Which of the following CIA properties were violated?

I. Confidentiality   II. Integrity   III. Availability

  • (A) I only
  • (B) III only
  • (C) I and III only
  • (D) I, II, and III

Correct Answer: B

The scenario states the attacker did NOT read records (confidentiality maintained) and did NOT modify records (integrity maintained). Encrypting the files and making them inaccessible for 6 hours directly violates Availability. Note: while ransomware encryption changes the file format, the data itself is not modified in the integrity sense—the original data can be fully restored from the decryption key. This is a nuanced but testable distinction. Only III (Availability) was violated.

3 Spot the Error

A network administrator configures three identical next-generation firewalls from the same vendor in series, claiming: "We now have defense-in-depth because we have three layers of protection instead of one."

Which statement BEST explains why this does NOT constitute defense-in-depth?

  • (A) Defense-in-depth requires a minimum of five distinct layers; three firewalls fall below this threshold
  • (B) Firewalls operate at the network layer only and cannot form a complete defense-in-depth strategy regardless of quantity
  • (C) Three identical controls from the same vendor share the same vulnerabilities; a single exploit targeting that vendor compromises all three simultaneously
  • (D) Defense-in-depth requires both hardware and software controls; three firewalls represent only hardware controls

Correct Answer: C

Defense-in-depth requires diverse, independent controls that defend against different attack vectors. Three identical firewalls from the same vendor share the same firmware vulnerabilities, configuration errors, and zero-day exposures. If a new exploit is discovered for that product, all three fail together—providing no additional protection beyond one. True defense-in-depth would combine a firewall, network segmentation, endpoint protection, data encryption, and user training—each from different categories and vendors where possible. Choice A invents a rule. Choice B is incorrect; firewalls are a valid layer in defense-in-depth. Choice D is incorrect; defense-in-depth has no such hardware/software requirement.

4 I / II / III

Vantex Corp has a database server valued at $500,000. Security analysts estimate that a SQL injection breach occurs on average once every two years (ARO = 0.5), and each incident compromises 40% of the database value (EF = 0.40).

A vendor offers a web application firewall (WAF) that reduces the ARO to 0.1 and costs $35,000 per year. Consider the following statements:

I. The SLE for a single breach is $200,000.
II. The ALE before the WAF is installed is $100,000 per year.
III. Installing the WAF is cost-justified because it reduces ALE by more than its annual cost.

  • (A) I only
  • (B) I and II only
  • (C) II and III only
  • (D) I, II, and III

Correct Answer: D

Statement I: SLE = AV × EF = $500,000 × 0.40 = $200,000

Statement II: ALE = SLE × ARO = $200,000 × 0.5 = $100,000/year

Statement III: With WAF: ALE = $200,000 × 0.1 = $20,000/year. ALE reduction = $100,000 − $20,000 = $80,000/year saved. WAF cost = $35,000/year. Net benefit = $80,000 − $35,000 = $45,000/year. The WAF is cost-justified. ✔

All three statements are correct.

5 Spot the Error

A security manager writes the following in the annual report: "The mantrap installed at our server room entrance is classified as a deterrent control because it makes potential attackers think twice before attempting unauthorized entry."

Which statement BEST identifies the error in the manager's classification?

  • (A) Mantraps are detective controls because they record who enters the secured area via cameras and logs
  • (B) Mantraps are preventive controls because they physically stop unauthorized individuals from entering even if they attempt to tailgate
  • (C) Mantraps are corrective controls because they isolate individuals who fail authentication between the two doors
  • (D) Mantraps cannot be classified as a single control type and must always be listed under multiple categories simultaneously

Correct Answer: B

A mantrap is a preventive control. It physically stops unauthorized entry—the second door will not open unless the first is sealed and authentication succeeds. A deterrent control discourages attempts psychologically (like a warning sign) but does not physically stop them. The mantrap does not merely discourage; it physically prevents tailgating and unauthorized access. While a mantrap may also have cameras (detective) and a holding mechanism (corrective), its primary function and correct classification is preventive. The manager has confused deterrent (psychological) with preventive (physical barrier).

6 I / II / III

Vantex is evaluating risk response strategies for three identified risks. Consider the following response decisions:

I. Vantex purchases cyber liability insurance to cover financial losses from data breaches. This is a risk transfer strategy.
II. Vantex decides not to collect customers' Social Security numbers because the compliance burden exceeds the business need. This is a risk mitigation strategy.
III. Vantex acknowledges that minor website defacement on a low-traffic test server could occur but chooses not to allocate resources to prevent it. This is a risk acceptance strategy.

  • (A) I only
  • (B) I and III only
  • (C) I and II only
  • (D) I, II, and III

Correct Answer: B

Statement I: Purchasing cyber insurance transfers the financial impact of a breach to the insurer. This is risk transfer. ✔ Correct.

Statement II: Choosing not to collect SSNs eliminates the activity that creates the risk. This is risk avoidance, not mitigation. Mitigation would mean still collecting SSNs but adding controls to protect them. ❌ Incorrect classification.

Statement III: Knowingly choosing not to act on a risk and accepting it as tolerable is risk acceptance. ✔ Correct.

Only I and III are correctly classified.

7 Free Response

A financial services firm is designing access controls for a new payroll system. Describe THREE specific access control measures the firm should implement, identify the principle each measure enforces, and explain how each measure reduces risk.

Sample Response:

Measure 1 — Role-Based Access Control (RBAC): Assign permissions based on job roles (e.g., Payroll Clerk role, Payroll Manager role, HR role). Enforces Least Privilege. Clerks can enter timesheet data but cannot approve payroll runs. Managers can approve but cannot modify pay rates without a second approver. This limits the data accessible to a compromised account to only what that role requires, reducing the blast radius of an insider threat or credential theft.

Measure 2 — Multi-Factor Authentication: Require employees to authenticate with a password (something you know) and a hardware token (something you have) before accessing the payroll system. Enforces Strong Authentication. Even if an employee's password is phished or stolen, the attacker cannot log in without physical possession of the hardware token. This is especially critical for payroll systems where credential theft is a primary attack vector.

Measure 3 — Separation of Duties: Require that no single employee can both enter and approve a payroll transaction. A second employee must review and authorize all payroll runs above a threshold. Enforces Separation of Duties. This prevents any individual—even a privileged one—from committing fraud or making unauthorized payments unilaterally. It also means a compromised account alone cannot initiate and complete a fraudulent payment without a second factor of human review.

AP Cybersecurity Study Guide | APCSExamPrep.com

AP® is a registered trademark of the College Board, which was not involved in the production of this guide.
