AP Cybersecurity 2.1: Cyber Foundations

Score0 / 10
📅 Last Updated: June 2026 ~70 min 📚 Lesson 1 of 4 — Unit 2
AP Cybersecurity — Unit 2: Securing Spaces

Topic 2.1: Cyber Foundations

Social engineering tactics, adversary types, the six cyberattack phases, risk assessment, risk management strategies, security controls, and defense-in-depth — the conceptual framework underlying every AP Cybersecurity exam scenario.

Lesson 1 of 4 ~70 min LO 2.1.A–2.1.G ~8 class periods Skill: Analyze Risk
College Board Essential Knowledge Coverage

Topic 2.1 — What Is Testable

CED Ref Essential Knowledge Covered In
2.1.A.1–A.8 Eight social engineering principles: Pretexting, Authority, Intimidation, Consensus, Scarcity, Familiarity, Urgency, Trust Section 2
2.1.B.1–B.5 Five adversary types: Script kiddies, Hacktivists, Insider adversaries, Cyberterrorists, Transnational criminal organizations Section 3
2.1.C.1–C.7 Six attack phases: Reconnaissance, Initial access, Persistence, Lateral movement, Taking action, Evading detection Section 4
2.1.D.1–D.7 Risk assessment: threat/vulnerability/asset; likelihood; severity; quantitative vs. qualitative; documentation Section 5
2.1.E.1–E.6 Four strategies: Avoid, Transfer, Mitigate, Accept; residual risk; cost-effective solutions Section 6
2.1.F.1–F.3 CIA; control types (Physical/Technical/Managerial); control functions (Preventative/Detective/Corrective) Section 7
2.1.G.1–G.4 Defense-in-depth: different threats, resilience when one layer fails, six layers (human/physical/network/device/application/data) Section 8

Source: AP Cybersecurity CED, Effective Fall 2026. AP Skills: 1.A Identify vulnerabilities/threats • 2.A Identify security controls

In This Lesson
  • 2.1.1 — Learning Objectives (3 min)
  • 2.1.2 — Social Engineering Tactics (12 min)
  • 2.1.3 — Types of Adversaries (8 min)
  • 2.1.4 — Six Phases of a Cyberattack (10 min)
  • 2.1.5 — Risk Assessment (8 min)
Continued
  • 2.1.6 — Risk Management Strategies (6 min)
  • 2.1.7 — Security Controls Framework (8 min)
  • 2.1.8 — Defense-in-Depth (6 min)
  • 2.1.9 — Worked Scenarios & CFU (12 min)
  • 2.1.10 — Frequently Asked Questions (3 min)
♡ Bellringer — 3 Questions, 5 Minutes

Students answer independently before the lesson. No notes.

  1. A company’s server was compromised after an attacker spent three weeks chatting with an employee on LinkedIn before asking for system credentials. Which social engineering principle was primarily used, and why?
  2. A hacker downloads ransomware-as-a-service from a dark web forum and deploys it against a hospital. They do not understand how the tool works. What adversary type are they? Does skill level change the danger?
  3. After a breach, analysts find the attacker was inside the network for 47 days before stealing anything. The attacker’s malware sent updates to an external server every 6 hours. What attack phase does the 47-day period represent?

Answers: (1) Trust — rapport built over time before request. (2) Script kiddie — low skill regardless of damage caused. (3) Persistence — maintaining C2 access without re-exploiting initial vulnerability.

12.1.1 — Learning Objectives

  • Identify all eight social engineering tactics and the psychological principle behind each (2.1.A)
  • Classify the five adversary types by skill level, motivation, and behavior (2.1.B)
  • Identify and sequence all six phases of a cyberattack and match defenses to each phase (2.1.C)
  • Describe the risk assessment process and produce a qualitative or quantitative risk rating (2.1.D)
  • Apply all four risk management strategies and explain residual risk (2.1.E)
  • Classify security controls by CIA principle, type (Physical/Technical/Managerial), and function (Preventive/Detective/Corrective) (2.1.F)
  • Explain why defense-in-depth is necessary and describe how layers interact (2.1.G)

22.1.2 — Social Engineering Tactics

Social engineering is covered in depth in Unit 1 (Topic 1.1). Topic 2.1 revisits it because every attack in Unit 2's physical security context begins with manipulation — an adversary who piggybacks into a server room was first a social engineer. The AP CED identifies eight psychological principles adversaries weaponize.

Definition — Social Engineering Psychological manipulation of people into divulging confidential information or taking an action that compromises security. Attackers exploit human psychology rather than technical vulnerabilities — making it the most common initial access technique across all attack types.
Principle 1
Pretexting
Adversary creates a believable fabricated identity (IT support, vendor, regulator) that makes the request seem legitimate before it is made.
Exam signal: attacker claims a role or affiliation they don't have
Principle 2
Authority
Adversary impersonates someone with power — a manager, law enforcement, or IT admin — to override the target's skepticism and compel compliance.
Exam signal: impersonation of any official, expert, or executive role
Principle 3
Intimidation
Adversary states negative consequences (account suspension, arrest, job loss) if demands aren't met immediately, inducing fear-driven compliance.
Exam signal: threats, consequences, punishments stated explicitly
Principle 4
Consensus
Adversary creates social pressure by making the target believe everyone else has already complied. Compliance feels normal; refusal feels abnormal.
"You're the only one who hasn't verified your account."
Principle 5
Scarcity
Adversary creates a sense of limited time or availability that disables deliberate thinking and forces hasty action without verification.
Exam signal: deadlines, permanent consequences, "act now"
Principle 6
Familiarity
Adversary pretends to know the target personally or share something in common to build rapid, unearned trust before making the real request.
Claims to know your coworker, alma mater, or hometown
Principle 7
Urgency
Adversary creates an artificial time pressure — independent of scarcity — requiring immediate action. Urgency bypasses verification habits.
Exam signal: URGENT, immediately, right now, no time to call
Principle 8
Trust
Adversary invests time building genuine-seeming rapport before making the request. Highest success rate but requires the most preparation.
Weeks of LinkedIn contact before the actual attack request
★ AP Exam Tip — Principles Stack

Real attacks rarely use one principle. A well-crafted phishing email might combine Authority, Urgency, and Intimidation simultaneously. On the exam, identify the primary principle driving compliance — usually the one the target could not resist even if they suspected something was wrong.

Check for UnderstandingMatching
Q 1 of 10

✎ Before matching — which principle requires the attacker to invest time? Which is purely time-based pressure? Which uses consequences as leverage?

Match each social engineering principle to the scenario that best demonstrates it as the primary manipulation technique.

Click a principle on the left, then click its matching scenario on the right. Click a matched pair to undo it.
Principles
1Authority
2Scarcity / Urgency
3Intimidation
4Consensus
5Trust
Scenarios
A"All 14 of your colleagues have already completed verification — you are the last one remaining."
BA call from "the IRS" states your SSN was used in a crime and an agent is coming unless you provide a verification code.
CAn email warns your network account will be permanently deleted and you will be locked out of all systems if you don't reset it in 20 minutes.
D"Complete verification in the next 90 minutes or your account will be permanently suspended."
EAfter three weeks of helpful LinkedIn messages, a contact asks you for internal system access "to help with a project."

32.1.3 — Types of Adversaries

Understanding who attacks — and why — drives every defensive decision. Skill level determines which vulnerabilities are exploitable; motivation determines which assets are targeted. The AP CED defines five distinct adversary types, all directly testable.

Adversary Type Skill Motivation Key Characteristics & AP Exam Notes
Script Kiddies Low Recognition, curiosity, greed Use tools built by others. Don't understand how they work. Target known vulnerabilities — patching stops them. Exam trap: low skill ≠ low damage. They can deploy sophisticated ransomware tools without understanding the code.
Hacktivists Varies Political or social causes Believe goals justify illegal means. Typical attacks: DDoS, website defacement. Target: organizations they oppose ideologically, not randomly.
Insider Adversaries Varies Greed, revenge, coercion Most dangerous type: have legitimate credentials and physical access. Bypass all perimeter controls. Can be recruited by external adversaries. Defense: least privilege, separation of duties, behavioral monitoring — NOT firewalls.
Cyberterrorists High Political destabilization Target critical infrastructure: power grids, water systems, healthcare. Goal is widespread disruption of communities or nations, not financial gain.
Transnational Criminal Orgs High Financial gain Sophisticated, well-resourced, operate like businesses. Primary: ransomware-as-a-service, IP theft for illegal markets. Persistent, patient attackers.
Check for UnderstandingSpot the Error
Q 2 of 10

A security instructor states: "Script kiddies are not a significant threat because they lack the skill to create sophisticated attacks." Which statement correctly identifies the flaw?

AThe instructor is correct — skill level is the primary determinant of attack sophistication and therefore damage potential.
BThe instructor is wrong — skill level describes how tools are obtained, not the power of those tools. Script kiddies deploying ransomware-as-a-service can cause catastrophic damage without understanding the underlying code.
CThe instructor is partially correct — script kiddies are only dangerous once they upgrade to zero-day exploit tools obtained from nation-state actors.
DThe instructor is wrong only because script kiddies can improve their skills over time and become high-skilled adversaries.

42.1.4 — The Six Phases of a Cyberattack

⚠ Critical — Know All Six Phases

The AP CED specifies six phases. Many unofficial resources list only four, omitting Persistence and Evading Detection. The exam tests all six. Not all phases occur in every attack, and phases may overlap or repeat.

Phase 1Reconnaissance
Attacker gathers intelligence before attempting access. Passive: public records, social media, DNS data, job postings — no target contact. Active: port scanning, network mapping — may trigger IDS alerts. OSINT is the primary tool.
Defense: Minimize public attack surface. Monitor for active scanning. Limit information exposed in job postings and public directories.
Phase 2Initial Access
Attacker establishes first foothold. Common methods: phishing to steal credentials, exploiting an unpatched internet-facing vulnerability, credential stuffing with leaked passwords.
Defense: MFA, email filtering, patching, perimeter controls, least privilege access policies.
Phase 3Persistence
After gaining access, attacker establishes mechanisms to maintain that access — so they don't need to re-exploit the initial vulnerability. Methods: Remote Access Trojan (RAT) with C2 heartbeat, creating backdoor accounts, scheduled tasks, rootkits.
Defense: Behavioral monitoring for C2 traffic patterns, endpoint detection, network traffic anomaly analysis, immutable logging.
Exam note: Persistence is the phase most commonly omitted from unofficial study materials. A C2 heartbeat communication from a compromised endpoint = Persistence, not Initial Access.
Phase 4Lateral Movement
Attacker moves from initial access point toward higher-value targets: databases, domain controllers, financial systems. They escalate privileges and map the internal network using compromised credentials.
Defense: Network segmentation, privileged access management (PAM), behavioral monitoring for unusual internal traffic — accessing systems outside normal working hours or job function.
Phase 5Taking Action
Attacker achieves their objective: stealing data (exfiltration), encrypting files (ransomware), destroying systems (sabotage), or maintaining persistent long-term access. Maps directly to adversary motivation.
Defense: DLP tools, egress filtering, anomaly detection for large outbound transfers, incident response playbooks. Ransomware: offline backups with tested restoration.
Phase 6Evading Detection
Many adversaries — especially APT groups — cover their tracks. Methods: clearing Windows Event Logs, removing planted malware, altering file timestamps, disabling security tools. Goal: maintain long-term undetected access or prevent forensic attribution.
Defense: Immutable write-once logging, SIEM correlation, forensic integrity monitoring, Security Operations Center (SOC) with 24/7 alert review.
🔎 Mnemonic — R-I-P-L-T-E

Reconnaissance → Initial Access → Persistence → Lateral Movement → Taking Action → Evading Detection. Rest in peace — lateral to evading.

Check for UnderstandingI/II/III
Q 3 of 10

Which of the following statements about the six cyberattack phases are TRUE?

I. All six phases must occur in every cyberattack for it to be classified as a sophisticated attack.
II. A C2 heartbeat communication from a compromised endpoint is correctly classified as the Persistence phase, not Initial Access.
III. Network segmentation primarily defends against the Lateral Movement phase by containing an attacker who has already achieved Initial Access.

AI only
BI and III only
CII and III only
DI, II, and III

52.1.5 — Risk Assessment

Risk exists at the intersection of a threat, a vulnerability, and an asset. The AP CED defines risk assessment as evaluating two factors for each identified vulnerability: likelihood of exploitation and severity of damage if exploited.

Risk Formula Risk requires all three elements: an Asset (something of value), a Vulnerability (a weakness), and a Threat (a potential exploiter of that weakness). Eliminating any one eliminates that specific risk.
Dimension What It Measures Key Factors
Likelihood How probable is exploitation of this vulnerability? Value of target to adversaries; skill required; availability of exploits; adversary motivation; existing controls
Severity How damaging is exploitation if it occurs? Financial cost; operational disruption; reputational damage; regulatory penalties; recovery time and cost

Quantitative vs. Qualitative Assessment

Quantitative Risk Assessment

  • Assigns numeric dollar values to risks
  • Example: "$45,000 annual expected loss from this vulnerability"
  • More precise — enables direct cost-benefit comparison
  • Harder to produce — requires historical data

Qualitative Risk Assessment

  • Uses descriptive categories: High / Moderate / Low
  • Example: "High likelihood, High severity = Critical risk"
  • Faster to produce, more accessible to non-technical stakeholders
  • Less precise — categories can be subjective
Check for UnderstandingMCQ
Q 4 of 10

✎ Predict first: A hacktivist group targets a company's public website. The security team rates this high-likelihood, low-severity. What drives the high likelihood rating?

Xtensr Labs' security team assesses the risk of a hacktivist group targeting their public website following negative press coverage. They rate this High Likelihood, Low Severity. Which factor most explains the high likelihood rating?

AThe website is a high-value financial asset, making it an attractive target for financially motivated adversaries.
BThe hacktivist group has strong ideological motivation against Xtensr, the target (public website) is accessible via well-documented attack techniques, and the negative press has increased the group's attention on the company.
CSeverity of reputational damage automatically raises the likelihood rating in qualitative risk assessment.
DQuantitative risk assessment assigns a specific dollar value to the likelihood based on industry breach frequency statistics.

62.1.6 — Risk Management Strategies

After identifying and rating risks, organizations must decide how to handle each one. The AP CED specifies exactly four strategies — tested vocabulary on the AP exam.

Strategy What It Does When Applied Example
Avoid Stops the activity generating the risk entirely Risk outweighs all benefits; activity is not mission-critical Company stops accepting online credit cards — eliminates that data breach risk entirely
Transfer Shifts financial burden of the risk to another party Financial risk can be shared; operational risk cannot be transferred Cyber liability insurance; contractual indemnification with vendors
Mitigate Implements controls to reduce likelihood or impact Most common — activity must continue but risk is too high without controls Adding MFA, patching vulnerabilities, installing mantraps in server rooms
Accept Acknowledges the risk and takes no further action Residual risk is within tolerance; cost of control exceeds expected loss Accepting the low risk of an isolated legacy system that would be expensive to patch
Residual Risk The risk that remains after avoidance, transference, and mitigation have been applied. Risk acceptance is always acceptance of residual risk — not the original unmitigated risk. Absolute security is unattainable; residual risk always remains.
⚠ AP Exam Trap — Avoidance Limitations

Avoidance is not always possible. An organization cannot "avoid" activities that are core to its mission. A hospital cannot avoid storing patient data. A bank cannot avoid accepting deposits. For these organizations, mitigation is the only viable strategy for risks tied to mission-critical activities.

Check for UnderstandingScenario
Q 5 of 10

✎ Predict first: Xtensr adds biometrics + CCTV + quarterly audits to the server room. Some residual risk remains. What strategy was applied?

Xtensr Labs identifies that their server room keycard system (single-factor only) represents a high physical security risk. The security team implements biometric + keycard two-factor access, adds CCTV, and conducts quarterly access audits. A small residual risk remains because no system is perfect. Which risk management strategy was applied, and what does the remaining risk represent?

AAvoidance — the organization eliminated the server room access risk by removing the single-factor system.
BTransference — the risk was shifted to the biometric vendor through the service contract.
CMitigation — controls reduced the likelihood and impact, and the remaining risk is residual risk: the acknowledged remainder after mitigation, within the organization's tolerance.
DAcceptance — the organization acknowledged the risk and made no changes to the single-factor system.

72.1.7 — Security Controls Framework

The AP CED classifies security controls on two independent axes: type (what domain they operate in) and function (when in an attack lifecycle they act). Both are tested simultaneously — the exam will ask you to classify a single control on both axes.

CIA Principle Coverage

Property Ensures Violation = Representative Controls
Confidentiality Only authorized parties can access data Data theft, unauthorized disclosure Encryption, access controls, MFA, need-to-know policies
Integrity Data is accurate and unaltered without authorization Data modification, tampering, corruption Hashing, digital signatures, audit logs, version control
Availability Authorized users can access systems when needed Service disruption, system outage, DoS Redundancy, backups, load balancing, UPS, DDoS mitigation

Classification by Type

Type Domain Examples
Physical Security in physical space Locks, fences, cameras, bollards, mantraps, guards, UPS
Technical Security in digital systems Firewalls, antivirus, encryption, MFA, IDS/IPS, access control software
Managerial Policies, procedures, rules governing behavior Password policies, security awareness training, IRPs, access review schedules

Classification by Function

Function When It Acts Goal Examples
Preventative Before/during an attack attempt Stop the attack from succeeding Locks, encryption, access controls, firewalls
Detective During or after an attack Identify attacks as they occur or occurred IDS, CCTV recording, SIEM, access logs, security audits
Corrective After an attack Fix damage and restore operations Patching, backups and restoration, incident response plans
★ AP Exam Tip — Dual Classification

Every control gets classified on both axes. A camera = Physical (type) + Detective (function). Security awareness training = Managerial (type) + Preventative (function). An IDS = Technical (type) + Detective (function). Be ready to classify any described control on both axes in the same answer.

Check for UnderstandingDual Classification
Q 6 of 10

Xtensr Labs implements quarterly security awareness training requiring all employees to complete scenarios on tailgating and phishing identification. How is this control correctly classified on both axes?

APhysical and Detective — it physically trains employees to detect attacks
BTechnical and Preventive — the digital training platform is a technical control that prevents attacks
CManagerial and Preventive — it is a required policy/procedure (managerial type) that reduces the likelihood employees will enable attacks before they occur (preventive function)
DManagerial and Corrective — it corrects employee behavior after security incidents are discovered

82.1.8 — Defense-in-Depth

Defense-in-Depth (DiD) A security strategy using multiple independent layers of controls — physical, technical, and managerial — so that when one layer fails, others continue protecting the asset. Core principle: no single control is sufficient.

The AP CED gives three specific reasons why DiD is necessary — all three are testable:

Why Defense-in-Depth Is Necessary (CED 2.1.G)
1

Different threats require different controls

A firewall cannot stop a social engineering attack. Security awareness training cannot stop a network intrusion. Each layer addresses threats in its own domain — no single control covers all attack surfaces.

2

No single control is reliable enough to stand alone

Every control can fail, be misconfigured, or be deliberately bypassed. Multiple independent layers mean an attacker must defeat all of them simultaneously — exponentially increasing difficulty.

3

Resilience in data protection

When one control is bypassed, another may still prevent access or limit the damage. An attacker who defeats the firewall still faces endpoint controls; defeating those still faces data encryption. Each layer buys time and limits impact.

DiD Layers (CED 2.1.G)

Layer What It Protects Example Controls
Human People and their behavior Security awareness training, phishing simulations, password policies
Physical Hardware, facilities, access points Locks, mantraps, cameras, guards, bollards, fencing
Network Network traffic and perimeter Firewalls, IDS/IPS, DMZ, VPN, network segmentation
Device Individual endpoints Antivirus, host firewall, endpoint detection, full-disk encryption
Application Software and code Input validation, WAF, secure SDLC, code review
Data Stored and transmitted data Encryption at rest and in transit, access controls, DLP, backups
Check for UnderstandingMCQ
Q 7 of 10

A security team discovers an attacker bypassed the perimeter firewall (Network layer failed) via a phishing email, installed malware on an endpoint (Device layer failed to detect), but was stopped when trying to access the encrypted research database (Data layer held). Which statement best describes this outcome?

ADefense-in-depth failed — two layers were bypassed, indicating the strategy was ineffective.
BDefense-in-depth worked as designed — two layers failed but the data layer prevented the attacker from achieving their objective, demonstrating that no single failure exposes all assets.
CThis proves only the data layer matters — organizations should focus their entire budget on encryption.
DThe organization should have strengthened the perimeter rather than relying on inner layers.

92.1.9 — Worked Scenarios

1Vantex Financial — Attack Phase Timeline
Scenario: A forensic team reconstructs a security incident at Vantex Financial from system logs. Map each event to the correct attack phase.
1

Monday: 47 port scans from external IP against Vantex servers

Phase: Reconnaissance (Active) — Port scanning is active reconnaissance. It directly probes the target and may trigger IDS alerts, unlike passive OSINT.

2

Tuesday: Spear-phishing email sent to CFO's assistant referencing a real vendor

Phase: Initial Access (attempt) — The phishing email is the attacker's attempt to establish initial foothold. The OSINT research enabling the personalization occurred in Phase 1.

3

Wednesday: Assistant opens PDF; RAT installs, begins C2 heartbeat every 4 hours

Phase: Initial Access (success) + Persistence — The RAT installation is Initial Access. The C2 heartbeat is Persistence — the attacker now maintains access even if the phishing link is later blocked.

4

Thursday: RAT queries Active Directory for all users with domain admin privileges

Phase: Lateral Movement — Identifying high-privilege accounts is preparation for moving toward higher-value targets. The attacker has not yet exfiltrated data.

5

Friday 3:14 AM: 4.2 GB transferred to external IP

Phase: Taking Action (exfiltration) — Data theft is the primary objective achieved. The after-hours timing minimizes the chance of detection by SOC analysts.

6

Friday 3:22 AM: Windows Event Logs cleared on finance server

Phase: Evading Detection — Log clearing removes forensic evidence. This is a sophisticated move indicating an adversary who wants to maintain long-term access or prevent attribution.

AP Exam Application

When given a timeline and asked to identify phases: (1) identify the action, (2) determine what it enables — reconnaissance enables access attempts, persistence enables long-term access, lateral movement enables reaching the target, taking action is the goal, evading detection is covering tracks. The sequence R-I-P-L-T-E is the expected order, though not every attack uses all phases.

Check for UnderstandingPhase Mapping
Q 8 of 10

✎ Predict first: An attacker inside a compromised network scans for servers with admin shares accessible without credentials. What phase is this?

After compromising a workstation via a phishing email, an attacker uses the access to enumerate all network shares and identify which file servers have open administrative access. They then move to those servers and map their directory structures. Which attack phase does this activity represent, and which defense most directly addresses it?

APersistence — the attacker is establishing mechanisms to maintain access to multiple systems.
BLateral Movement — the attacker is moving from the initial access point toward higher-value targets, with network segmentation as the primary defense.
CReconnaissance — enumerating network shares is a reconnaissance technique.
DTaking Action — accessing file servers is the attacker's primary objective.
Check for UnderstandingSocial Engineering Application
Q 9 of 10

An employee receives an email appearing to come from the VP of Finance: "I am in a board meeting and cannot take calls. Wire $23,000 to this new vendor immediately — the contract closes in 2 hours if we miss this. Do NOT discuss with anyone until the payment clears."

Which social engineering principles are most responsible for the effectiveness of this attack?

AFamiliarity and Consensus — the employee knows the VP and is told everyone else approved the transaction.
BAuthority and Urgency — impersonating an executive (authority) combined with a 2-hour contract deadline and confidentiality instruction that eliminates verification (urgency) are the primary drivers.
CPretexting and Reciprocity — the fabricated board meeting backstory and implicit offer to advance the employee's career.
DIntimidation and Scarcity — the threat of contract loss creates intimidation pressure on the employee.
End of LessonComprehensive Integration
Q 10 of 10
Xtensr Labs' CISO proposes a $200,000 investment in a new AI-powered network intrusion detection system for the perimeter. A risk-informed security analyst responds: "Our highest-risk unmitigated vulnerabilities are currently the server room (single-factor keycard, no camera, tailgating occurs regularly) and staff with no phishing awareness training. Adding redundancy to the network layer while the Physical and Human layers are unprotected is poor risk prioritization."

Which combination of frameworks best supports the analyst's position?

ARisk transfer and defense-in-depth — purchasing cyber liability insurance instead of new technology addresses both arguments simultaneously.
BRisk assessment and defense-in-depth — risk assessment shows the Physical and Human layers carry unmitigated high-severity risks; defense-in-depth requires filling unprotected layers before adding redundancy to an already-defended Network layer.
CThe CISO is correct — technical controls at the network layer always take highest priority in security investment decisions.
DThe analyst cannot make this argument without a completed quantitative risk assessment assigning dollar values to all identified risks.

102.1.10 — Frequently Asked Questions

  • What is the difference between a threat, a vulnerability, and a risk?

    A vulnerability is a weakness (a server room with no camera). A threat is a potential cause of harm that could exploit that weakness (an insider adversary with access). Risk occurs when a specific threat can exploit a specific vulnerability to compromise a specific asset. All three elements are required — removing any one of them eliminates that specific risk. This is tested directly as a definitions question on the AP exam.

  • How do I remember all six attack phases in order?

    Use R-I-P-L-T-E: Reconnaissance, Initial Access, Persistence, Lateral Movement, Taking Action, Evading Detection. The most commonly missed phases are 3 (Persistence) and 6 (Evading Detection) — both explicitly in the CED. Remember: a C2 heartbeat = Persistence (not Initial Access); log clearing = Evading Detection (not Taking Action).

  • Can a single control be classified under more than one type and function?

    Yes — every control should be classified on both axes. A camera is Physical (type) and Detective (function). Security awareness training is Managerial (type) and Preventative (function). An automated patch management system is Technical (type) and Corrective (function). The AP exam tests whether you can apply both classifications simultaneously to a single described control.

  • What is residual risk and when is it accepted?

    Residual risk is the risk that remains after all mitigation, avoidance, and transference measures have been applied. Risk acceptance is always acceptance of residual risk — not of the original unmitigated risk. Organizations accept residual risk when it falls within their defined risk tolerance level. Absolute security (zero residual risk) is unattainable and is not the goal of any risk management framework.

  • Why is the insider threat particularly hard to defend against?

    Insider adversaries have legitimate credentials and physical access — meaning they bypass all perimeter defenses by design. A firewall does not stop an employee who is already inside the network with valid login credentials. Effective defenses focus on limiting scope (least privilege, need-to-know, separation of duties), monitoring behavior (access logs, behavioral analytics, UEBA), and making malicious activity detectable even when performed with valid credentials.

Premium Feature

1-on-1 Expert Support

Get personalized help from an AP Cybersecurity instructor — 2,067+ verified hours, 5.0 rating, 499+ reviews.

2,067+ Verified Hours 5.0 Wyzant Rating 499+ Five-Star Reviews
Learn About Expert Sessions →
TC
Tanner Crow
AP Computer Science Teacher — Blue Valley North High School

Tanner has taught AP Computer Science for 11+ years and built APCSExamPrep.com to give every student access to the same resources his own students use. He holds 2,067+ verified tutoring hours on Wyzant with a 5.0 rating from 499+ reviews. His AP CSA students score 5s at more than double the national average (54.5% vs. 25.5% nationally).

11+ Years Teaching AP CS 2,067+ Verified Tutoring Hours 499+ Five-Star Reviews 54.5% of Students Score 5s 5.0 Rating on Wyzant
Content last reviewed and updated: June 2026
📋 Exit Ticket — Topic 2.1 | 5 Questions | Ready for Canvas / Google Classroom

Students submit before leaving. Target 70%+ on Q1–3 before advancing.

  1. An adversary calls pretending to be IT support and says the employee’s account will be deleted in 2 hours unless they verify their password. Name two social engineering principles at work and explain each. (AP Skill: Analyze Risk)
  2. True or False: A low-skilled adversary deploying ransomware-as-a-service is not a serious threat. Explain. (AP Skill: Analyze Risk)
  3. An attacker spent 31 days in a compromised network before stealing data. Malware sent updates to an external server every 6 hours during that time. Which attack phases occurred during those 31 days? (AP Skill: Analyze Risk)
  4. A security team implements MFA, firewalls, and IDS but no physical controls and no training. Using defense-in-depth, explain what is missing. (AP Skill: Mitigate Risk)
  5. A web server has $45,000 annual DDoS risk. A new firewall costs $8,000 to install and $2,000/year to maintain and reduces risk by 80%. Apply the CED cost-effectiveness principle. (AP Skill: Mitigate Risk)
Answer Key (teacher only): (1) Authority (impersonating IT) + Urgency (2-hour deadline prevents verification). (2) False — skill describes tool acquisition, not power; script kiddies deploying sophisticated tools cause serious damage. (3) Persistence (C2 heartbeat every 6 hours) + Lateral Movement (moving toward target data). (4) Missing Physical layer (locks, cameras, mantraps) and Human layer (training). (5) Yes — $10K/year cost vs. $36K/year risk reduction; cost less than expected loss = cost-effective.
← Unit 2 Overview Exercise 1 →

Get in Touch

Whether you're a student, parent, or teacher — I'd love to hear from you.

Just want free AP CS resources?

Enter your email below and check the subscribe box — no message needed. Students get daily practice questions and study tips. Teachers get curriculum resources and teaching strategies.

Typically responds within 24 hours

Message Sent!

Thanks for reaching out. I'll get back to you within 24 hours.

🏫 Welcome, fellow educator!

I offer curriculum resources, practice materials, and study guides designed for AP CS teachers. Let me know what you're looking for — whether it's classroom materials, a guest speaker, or Teachers Pay Teachers resources.

Email

[email protected]

📚

Courses

AP CSA, CSP, & Cybersecurity

Response Time

Within 24 hours

Prefer email? Reach me directly at [email protected]