AP Cybersecurity 2.3: Protecting Physical Spaces | Controls Guide

Score0 / 10
📅 Last Updated: June 2026 ~60 min 📚 Lesson 3 of 4 — Unit 2
AP Cybersecurity — Unit 2: Securing Spaces

Topic 2.3: Protecting Physical Spaces

Security awareness training, workstation security policies, fencing, locks, card readers, access control vestibules, USB port controls, and UPS — the managerial and physical controls that determine how well an organization defends its spaces against the attacks identified in Topic 2.2.

Lesson 3 of 4 ~60 min LO 2.3.A–2.3.B ~4 class periods Skill: Implement Controls
College Board Essential Knowledge Coverage

Topic 2.3 — What Is Testable

CED Ref Essential Knowledge Covered In
2.3.A.1 Training: detecting social engineering like phishing • not badging others into restricted areas • preventing device theft Section 2
2.3.A.2 Workstation policy: lock devices, clean desk, privacy screen, connect to UPS/surge protector Section 2
2.3.B.1 Control selection: how adversary exploits vulnerability → prevent, detect, or correct Section 5
2.3.B.2 Fencing, gates, bollards deter physical building access Section 3
2.3.B.3 Locks on doors, server cabinets, computers prevent access or theft Section 3
2.3.B.4 Card readers: log badge use by time/location; deny unauthorized badges Section 3
2.3.B.5 Access control vestibules and turnstiles prevent intentional or accidental unauthorized entry Section 3
2.3.B.6 Disabling USB ports prevents malware loading from external drives Section 3
2.3.B.7 UPS provides backup power per device; generators provide building-scale backup Section 3
2.3.B.8 Prioritize mitigations by severity of risk and cost of mitigation Section 5

Source: AP Cybersecurity CED, Effective Fall 2026. AP Skills: 2.A Identify security controls • 2.B Determine layered controls

In This Lesson
  • 2.3.1 — Learning Objectives (3 min)
  • 2.3.2 — Managerial Controls (2.3.A) (12 min)
  • 2.3.3 — Physical Mitigation Controls (2.3.B) (15 min)
  • 2.3.4 — Layering Controls: DiD Applied (8 min)
Continued
  • 2.3.5 — Prioritizing Mitigations (6 min)
  • 2.3.6 — Worked Scenarios (10 min)
  • 2.3.7 — Quick Reference Table (3 min)
  • 2.3.8 — FAQ (3 min)
♡ Bellringer — 3 Questions, 5 Minutes

Students answer independently before the lesson. No notes.

  1. A company installs a card reader on the server room door. Name one advantage card readers have over physical key locks that directly helps physical security investigations.
  2. A director says: “We installed an access control vestibule — piggybacking and tailgating are both eliminated.” What is the error?
  3. Budget: $10,000. Choice A: $8,000 access control vestibule for a High-risk server room. Choice B: $9,500 perimeter fencing for a Low-risk aesthetic concern. Which do you choose and why? (Use CED 2.3.B.8)

Answers: (1) Access log audit trail + instant deactivation. (2) Vestibule stops tailgating; piggybacking needs training. (3) A — severity first, then cost-effectiveness.

12.3.1 — Learning Objectives

  • Identify and describe managerial controls for physical security: security awareness training requirements and workstation security policy elements (2.3.A)
  • Determine appropriate physical mitigation strategies for each identified risk: fencing, gates, bollards, locks, card readers, access control vestibules, USB port disabling, UPS systems (2.3.B)
  • Apply defense-in-depth principles to physical space protection — layering controls so that bypassing one does not expose all assets
  • Prioritize mitigations based on severity of risk and cost-effectiveness of the control
  • Match the correct control type and function to each physical attack vector identified in Topic 2.2

22.3.2 — Managerial Controls for Physical Security (LO 2.3.A)

Managerial Controls Defined Rules, guidelines, policies, and procedures that specify what security behaviors are required and how people should act. They address the human layer of defense-in-depth. Unlike physical or technical controls, they work through training, policy enforcement, and organizational culture — not hardware or software.

Security Awareness Training (CED 2.3.A.1)

Organizations should conduct employee security awareness training to educate employees about how they contribute to physical security. The CED specifies three areas of training content:

Training Content Area 1: Detecting Social Engineering

  • Detecting social engineering attempts like phishing (CED 2.3.A.1 — exact language)
  • Not badging other people into restricted areas — not for anyone, ever, regardless of stated authority or urgency
  • Challenging unfamiliar persons in restricted areas ("who are you?")
  • Preventing device theft — keeping devices in sight and reporting suspicious physical activity

Training Content Area 2 & 3: Device and Information Security

  • Never plugging in unknown USB devices (combats USB drop attacks)
  • Preventing device theft — never leaving devices unattended in public
  • Reporting suspicious physical activity to security personnel
  • Understanding that clean desk policy is a security requirement, not a preference
★ AP Exam — Control Classification for Training

Security awareness training is classified as: Type = Managerial (it is a policy/procedure specifying required behavior) and Function = Preventive (it reduces the likelihood of attacks before they occur by changing human behavior). Do not classify it as Detective or Corrective.

Workstation Security Policy (CED 2.3.A.2)

Organizations maintain workstation security policies that outline specific measures to protect the physical workplace. Policies may have tiers of workstation security based on the sensitivity of data handled at that workstation. The CED specifies four required policy elements:

Requirement Attack It Prevents Why It Works
Lock devices before leaving unattended Unauthorized access via unattended session Screen lock forces re-authentication. An unattended logged-in session is an open door — no credentials required.
Clean desk policy Shoulder surfing of documents; document theft by visitors, cleaning staff, or passersby No sensitive information visible on any unattended desk at any time. Documents locked away, not left out.
Privacy screen filters or physical barriers Shoulder surfing of screen content Narrow viewing angle prevents neighbors or passersby from reading screen content. Required for open office environments handling sensitive data.
Connect devices to UPS or surge protectors Power disruption attacks and accidental power events UPS maintains power during outages; surge protectors prevent voltage damage. Both protect Availability by preventing unplanned downtime.
Check for UnderstandingDual Classification
Q 1 of 10

A company implements a policy requiring all employees to lock their workstation screens whenever they step away, regardless of how briefly. How is this control correctly classified on both axes?

APhysical and Detective — the physical act of locking detects unauthorized access attempts.
BTechnical and Preventive — the screen lock software is a technical control that prevents unauthorized session access.
CManagerial and Preventive — the lock-screen policy specifying required employee behavior is a Managerial control; it reduces the likelihood of unauthorized access before it occurs (Preventative function).
DManagerial and Corrective — the policy corrects the behavior of employees who leave sessions open.

32.3.3 — Physical Mitigation Controls (LO 2.3.B)

Physical mitigation controls are tangible barriers and systems that prevent, deter, or limit physical attacks. The CED specifies the key principle for selecting controls: determine how an adversary would exploit the vulnerability, then select a control that directly blocks that exploitation mechanism.

Perimeter Controls

ControlFencing and Gates (2.3.B.2)
Create a controlled perimeter — anyone entering the facility grounds must pass through a monitored gate, reducing unauthorized physical proximity to buildings. Gates can be badge-controlled, requiring authentication before vehicle or pedestrian access to the facility grounds.
Function: Primarily Deterrent (visible perimeter signals monitoring) and Preventative (physical barrier). Type: Physical.
ControlBollards (2.3.B.2)
Reinforced posts installed in front of building entrances and vehicle-adjacent walls. Bollards prevent vehicle-based attacks (vehicle ramming) from reaching building entrances. They protect against both intentional attacks and accidental vehicle collisions.
AP Exam Note: Bollards are CED-specific vocabulary. Know: Physical type, Preventative function, primary threat = vehicle access. Not applicable to pedestrian-only threats.

Entry Controls

ControlLocks (2.3.B.3)
Physical locks on doors, server cabinets, and devices prevent unauthorized access or theft. The most basic physical control. Effectiveness is limited by key management — a lock is only as secure as the process for controlling who has a key.
ControlCard Readers (2.3.B.4)
Electronic access control using proximity or smart cards. Card readers provide two critical advantages over physical locks: (1) Instant deactivation — when a card is lost or an employee leaves, one system command revokes access without physical re-keying. (2) Access logging — every access event is recorded: who (badge ID), when (timestamp), where (door), and result (granted or denied). These logs are the primary forensic tool for physical security investigations.
Function: Preventative (controls access) and Detective (logs events). Type: Physical (and Technical for the electronic system).
ControlAccess Control Vestibules and Turnstiles (2.3.B.5)
The primary physical control against tailgating and piggybacking. The CED (2.3.B.5) states: "Access control vestibules and turnstiles can prevent an authorized person from intentionally or accidentally admitting an unauthorized person into a restricted area." An access control vestibule (sometimes called a mantrap) is a physical space with two sequential doors: the first must fully close before the second can open. Only one person occupies the vestibule at a time, requiring independent authentication at each door.
Access Control Vestibule vs. Piggybacking: A mantrap mechanically stops tailgating but does NOT fully prevent piggybacking — a cooperative authorized person could authenticate for the attacker at the second door. Training addresses piggybacking; access control vestibules address tailgating. Turnstiles are the lower-security version used in lobbies and transit systems.
Check for UnderstandingSpot the Error
Q 2 of 10

A security consultant states: "Installing an access control vestibule at the server room entrance will eliminate both tailgating and piggybacking threats completely." What is the error?

AThe statement is correct — mantraps physically prevent all unauthorized following.
BThe statement is wrong — a mantrap mechanically prevents tailgating (unauthorized following without awareness) but cannot prevent piggybacking if the authorized person cooperates and authenticates for the attacker at the second door. Training is still required to address piggybacking.
CThe statement is wrong — mantraps only address piggybacking, not tailgating, because tailgating requires no cooperation.
DThe statement is wrong — mantraps are ineffective against both attack types and should be replaced with security cameras.

Device and Infrastructure Controls

ControlDisabling USB Ports (2.3.B.6)
Organizations can disable USB ports to prevent external drives from loading malware onto computers or exfiltrating data. Implementation: software-based (Group Policy, BIOS settings) or physical (USB port blockers that fill the port opening). This directly addresses the port access exploitation mechanism from Topic 2.2.B.5.
Type: Technical (software/hardware implementation) or Physical (physical port blockers). Function: Preventive.
ControlUninterruptible Power Supplies (UPS) and Generators (2.3.B.7)
The CED (2.3.B.7) states: "An uninterruptible power supply (UPS) provides a backup power source for a device in the event of a power outage. Organizations can also use power generators to provide power at a larger scale to a building or set of critical devices." A UPS maintains availability during outages long enough for a graceful shutdown or until power is restored. A generator provides longer-duration backup at campus or building scale.
CIA protected: Availability. Type: Physical. Function: Preventative (prevents Availability impact of power disruption) — note the CED spells this "Preventative."
Check for UnderstandingControl Selection
Q 3 of 10

✎ Predict first: Xtensr Labs found a hardware keylogger in a workstation. What was the attack mechanism? Which control directly blocks that specific mechanism?

After discovering that an adversary inserted a hardware keylogger into a research workstation's USB port during an after-hours physical access event, Xtensr Labs wants to prevent this specific attack vector in future. Which control most directly addresses the exploitation mechanism?

AInstall a mantrap at the server room entrance to prevent future unauthorized physical access.
BImplement a clean desk policy to prevent credentials from being visible on desks.
CDisable USB ports on all research workstations via Group Policy, or install physical USB port blockers in all exposed USB slots.
DInstall a UPS on all research workstations to protect against power disruption.

42.3.4 — Layering Controls: Defense-in-Depth Applied to Physical Security

Effective physical security applies the same layering principle as digital security: an adversary must defeat multiple independent controls to reach their objective. No single physical control is sufficient.

ScenarioXtensr Labs Physical Security Redesign — Layered Approach

Vulnerabilities identified (from Topic 2.2 assessment): No perimeter fencing; server room single-factor keycard; no camera inside corridor; USB ports active on all workstations; no shredding policy; no clean desk enforcement; no UPS on critical servers.

Layered mitigation — outside in:

P

Perimeter Layer

Install fencing with badge-controlled gate (prevents unauthorized facility grounds access); install bollards at main entrance (prevents vehicle ramming).

E

Entry Layer

Upgrade main entrance to card reader + PIN two-factor; install access control vestibule at server room entry (eliminates tailgating mechanically).

R

Room Layer

Add CCTV with motion detection in server room corridor; disable USB ports on all research machines; cable-lock workstations to desks.

H

Human Layer

Quarterly security awareness training (piggybacking refusal, USB drop awareness); clean desk policy with enforcement; visitor escort policy requiring badge at all times.

D

Data Protection Layer

Cross-cut shredder mandated for all sensitive documents; secure media destruction policy (physical destruction before disposal); UPS on all critical servers and network equipment.

Result

An adversary attempting to reach the server room now faces: fenced perimeter → badge-gated entry → access control vestibule → CCTV surveillance → USB-disabled workstations → shredding and media destruction requirements. Defeating one layer does not automatically expose the next.

Check for UnderstandingI/II/III
Q 4 of 10

Which of the following statements about physical mitigation controls are TRUE according to the AP CED?

I. Organizations should prioritize physical security mitigations based on severity of risk and cost-effectiveness of the solution.
II. An access control vestibule eliminates both tailgating and piggybacking without requiring any complementary controls.
III. Fencing and gates function as perimeter controls that deter and prevent unauthorized access before an adversary reaches the building itself.

AII only
BI and II only
CI and III only
DI, II, and III

52.3.5 — Prioritizing Physical Mitigations (CED 2.3.B.1 and 2.3.B.8)

CED 2.3.B.1 — How to Determine the Relevant Control "A cyber defender considers how an adversary could take advantage of the vulnerability and selects controls that prevent, detect, or correct that attack." The mechanism of exploitation determines the control — not the general risk category.

Three-Step Control Selection Process

1Identify the attack type and mechanism
How exactly would an adversary exploit this vulnerability? Is it tailgating? Dumpster diving? USB insertion? The specific mechanism determines which control works.
2Determine when the control must act
Before the attack attempt (Preventive)? During or after (Detective)? After damage occurs (Corrective)? Match the function to the need — if prevention is required, a detective-only control is insufficient.
3Prioritize by severity, then cost-effectiveness
High-severity risks first. Among same-severity risks, cost-effective solutions (cost of control less than expected annual loss from the attack) take priority. Avoid controls that cost more than the risk they address.
Check for UnderstandingPrioritization Scenario
Q 5 of 10

The Xtensr Labs security team has a $15,000 budget. Three vulnerabilities identified:

A. Access control vestibule at server room — $8,000 — addresses High risk tailgating threat
B. Decorative perimeter fencing — $12,000 — addresses Low risk aesthetic concern
C. Cross-cut shredder + media destruction policy — $1,200 — addresses Moderate risk dumpster diving

Which prioritization is BEST aligned with CED mitigation principles?

AFund B first ($12,000) — perimeter controls are the outermost defensive layer and should always be implemented before inner layers.
BFund A ($8,000) and C ($1,200) — prioritize by risk severity; High and Moderate risks total $9,200 within budget. The Low-risk decorative fencing at $12,000 is not cost-effective relative to the risk level it addresses.
CFund all three simultaneously — all identified vulnerabilities must be addressed before any mitigation is complete.
DFund C only ($1,200) — minimize expenditure until the organization can assess all risks comprehensively.

62.3.6 — Worked Scenarios

Check for UnderstandingMulti-Control Selection
Q 6 of 10

A hospital security audit finds employees frequently hold elevators for unfamiliar people rushing to board, regardless of whether they recognize them. Sensitive patient records are accessible on open terminals throughout all floors. Which combination of controls best addresses the specific threats present?

AInstall CCTV cameras in all elevators and corridors to deter and detect unauthorized access.
BSecurity awareness training (teaching employees to require badge verification before holding doors — addresses piggybacking) + screen lock policy on all terminals (prevents unauthorized access to patient records from unattended sessions).
CInstall bollards at the hospital entrance to prevent vehicle access to the building.
DDisable USB ports on all terminal computers to prevent data theft via removable media.
Check for UnderstandingWorkstation Policy
Q 7 of 10

✎ Predict first: The CFO handles sensitive financials in an open office and steps away for 10-15 minutes. What specific risks exist and which workstation policy elements address each?

Xtensr Labs' CFO works in a shared open office during quarterly earnings preparation. She reviews sensitive financial documents on her screen, and steps away frequently for 10-15 minute meetings. Which combination of workstation policy requirements best addresses the security risks present?

AScreen lock policy only — locking the screen when leaving addresses the primary risk.
BScreen lock policy (prevents unauthorized session access during absences) + privacy screen filter (blocks shoulder surfing of financial data from open-office neighbors and visitors) + clean desk policy (prevents physical document exposure when she steps away). Three risks, three controls.
CMove the CFO to a private office — this eliminates all open-office security concerns.
DInstall a mantrap outside the open office to prevent unauthorized physical access to the floor.
Check for UnderstandingUPS Function
Q 8 of 10

Which statement best describes the primary security function of a UPS in the context of the AP CED physical security framework?

AA UPS prevents adversaries from physically accessing a server room by triggering an alarm when power is disrupted.
BA UPS protects the Availability CIA property by providing battery backup power to maintain system operation during outages or power-disruption attacks, preventing authorized users from losing access to systems and data.
CA UPS primarily protects Confidentiality by encrypting data stored on powered systems during power events.
DA UPS is primarily a detective control that logs power disruption events for later forensic review.
Check for UnderstandingCard Reader Advantage
Q 9 of 10

An organization is deciding between a physical key lock and an electronic card reader for a server room door. Which advantage of card readers over physical locks is most directly relevant to the AP CED?

ACard readers are more resistant to physical lock-picking than traditional pin tumbler locks.
BCard readers can be instantly deactivated for a specific badge when a card is lost or an employee leaves, and they generate a timestamped access log of who entered, when, and whether access was granted or denied — physical keys provide neither capability.
CCard readers automatically notify security personnel when an unauthorized badge attempts access.
DCard readers are significantly less expensive than high-security physical locks, making them more cost-effective for organizations.
End of LessonComprehensive Integration
Q 10 of 10
As the Xtensr Labs physical security consultant, you present your mitigation recommendations. The facility director pushes back: "The server room mantrap is expensive. Can't we just add more security cameras and additional training instead? Cameras will deter anyone, and our staff is already pretty security-aware."

Which response best applies the CED's control selection and prioritization principles?

AThe director is correct — cameras and additional training together provide equivalent protection to a mantrap at lower cost, and user-facing controls are more flexible.
BCameras are detective controls (they record but don't stop tailgating) and training addresses piggybacking but not tailgating. A mantrap is the only control that mechanically prevents tailgating — which is a High-risk threat at the server room. The cost is justified by the severity. Cameras and training should supplement, not replace, the mantrap.
CAccept the risk — the server room tailgating threat is unlikely enough that cameras and training represent acceptable residual risk without a mantrap.
DDefer the decision until a quantitative risk assessment provides exact dollar figures for the tailgating risk, then compare to mantrap cost.

72.3.7 — Quick Reference: Control Selection by Attack

Attack Type Primary Preventive Control Supporting Managerial Control
Tailgating Access control vestibule (or turnstile) Security awareness training
Piggybacking Security awareness training (primary); mantrap (secondary) Visitor escort policy; "challenge culture"
Shoulder Surfing (screen) Privacy screen filter Workstation security policy
Shoulder Surfing (keypad) Physical keypad hood / barrier Security awareness training
Dumpster Diving Cross-cut shredder; secure media destruction Clean desk policy; secure disposal policy
Card Cloning Card + PIN two-factor; RFID-blocking sleeves Access log review policy
USB/Keylogger Insertion Disable USB ports; physical port blockers Acceptable use policy (no external devices)
Power Disruption UPS; generators; secured electrical systems Business continuity plan
Vehicle Ramming Bollards Perimeter access policy
Unauthorized facility access Fencing + badge-controlled gate; locks; card readers Visitor management policy
  • What is the difference between a mantrap and a turnstile?

    A mantrap (access control vestibule) has two sequential locked doors with a small contained space between them — the first must fully close before the second opens, and each person authenticates independently. A turnstile requires one badge scan per rotation and is used in lower-security environments. Turnstiles reduce tailgating significantly but are not as absolute as mantraps — determined adversaries can sometimes jump over or force a turnstile. The AP exam uses "access control vestibule" as the CED term; mantrap is the common name for the same concept.

  • Why is UPS listed under both Workstation Security Policy and Physical Mitigation Controls?

    Because a UPS serves both functions at different scales. Under Workstation Security Policy (2.3.A.2), UPS refers to the requirement that individual workstations be connected to surge protectors or UPS units. Under Physical Mitigation Controls (2.3.B.7), UPS refers to building-level or server-room-level power backup systems. The protection goal is the same (Availability), but the implementation scale differs.

  • Are bollards always the answer for vehicle-related physical threats?

    Bollards are the CED-specified control for vehicle-ramming threats to building entrances. For vehicle access control more generally, gates with badge readers at the facility perimeter are appropriate. Bollards address the specific threat of a vehicle being used as a weapon to drive through a building entrance — they physically stop vehicle momentum. For pedestrian access, bollards are irrelevant; for vehicle traffic management, gates are the appropriate control.

Premium Feature

1-on-1 Expert Support

Get personalized help from an AP Cybersecurity instructor — 2,067+ verified hours, 5.0 rating, 499+ reviews.

2,067+ Verified Hours 5.0 Wyzant Rating
Learn About Expert Sessions →
TC
Tanner Crow
AP Computer Science Teacher — Blue Valley North High School

Tanner has taught AP Computer Science for 11+ years and built APCSExamPrep.com to give every student access to the same resources his own students use. 2,067+ verified tutoring hours, 5.0 rating from 499+ reviews.

11+ Years Teaching AP CS 2,067+ Verified Tutoring Hours 499+ Five-Star Reviews 5.0 Rating on Wyzant
Content last reviewed and updated: June 2026
📋 Exit Ticket — Topic 2.3 | 5 Questions | Ready for Canvas / Google Classroom

Students submit before leaving.

  1. The CED names three specific things security awareness training should cover. List all three exactly. (AP Skill: Mitigate Risk)
  2. Classify each on both axes — type AND function: (a) Required policy: lock screens before stepping away. (b) CCTV camera in server room corridor. (c) Automatic backup restoration after ransomware. (AP Skill: Mitigate Risk)
  3. In one sentence, explain why an access control vestibule prevents tailgating but does not fully prevent piggybacking alone. (AP Skill: Mitigate Risk)
  4. Budget $5,000: (A) Access control vestibule $6,000 — High risk server room tailgating. (B) Cross-cut shredder $400 — Moderate risk dumpster diving. (C) USB port disabling policy $0 — High risk keylogger attacks. What should the school implement and why? (AP Skill: Mitigate Risk)
  5. A CFO works in an open office handling financial reports and steps away frequently. Name three workstation policy controls and explain which threat each addresses. (AP Skill: Mitigate Risk)
Answer Key: (1) Detecting social engineering like phishing; not badging others into restricted areas; preventing device theft. (2a) Managerial + Preventative; (2b) Physical + Detective; (2c) Technical + Corrective. (3) Vestibule requires individual authentication per door mechanically, but a cooperative authorized person could still authenticate for the attacker inside. (4) Implement B ($400) and C ($0); defer A — severity + cost-effectiveness per CED 2.3.B.8; $0 + $400 addresses 1 High + 1 Moderate within budget. (5) Privacy screen (shoulder surfing of screen) + screen lock policy (unattended session) + clean desk (document theft/exposure).
← Topic 2.2 Exercise 1 →

Get in Touch

Whether you're a student, parent, or teacher — I'd love to hear from you.

Just want free AP CS resources?

Enter your email below and check the subscribe box — no message needed. Students get daily practice questions and study tips. Teachers get curriculum resources and teaching strategies.

Typically responds within 24 hours

Message Sent!

Thanks for reaching out. I'll get back to you within 24 hours.

🏫 Welcome, fellow educator!

I offer curriculum resources, practice materials, and study guides designed for AP CS teachers. Let me know what you're looking for — whether it's classroom materials, a guest speaker, or Teachers Pay Teachers resources.

Email

[email protected]

📚

Courses

AP CSA, CSP, & Cybersecurity

Response Time

Within 24 hours

Prefer email? Reach me directly at [email protected]