AP Cybersecurity 2.3: Protecting Physical Spaces | Controls Guide
Topic 2.3: Protecting Physical Spaces
Security awareness training, workstation security policies, fencing, locks, card readers, access control vestibules, USB port controls, and UPS — the managerial and physical controls that determine how well an organization defends its spaces against the attacks identified in Topic 2.2.
Topic 2.3 — What Is Testable
| CED Ref | Essential Knowledge | Covered In |
|---|---|---|
| 2.3.A.1 | Training: detecting social engineering like phishing • not badging others into restricted areas • preventing device theft | Section 2 |
| 2.3.A.2 | Workstation policy: lock devices, clean desk, privacy screen, connect to UPS/surge protector | Section 2 |
| 2.3.B.1 | Control selection: how adversary exploits vulnerability → prevent, detect, or correct | Section 5 |
| 2.3.B.2 | Fencing, gates, bollards deter physical building access | Section 3 |
| 2.3.B.3 | Locks on doors, server cabinets, computers prevent access or theft | Section 3 |
| 2.3.B.4 | Card readers: log badge use by time/location; deny unauthorized badges | Section 3 |
| 2.3.B.5 | Access control vestibules and turnstiles prevent intentional or accidental unauthorized entry | Section 3 |
| 2.3.B.6 | Disabling USB ports prevents malware loading from external drives | Section 3 |
| 2.3.B.7 | UPS provides backup power per device; generators provide building-scale backup | Section 3 |
| 2.3.B.8 | Prioritize mitigations by severity of risk and cost of mitigation | Section 5 |
Source: AP Cybersecurity CED, Effective Fall 2026. AP Skills: 2.A Identify security controls • 2.B Determine layered controls
- 2.3.1 — Learning Objectives (3 min)
- 2.3.2 — Managerial Controls (2.3.A) (12 min)
- 2.3.3 — Physical Mitigation Controls (2.3.B) (15 min)
- 2.3.4 — Layering Controls: DiD Applied (8 min)
- 2.3.5 — Prioritizing Mitigations (6 min)
- 2.3.6 — Worked Scenarios (10 min)
- 2.3.7 — Quick Reference Table (3 min)
- 2.3.8 — FAQ (3 min)
Students answer independently before the lesson. No notes.
- A company installs a card reader on the server room door. Name one advantage card readers have over physical key locks that directly helps physical security investigations.
- A director says: “We installed an access control vestibule — piggybacking and tailgating are both eliminated.” What is the error?
- Budget: $10,000. Choice A: $8,000 access control vestibule for a High-risk server room. Choice B: $9,500 perimeter fencing for a Low-risk aesthetic concern. Which do you choose and why? (Use CED 2.3.B.8)
Answers: (1) Access log audit trail + instant deactivation. (2) Vestibule stops tailgating; piggybacking needs training. (3) A — severity first, then cost-effectiveness.
12.3.1 — Learning Objectives
- Identify and describe managerial controls for physical security: security awareness training requirements and workstation security policy elements (2.3.A)
- Determine appropriate physical mitigation strategies for each identified risk: fencing, gates, bollards, locks, card readers, access control vestibules, USB port disabling, UPS systems (2.3.B)
- Apply defense-in-depth principles to physical space protection — layering controls so that bypassing one does not expose all assets
- Prioritize mitigations based on severity of risk and cost-effectiveness of the control
- Match the correct control type and function to each physical attack vector identified in Topic 2.2
22.3.2 — Managerial Controls for Physical Security (LO 2.3.A)
Security Awareness Training (CED 2.3.A.1)
Organizations should conduct employee security awareness training to educate employees about how they contribute to physical security. The CED specifies three areas of training content:
Training Content Area 1: Detecting Social Engineering
- Detecting social engineering attempts like phishing (CED 2.3.A.1 — exact language)
- Not badging other people into restricted areas — not for anyone, ever, regardless of stated authority or urgency
- Challenging unfamiliar persons in restricted areas ("who are you?")
- Preventing device theft — keeping devices in sight and reporting suspicious physical activity
Training Content Area 2 & 3: Device and Information Security
- Never plugging in unknown USB devices (combats USB drop attacks)
- Preventing device theft — never leaving devices unattended in public
- Reporting suspicious physical activity to security personnel
- Understanding that clean desk policy is a security requirement, not a preference
Security awareness training is classified as: Type = Managerial (it is a policy/procedure specifying required behavior) and Function = Preventive (it reduces the likelihood of attacks before they occur by changing human behavior). Do not classify it as Detective or Corrective.
Workstation Security Policy (CED 2.3.A.2)
Organizations maintain workstation security policies that outline specific measures to protect the physical workplace. Policies may have tiers of workstation security based on the sensitivity of data handled at that workstation. The CED specifies four required policy elements:
| Requirement | Attack It Prevents | Why It Works |
|---|---|---|
| Lock devices before leaving unattended | Unauthorized access via unattended session | Screen lock forces re-authentication. An unattended logged-in session is an open door — no credentials required. |
| Clean desk policy | Shoulder surfing of documents; document theft by visitors, cleaning staff, or passersby | No sensitive information visible on any unattended desk at any time. Documents locked away, not left out. |
| Privacy screen filters or physical barriers | Shoulder surfing of screen content | Narrow viewing angle prevents neighbors or passersby from reading screen content. Required for open office environments handling sensitive data. |
| Connect devices to UPS or surge protectors | Power disruption attacks and accidental power events | UPS maintains power during outages; surge protectors prevent voltage damage. Both protect Availability by preventing unplanned downtime. |
A company implements a policy requiring all employees to lock their workstation screens whenever they step away, regardless of how briefly. How is this control correctly classified on both axes?
32.3.3 — Physical Mitigation Controls (LO 2.3.B)
Physical mitigation controls are tangible barriers and systems that prevent, deter, or limit physical attacks. The CED specifies the key principle for selecting controls: determine how an adversary would exploit the vulnerability, then select a control that directly blocks that exploitation mechanism.
Perimeter Controls
Entry Controls
A security consultant states: "Installing an access control vestibule at the server room entrance will eliminate both tailgating and piggybacking threats completely." What is the error?
Device and Infrastructure Controls
✎ Predict first: Xtensr Labs found a hardware keylogger in a workstation. What was the attack mechanism? Which control directly blocks that specific mechanism?
After discovering that an adversary inserted a hardware keylogger into a research workstation's USB port during an after-hours physical access event, Xtensr Labs wants to prevent this specific attack vector in future. Which control most directly addresses the exploitation mechanism?
42.3.4 — Layering Controls: Defense-in-Depth Applied to Physical Security
Effective physical security applies the same layering principle as digital security: an adversary must defeat multiple independent controls to reach their objective. No single physical control is sufficient.
Vulnerabilities identified (from Topic 2.2 assessment): No perimeter fencing; server room single-factor keycard; no camera inside corridor; USB ports active on all workstations; no shredding policy; no clean desk enforcement; no UPS on critical servers.
Layered mitigation — outside in:
Perimeter Layer
Install fencing with badge-controlled gate (prevents unauthorized facility grounds access); install bollards at main entrance (prevents vehicle ramming).
Entry Layer
Upgrade main entrance to card reader + PIN two-factor; install access control vestibule at server room entry (eliminates tailgating mechanically).
Room Layer
Add CCTV with motion detection in server room corridor; disable USB ports on all research machines; cable-lock workstations to desks.
Human Layer
Quarterly security awareness training (piggybacking refusal, USB drop awareness); clean desk policy with enforcement; visitor escort policy requiring badge at all times.
Data Protection Layer
Cross-cut shredder mandated for all sensitive documents; secure media destruction policy (physical destruction before disposal); UPS on all critical servers and network equipment.
An adversary attempting to reach the server room now faces: fenced perimeter → badge-gated entry → access control vestibule → CCTV surveillance → USB-disabled workstations → shredding and media destruction requirements. Defeating one layer does not automatically expose the next.
Which of the following statements about physical mitigation controls are TRUE according to the AP CED?
I. Organizations should prioritize physical security mitigations based on severity of risk and cost-effectiveness of the solution.
II. An access control vestibule eliminates both tailgating and piggybacking without requiring any complementary controls.
III. Fencing and gates function as perimeter controls that deter and prevent unauthorized access before an adversary reaches the building itself.
52.3.5 — Prioritizing Physical Mitigations (CED 2.3.B.1 and 2.3.B.8)
Three-Step Control Selection Process
The Xtensr Labs security team has a $15,000 budget. Three vulnerabilities identified:
A. Access control vestibule at server room — $8,000 — addresses High risk tailgating threat
B. Decorative perimeter fencing — $12,000 — addresses Low risk aesthetic concern
C. Cross-cut shredder + media destruction policy — $1,200 — addresses Moderate risk dumpster diving
Which prioritization is BEST aligned with CED mitigation principles?
62.3.6 — Worked Scenarios
A hospital security audit finds employees frequently hold elevators for unfamiliar people rushing to board, regardless of whether they recognize them. Sensitive patient records are accessible on open terminals throughout all floors. Which combination of controls best addresses the specific threats present?
✎ Predict first: The CFO handles sensitive financials in an open office and steps away for 10-15 minutes. What specific risks exist and which workstation policy elements address each?
Xtensr Labs' CFO works in a shared open office during quarterly earnings preparation. She reviews sensitive financial documents on her screen, and steps away frequently for 10-15 minute meetings. Which combination of workstation policy requirements best addresses the security risks present?
Which statement best describes the primary security function of a UPS in the context of the AP CED physical security framework?
An organization is deciding between a physical key lock and an electronic card reader for a server room door. Which advantage of card readers over physical locks is most directly relevant to the AP CED?
Which response best applies the CED's control selection and prioritization principles?
72.3.7 — Quick Reference: Control Selection by Attack
| Attack Type | Primary Preventive Control | Supporting Managerial Control |
|---|---|---|
| Tailgating | Access control vestibule (or turnstile) | Security awareness training |
| Piggybacking | Security awareness training (primary); mantrap (secondary) | Visitor escort policy; "challenge culture" |
| Shoulder Surfing (screen) | Privacy screen filter | Workstation security policy |
| Shoulder Surfing (keypad) | Physical keypad hood / barrier | Security awareness training |
| Dumpster Diving | Cross-cut shredder; secure media destruction | Clean desk policy; secure disposal policy |
| Card Cloning | Card + PIN two-factor; RFID-blocking sleeves | Access log review policy |
| USB/Keylogger Insertion | Disable USB ports; physical port blockers | Acceptable use policy (no external devices) |
| Power Disruption | UPS; generators; secured electrical systems | Business continuity plan |
| Vehicle Ramming | Bollards | Perimeter access policy |
| Unauthorized facility access | Fencing + badge-controlled gate; locks; card readers | Visitor management policy |
-
What is the difference between a mantrap and a turnstile?
A mantrap (access control vestibule) has two sequential locked doors with a small contained space between them — the first must fully close before the second opens, and each person authenticates independently. A turnstile requires one badge scan per rotation and is used in lower-security environments. Turnstiles reduce tailgating significantly but are not as absolute as mantraps — determined adversaries can sometimes jump over or force a turnstile. The AP exam uses "access control vestibule" as the CED term; mantrap is the common name for the same concept.
-
Why is UPS listed under both Workstation Security Policy and Physical Mitigation Controls?
Because a UPS serves both functions at different scales. Under Workstation Security Policy (2.3.A.2), UPS refers to the requirement that individual workstations be connected to surge protectors or UPS units. Under Physical Mitigation Controls (2.3.B.7), UPS refers to building-level or server-room-level power backup systems. The protection goal is the same (Availability), but the implementation scale differs.
-
Are bollards always the answer for vehicle-related physical threats?
Bollards are the CED-specified control for vehicle-ramming threats to building entrances. For vehicle access control more generally, gates with badge readers at the facility perimeter are appropriate. Bollards address the specific threat of a vehicle being used as a weapon to drive through a building entrance — they physically stop vehicle momentum. For pedestrian access, bollards are irrelevant; for vehicle traffic management, gates are the appropriate control.
1-on-1 Expert Support
Get personalized help from an AP Cybersecurity instructor — 2,067+ verified hours, 5.0 rating, 499+ reviews.
Tanner has taught AP Computer Science for 11+ years and built APCSExamPrep.com to give every student access to the same resources his own students use. 2,067+ verified tutoring hours, 5.0 rating from 499+ reviews.
+Continue Learning
Students submit before leaving.
- The CED names three specific things security awareness training should cover. List all three exactly. (AP Skill: Mitigate Risk)
- Classify each on both axes — type AND function: (a) Required policy: lock screens before stepping away. (b) CCTV camera in server room corridor. (c) Automatic backup restoration after ransomware. (AP Skill: Mitigate Risk)
- In one sentence, explain why an access control vestibule prevents tailgating but does not fully prevent piggybacking alone. (AP Skill: Mitigate Risk)
- Budget $5,000: (A) Access control vestibule $6,000 — High risk server room tailgating. (B) Cross-cut shredder $400 — Moderate risk dumpster diving. (C) USB port disabling policy $0 — High risk keylogger attacks. What should the school implement and why? (AP Skill: Mitigate Risk)
- A CFO works in an open office handling financial reports and steps away frequently. Name three workstation policy controls and explain which threat each addresses. (AP Skill: Mitigate Risk)
Lesson → Exercise 1 → Exercise 2 → Lab → Quiz
Get in Touch
Whether you're a student, parent, or teacher — I'd love to hear from you.
Just want free AP CS resources?
Enter your email below and check the subscribe box — no message needed. Students get daily practice questions and study tips. Teachers get curriculum resources and teaching strategies.
Message Sent!
Thanks for reaching out. I'll get back to you within 24 hours.
Prefer email? Reach me directly at [email protected]