In AP Cybersecurity, confidentiality is the security principle that ensures only authorized individuals, systems, or processes can access data. It's the 'C' in the CIA triad, and systems lacking it are vulnerable to data theft or destruction.
Confidentiality means keeping data secret from anyone who isn't supposed to see it. Per EK 2.1.F.1, it ensures that only authorized individuals, systems, or processes can access data. If a system has no confidentiality, it's wide open to data theft or destruction.
Think of it as the lock on a diary. Confidentiality controls are the tools that enforce that lock: encryption that scrambles data so a thief gets gibberish, access controls that check who you are before letting you in, and authentication like passwords or biometrics. It's one of three pillars in the CIA triad, sitting next to integrity (data stays accurate) and availability (data stays accessible). Every security control you study should address at least one of these three principles, and confidentiality is the one focused on secrecy.
Confidentiality lives in Unit 2: Securing Spaces, specifically Topic 2.1 Cyber Foundations, and it directly supports AP Cybersecurity 2.1.F, identifying types of security controls. You can't classify a control without knowing which principle it protects, so confidentiality is a building block for the whole unit. It also connects to 2.1.G (defense in depth), because layered defenses stack multiple confidentiality controls so that if one fails, another still guards the data. On the exam, this is foundational vocabulary that shows up in control-classification questions across the unit.
Keep studying AP Cybersecurity Unit 2
Visual cheatsheet
view galleryThe CIA Triad (Unit 2)
Confidentiality is the 'C' in the CIA triad. The other two are integrity (data is accurate) and availability (data is reachable when needed). Learning all three together is the fastest way to classify any security control correctly.
Defense in Depth (Unit 2)
A layered defense stacks multiple confidentiality controls so a single bypassed control doesn't expose the data. Encryption plus access control plus authentication all protect secrecy at different layers.
Social Engineering Attacks (Unit 2)
Pretexting, authority, and intimidation (EK 2.1.A) all try to trick someone into handing over secret data. They're attacks aimed straight at breaking confidentiality without ever touching a firewall.
Risk Assessment and Assets (Unit 2)
An asset like intellectual property or customer data is valuable precisely because it's supposed to stay confidential. When you assess risk, you're often measuring the threat to confidentiality of a specific asset.
Expect MCQs that hand you a scenario and ask which principle or control type it represents. A classic stem: 'A company wants to prevent malicious software on a laptop from sending sensitive data to external servers, which control is most appropriate?' That's a confidentiality question, because the goal is keeping data from leaking out. Another asks directly, 'Which of the following is an example of a confidentiality control?' Your job is to recognize encryption, access controls, and authentication (like biometric fingerprint scanning before entering a server room) as confidentiality-focused. Don't mix it up with integrity or availability controls. No released FRQ has used the term verbatim, but the principle underpins control-classification reasoning throughout Unit 2.
Confidentiality is about secrecy, keeping data from the wrong eyes. Integrity is about accuracy, keeping data from being tampered with or changed. Encryption protects confidentiality; a checksum or hash protects integrity. A system can leak secret data (confidentiality fail) while the data itself is still perfectly accurate (integrity intact).
Confidentiality ensures only authorized individuals, systems, or processes can access data, and it's the 'C' in the CIA triad.
Systems lacking confidentiality are vulnerable to data theft or destruction (EK 2.1.F.1).
Encryption, access controls, and authentication (like biometric scanning) are common confidentiality controls.
Confidentiality is about secrecy, integrity is about accuracy, and availability is about access, so don't confuse the three.
A defense-in-depth strategy layers multiple confidentiality controls so one failure doesn't expose the data.
Confidentiality is the security principle that ensures only authorized individuals, systems, or processes can access data. It's the 'C' in the CIA triad, and it's tested in Unit 2, Topic 2.1.
No. Confidentiality keeps data secret from unauthorized users, while integrity keeps data accurate and untampered. Encryption protects confidentiality; hashing and checksums protect integrity.
Encryption that scrambles data, access controls that restrict who can open files, and authentication like passwords or biometric fingerprint scanning all protect confidentiality. They all share one goal: keeping data away from anyone who isn't authorized.
Confidentiality is the 'C,' integrity is the 'I,' and availability is the 'A.' Every security control should address at least one of these three principles, and confidentiality is the one focused on secrecy.
Most often through MCQs that describe a scenario and ask which security control or principle applies. If the goal is stopping data from leaking or being seen by the wrong people, the answer is confidentiality.
Connect this key term to the AP exam workflow: review the course, practice questions, and check related study tools.