In AP Cybersecurity, a managerial control (also called an administrative control) is a policy, procedure, or training program that guides how people protect physical spaces. Examples include security awareness training, workstation security policies, and clean desk rules.
A managerial control is the people-and-paperwork side of security. Instead of a lock or a firewall, it's a rule, a policy, or a training session that tells employees how to behave so the organization stays safe. Think of it as the rulebook, not the wall.
The CED ties this directly to physical security in topic 2.3. Two big examples show up under learning objective AP Cybersecurity 2.3.A. First, security awareness training teaches employees to spot phishing, refuse to badge strangers into restricted areas, and prevent device theft (EK 2.3.A.1). Second, a workstation security policy spells out how to protect a workspace, often with tiers based on how sensitive the data is, and usually requires locking devices and clearing desks (EK 2.3.A.2). Notice the pattern: managerial controls work by shaping human behavior, because the smartest lock in the world fails if someone holds the door open for an attacker.
This term lives in Unit 2: Securing Spaces, specifically topic 2.3 Protecting Physical Spaces. It directly supports learning objective AP Cybersecurity 2.3.A, which asks you to identify managerial controls related to physical security, and it connects to 2.3.B, where you pick mitigation strategies for physical vulnerabilities. The exam wants you to see that security isn't just hardware. A complete defense layers physical controls (fences, locks), technical controls (software, card readers), and managerial controls (policies, training) together. Recognizing which category a given safeguard falls into is a core skill the CED rewards.
Physical Control (Unit 2)
A physical control is the actual barrier (a lock, a fence, a bollard), while a managerial control is the policy that tells people to use it. The clean desk policy is managerial; the locking cabinet it points to is physical. The exam loves making you sort safeguards into the right bucket.
Technical Control (Unit 2)
Technical controls are enforced by technology, like card readers logging who enters a room. Managerial controls are enforced by humans following rules. The same goal, restricting access, can be reached through both, so know which mechanism is doing the work.
Security Policy (Unit 2)
A security policy is the written document that defines managerial controls. A workstation security policy or acceptable use policy is essentially a managerial control written down so everyone follows the same rules.
Least Privilege (Unit 2)
Least privilege is the principle that people get only the access they need. It's often enforced through managerial controls, like a policy that says only badged employees enter the server room, showing how a concept becomes a real rule.
Expect multiple-choice questions that describe a scenario and ask you to name the category. One stem describes employees completing security awareness training about phishing and device theft and asks which administrative practice that is; the answer is a managerial (administrative) control. Another describes an employee leaving sensitive contracts visible on a desk and asks which managerial control should prevent it; that's a clean desk policy. Your job is to read the scenario, spot whether the safeguard is a rule about behavior, a physical barrier, or a piece of technology, and label it correctly. No released FRQ has used this term verbatim, but it grounds the kind of layered-defense reasoning a free-response question can ask you to explain.
A managerial control governs behavior through policies and training (a workstation security policy, awareness sessions). A physical control is a tangible barrier (a lock, fence, or bollard). The clean desk policy is managerial; the locked drawer it requires is physical. If it's a rule people follow, it's managerial; if it's an object that blocks access, it's physical.
A managerial control (also called an administrative control) protects security through policies, procedures, and training rather than hardware or software.
Security awareness training and the workstation security policy are the two flagship examples named in EK 2.3.A.1 and 2.3.A.2.
Managerial controls work by shaping human behavior, which matters because people are often the weakest link in physical security.
On the exam, sort a given safeguard into managerial, physical, or technical; a policy is managerial, a lock is physical, a card reader is technical.
A workstation security policy can have tiers based on how sensitive the data handled at that workstation is.
It's a policy, procedure, or training program that guides how people protect a space, like security awareness training or a workstation security policy. It's covered in Unit 2, topic 2.3, under learning objective AP Cybersecurity 2.3.A.
Yes. The terms are used interchangeably to describe controls that work through rules and human behavior rather than physical barriers or technology.
A managerial control is a rule or training that tells people how to act, while a physical control is a tangible object like a lock, fence, or bollard. A clean desk policy is managerial; the locked cabinet it requires is physical.
Yes. EK 2.3.A.1 lists it as a managerial control because it educates employees to detect phishing, refuse to badge strangers in, and prevent device theft.
Because the best physical and technical controls fail if a person ignores them, like holding a secured door open for a stranger. Managerial controls close that human gap, which is why the CED layers all three control types together.