In AP Cybersecurity, a physical vulnerability is a weakness in the physical environment of an asset (like an unlocked server room or a propped-open door) that an adversary can exploit to compromise data, systems, or hardware.
A physical vulnerability is any weakness in the real-world, physical setup around an asset that lets an adversary get to it. Think unlocked doors, exposed network cables, a server room anyone can walk into, or a laptop left out on a desk. Cybersecurity isn't only about software and passwords. If someone can physically touch a machine, plug in a USB drive, or steal a hard drive, all the digital protections in the world can be bypassed.
In the CED's risk framework, risk happens when a threat can exploit a vulnerability to compromise an asset (EK 2.1.D.1). A physical vulnerability is one flavor of that vulnerability. Assets aren't just data and software. The CED specifically lists physical property and digital infrastructure as assets worth protecting (EK 2.1.D.2). That's why physical weaknesses count: the hardware holding your data is itself an asset, and the building it sits in is part of the attack surface.
This lives in Unit 2: Securing Spaces, under Topic 2.1 Cyber Foundations. It supports the risk assessment objective (AP Cybersecurity 2.1.D), where you weigh the likelihood and severity of an attack against a specific vulnerability, and the security controls objective (AP Cybersecurity 2.1.F), since physical controls (locks, badges, cameras) are a real category of defense. It also connects to defense in depth (AP Cybersecurity 2.1.G), because physical security is one of the layers that protects data when other layers fail. The big-picture theme: securing a system means securing everything around it, not just the code.
Risk Assessment and the Threat-Vulnerability-Asset Chain (Unit 2)
A physical vulnerability only becomes risk when a threat can reach it and an asset is on the line. An unlocked server room is harmless until an adversary walks through it to steal hardware, which is exactly the likelihood-plus-severity equation you assess in EK 2.1.D.3.
Security Controls and Defense in Depth (Unit 2)
Physical controls like locks, badge readers, and cameras are one layer of a layered defense. When a firewall gets bypassed, a locked server cage might still stop the attacker, which is the whole point of defense in depth (EK 2.1.G.3).
Insider Adversaries and Social Engineering (Unit 2)
Insiders already have legitimate physical access (EK 2.1.B.3), and social engineers can talk their way past a front desk using pretexting or authority (EK 2.1.A.2, 2.1.A.3). Physical vulnerabilities are often exploited by people, not malware, so human threats and physical weaknesses go hand in hand.
Expect physical vulnerability to show up inside the risk assessment process rather than as a standalone topic. MCQ stems may describe a scenario (a propped-open door, an unattended workstation, a stolen laptop) and ask you to identify it as a vulnerability, classify the type of security control that addresses it, or explain how defense in depth still protects the asset. On a free-response prompt about securing an organization, you can earn points by naming a physical control alongside digital ones to show you understand layered defense. The skill to practice: distinguish a physical vulnerability from a digital one, then match it to the right control.
A physical vulnerability is a weakness in the real-world environment, like an unlocked door or an exposed cable. A digital vulnerability is a weakness in software, configuration, or networks, like an unpatched system or a weak password. Both fit the same risk equation, but you fix them with different controls: locks and badges versus patches and firewalls.
A physical vulnerability is a weakness in the physical environment of an asset, such as an unlocked server room or an exposed network port, that an adversary can exploit.
Physical property and digital infrastructure are listed as assets in the CED (EK 2.1.D.2), so the hardware and the building protecting your data both matter.
Risk only exists when a threat can reach a vulnerability and an asset is at stake, so a physical weakness becomes risk only when someone can actually exploit it.
Physical controls like locks, badges, and cameras are one layer of a defense-in-depth strategy and can stop an attacker even after digital defenses fail.
Insiders and social engineers often exploit physical vulnerabilities directly because they can gain physical access without ever touching code.
It's a weakness in the physical environment around an asset, like an unlocked door, an unattended laptop, or exposed cabling, that an adversary can exploit to reach data or hardware. It fits the CED's risk framework where a threat exploits a vulnerability to compromise an asset (EK 2.1.D.1).
Yes. If someone can physically touch a machine, steal a drive, or plug in a USB device, they can bypass digital protections entirely. The CED counts physical property and digital infrastructure as assets (EK 2.1.D.2), which is why physical controls are a recognized security control type.
A physical vulnerability is a weakness in the real-world setup, like an open door or stolen hardware, while a digital vulnerability is a software or network weakness, like an unpatched system. You address physical ones with locks, badges, and cameras and digital ones with patches and firewalls.
Defense in depth uses multiple layers so that when one control is bypassed, another still protects the asset (EK 2.1.G.3). Physical security is one of those layers, so a locked server cage might stop an attacker who already got past the firewall.
Often insiders, who already have legitimate physical access (EK 2.1.B.3), and social engineers, who use pretexting or authority to talk their way into a building (EK 2.1.A.2, 2.1.A.3). Physical weaknesses are frequently exploited by people rather than malware.