AP exam review verified for 2027

AP Cybersecurity Unit 2 Review: Securing Spaces

Review AP Cybersecurity Unit 2 to understand how adversaries breach physical spaces and how defenders use managerial, physical, and detection controls to stop them. This unit builds the adversarial thinking skills you will apply across every later unit in the course.

Use the topic guides, key terms, and practice questions available for this unit to work through each concept before your exam.

What is AP Cybersecurity unit 2?

Unit 2 asks you to think like both an attacker and a defender in a physical space. Adversaries who reach a device in person can often bypass firewalls, encryption, and other technical controls entirely, so physical security is not optional. This unit gives you the vocabulary and reasoning framework to identify weaknesses, evaluate threats, and choose controls that prevent, detect, or correct physical breaches.

Unit 2 covers social engineering, adversary types, cyberattack phases, risk assessment, physical attacks such as tailgating and dumpster diving, and the managerial and physical controls that protect and monitor a space.

Social engineering and adversaries

Social engineers exploit psychology rather than technology. Tactics include pretexting, authority, urgency, scarcity, and familiarity. Adversary types range from low-skilled script kiddies to insider threats and cyberterrorists, each with different motivations and capabilities.

Physical attacks and risk

Physical attacks include piggybacking, tailgating, shoulder surfing, dumpster diving, and card cloning. Risk is assessed by weighing the likelihood of an exploit against the severity of damage. Organizations then choose to avoid, transfer, mitigate, or accept each risk.

Controls and detection

Protecting a space uses managerial controls like security awareness training and workstation policies, and physical controls like fencing, locks, card readers, and access control vestibules. Detection relies on cameras, motion sensors, security guards, and employees, each placed where they provide the most coverage.

Defense in depth starts with the physical layer

A single control is never enough. Defense in depth layers human, physical, network, device, application, and data protections so that when one control fails, another limits the damage. In Unit 2, that principle plays out in the physical space: a fence deters entry, a card reader logs and restricts it, a camera records it, and a motion sensor triggers an alert. Each layer compensates for the weaknesses of the others.

AP Cybersecurity unit 2 topics

2.1

Cyber Foundations

Covers social engineering tactics (pretexting, authority, urgency, scarcity, familiarity, consensus, intimidation), adversary types (script kiddies, hacktivists, insider threats, cyberterrorists), the six phases of a cyberattack, risk assessment using likelihood and severity, the four risk management strategies, security control types, and defense in depth.

2.2

Physical Vulnerabilities and Attacks

Covers common physical attacks including piggybacking, tailgating, shoulder surfing, dumpster diving, and card cloning; how threats exploit physical vulnerabilities such as power disruption and unauthorized access; and how to assess and document risk levels from physical weaknesses in a space.

2.3

Protecting Physical Spaces

Covers managerial controls like security awareness training, workstation security policies, and clean desk policies, as well as physical controls including fencing, bollards, locks, card readers, access control vestibules, turnstiles, disabled USB ports, and uninterruptible power supplies.

2.4

Detecting Physical Attacks

Covers detection controls including cameras, security guards, motion sensors, and alert employees; how to determine effective placement for each control based on traffic patterns and coverage needs; and how to apply detection techniques such as pairing motion sensors with cameras and reviewing door-open logs to identify tailgating.


Unit 2 review notes

2.1

Social Engineering, Adversaries, and Cyberattack Phases

Social engineering manipulates people psychologically rather than exploiting technical flaws. Adversaries use tactics like pretexting to create a believable cover story, authority to impersonate someone with power, urgency to force quick decisions, and scarcity to suggest limited time or resources. Familiarity and consensus round out the toolkit by building false trust or social pressure. Adversary types matter because they shape the likely threat: script kiddies use existing tools with little skill, hacktivists are driven by causes, insider threats already have legitimate access, and cyberterrorists target critical infrastructure. Cyberattacks move through phases: reconnaissance using open source intelligence (OSINT), initial access often via social engineering, persistence through command and control (C2), lateral movement to reach more systems, taking action on objectives, and evading detection.

  • Pretexting: Creating a believable false reason to contact a target, such as posing as IT support to request credentials.
  • Urgency: Pressuring a target with a deadline so they act before thinking critically, such as claiming an account will be locked in minutes.
  • Insider threat: An adversary with legitimate credentials and access who may be motivated by greed, revenge, or recruitment by outside parties.
  • Reconnaissance: The first attack phase, where adversaries gather information about a target using OSINT and other freely available sources.
  • Persistence: Maintaining access after initial entry, often through C2 protocols, so the adversary does not need to regain a foothold.
Can you name four social engineering tactics and explain what psychological lever each one pulls? Can you place reconnaissance, initial access, and persistence in the correct order and describe what happens in each phase?

Adversary Type | Primary Motivation | Skill Level | Example Target
Script kiddie | Greed or recognition | Low | Any accessible system
Hacktivist | Social or political cause | Varies | Organizations they oppose
Insider threat | Greed or revenge | High (has access) | Employer's data or systems
Cyberterrorist | Politics or ideology | High | Power grids, water plants

2.1

Risk Assessment, Risk Management, and Security Controls

Risk exists when a threat can exploit a vulnerability to harm an asset. Assets include data, physical property, intellectual property, reputation, and digital infrastructure. Risk assessment weighs two factors: the likelihood that a vulnerability will be exploited and the severity of the resulting damage. Likelihood depends on target value, exploit difficulty, and adversary motivation. Once assessed, organizations choose one of four responses: avoid the risky activity, transfer the risk to an insurer or third party, mitigate it with security controls, or accept the residual risk that remains after other strategies are applied. Security controls are classified by what they protect (CIA triad: confidentiality, integrity, availability) and by type: physical controls like locks and cameras, technical controls like firewalls and encryption, and managerial controls like policies and training. Defense in depth layers all three types so no single failure exposes the whole system.

  • CIA triad: Confidentiality (only authorized access), integrity (data is accurate and unaltered), and availability (systems are accessible when needed).
  • Risk mitigation: Implementing security controls to reduce the likelihood or impact of a risk.
  • Residual risk: The risk that remains after avoidance, transference, and mitigation have been applied; the level an organization accepts.
  • Defense in depth: A layered security strategy using multiple control types so that bypassing one layer does not expose the entire system.
  • Managerial control: Policies, procedures, and training that govern how people behave to support security, such as an acceptable use policy.
Given a scenario, can you identify the asset, the threat, and the vulnerability? Can you recommend whether to avoid, transfer, mitigate, or accept a described risk and justify your choice?

Risk Response | What It Does | When It Applies
Avoid | Stops the risky activity entirely | Activity is not essential to the mission
Transfer | Shifts financial burden to insurer or third party | Risk cannot be eliminated but cost can be shared
Mitigate | Adds controls to reduce likelihood or impact | Activity must continue; controls are feasible
Accept | Acknowledges residual risk without further action | Remaining risk is within tolerable limits

2.2

Physical Attacks and Vulnerabilities

Physical attacks let adversaries reach devices directly, often bypassing technical controls entirely. Piggybacking uses social engineering to get an authorized person to grant access, such as holding a door open for someone carrying boxes. Tailgating is similar but the authorized person is unaware they are being followed. Shoulder surfing means watching a user enter credentials or view sensitive data. Dumpster diving recovers discarded documents or hardware that contain useful information. Card cloning copies the data from an access card to create a duplicate. Physical vulnerabilities arise when sensitive systems are in spaces with insufficient access controls. High-risk scenarios include an unlocked server room in an unmonitored hallway. Moderate-risk scenarios include a reception computer with exposed USB ports connected to the internal network. Natural disasters also count as threats because they can destroy hardware and disrupt services.

  • Piggybacking: An adversary uses social engineering to convince an authorized person to grant them access to a restricted area.
  • Tailgating: An adversary follows an authorized person into a restricted area without that person's knowledge.
  • Shoulder surfing: Watching a user enter credentials or view sensitive information to capture that data.
  • Dumpster diving: Searching discarded materials for documents, hardware, or data that can be used in an attack.
  • Card cloning: Copying the data stored on an access card to create a duplicate that can be used to gain unauthorized entry.
Can you distinguish piggybacking from tailgating? Can you classify a described physical scenario as high, moderate, or low risk and explain what makes it that level?

Attack | Requires Social Engineering? | Authorized Person Aware?
Piggybacking | Yes | Yes
Tailgating | No | No
Shoulder surfing | No | Usually not
Dumpster diving | No | N/A
Card cloning | Sometimes | No

2.3

Protecting Physical Spaces

Protecting a physical space requires both managerial and physical controls working together. Managerial controls include security awareness training (teaching employees to spot social engineering, not badge others in, and prevent device theft), workstation security policies (locking screens when stepping away, clean desk policies, privacy screen filters), acceptable use policies, and software installation policies. Physical controls create barriers and checkpoints: fencing and bollards deter vehicle and foot access at the perimeter, locks on doors and server cabinets prevent unauthorized entry, card readers log and restrict badge access, access control vestibules and turnstiles stop piggybacking by allowing only one person through at a time, and disabling USB ports prevents unauthorized data transfer. Uninterruptible power supplies (UPS) protect against power disruption attacks by keeping systems running during outages.

  • Clean desk policy: A workstation rule requiring employees to clear sensitive documents from their workspace before leaving it unattended.
  • Access control vestibule: A small entry chamber that allows only one person through at a time, preventing piggybacking and tailgating.
  • Bollard: A physical post installed around a building perimeter to prevent vehicles from ramming into the structure.
  • Badge access: An electronic system where employees use credential-encoded cards to unlock restricted areas, creating an entry log.
  • Workstation security policy: An organizational policy specifying how employees must secure their physical workspace, including screen locking and clean desk requirements.
Can you match a described physical vulnerability to a specific managerial or physical control that mitigates it? Can you explain why an access control vestibule is more effective than a standard locked door for preventing piggybacking?

2.4

Detecting Physical Attacks and Placement Strategies

Detection controls identify a breach after or as it happens. Cameras provide a visual record and can be paired with facial recognition to alert defenders when an unauthorized person enters. Security guards can observe and respond in real time. Motion sensors alert security to unexpected movement but generate false alarms in high-traffic areas, so they work best in low-traffic spaces like server rooms. Employees are often the first to notice an unfamiliar person and should know how to report it. Placement matters as much as the control itself. Cameras should cover all ingress and egress points, be angled to capture useful detail, and be positioned where they cannot easily be tampered with. Motion sensors belong in areas where movement is unexpected. Locks should secure every entry to a sensitive area, and for the most sensitive spaces, an access control vestibule adds a second barrier. Door sensors that log how long an entry stays open can flag potential tailgating when a door is open longer than a single badge swipe normally requires.

  • Surveillance camera: A camera that records and monitors activity in a space; most effective when footage is actively monitored and stored for review.
  • Motion sensor: A device that detects movement and triggers an alert; most useful in low-traffic areas to reduce false alarms.
  • Security guard: A human control that monitors an area and can respond immediately to detected suspicious activity.
  • Detective control: A security control that identifies and records a breach or suspicious event, such as a camera or motion sensor.
  • Preventative control: A security control that stops an attack before it succeeds, such as a locked door or access control vestibule.
Can you explain why a motion sensor should not be placed in a busy hallway? Can you describe how pairing a motion sensor with a camera improves detection compared to using either control alone?

Detection Control | Best Placement | Works Best When Paired With
Camera | Ingress/egress points, server rooms | Facial recognition software, security guard monitoring
Motion sensor | Low-traffic areas, server rooms | Camera to visually verify the alert
Security guard | Entry points, reception areas | Camera feeds and badge access logs
Door sensor | All restricted-area entries | Badge access logs to detect tailgating
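
The door-open log review described in this topic, as an added example that is not part of the original review notes: it pairs each door-open event with the badge swipe that preceded it and flags doors held open far longer than usual, plus doors that opened with no swipe at all. The CSV log layouts, the 10-second matching window, the median baseline, and the 3x factor are assumptions chosen for illustration, and every log row is constructed.

```python
"""Door-open log review: pair each door-open event with a badge swipe and
flag events worth checking against camera footage (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Optional

# Constructed sample logs (assumed CSV layouts, not from a real system).
# Badge log: swipe time, door, badge ID
BADGE_LOG = """\
2025-03-02T08:01:10,server-room,E1041
2025-03-02T09:15:42,server-room,E2210
2025-03-02T13:30:05,server-room,E1041
2025-03-02T23:47:12,server-room,E3307
"""
# Door sensor log: time the door opened, door, seconds it stayed open
DOOR_LOG = """\
2025-03-02T08:01:12,server-room,5
2025-03-02T09:15:44,server-room,6
2025-03-02T13:30:07,server-room,7
2025-03-02T23:47:14,server-room,31
2025-03-03T02:10:00,server-room,9
"""


@dataclass
class Finding:
    when: datetime
    door: str
    reason: str            # "held-open" or "no-badge"
    badge: Optional[str]   # badge that unlocked the door, if any
    seconds_open: int


def parse_rows(text):
    """Yield (timestamp, door, value) from 'ISO time,door,value' lines."""
    for line in text.strip().splitlines():
        ts, door, value = (field.strip() for field in line.split(","))
        yield datetime.fromisoformat(ts), door, value


def review_door_events(badge_text, door_text, factor=3.0,
                       window=timedelta(seconds=10)):
    """Return door-open events that need a human to check the camera."""
    badges = list(parse_rows(badge_text))  # assumed to be in time order
    opens = [(ts, door, int(sec)) for ts, door, sec in parse_rows(door_text)]

    # Baseline per door = median open time, so one long event cannot
    # drag the "normal" value upward the way a mean would.
    durations = {}
    for _, door, sec in opens:
        durations.setdefault(door, []).append(sec)
    baseline = {door: median(values) for door, values in durations.items()}

    findings = []
    for ts, door, sec in opens:
        # Badge swipes at this door in the window just before it opened.
        swipes = [badge for b_ts, b_door, badge in badges
                  if b_door == door and timedelta(0) <= ts - b_ts <= window]
        if not swipes:
            # Opened with no swipe: propped, forced, or an exit. Review it.
            findings.append(Finding(ts, door, "no-badge", None, sec))
        elif sec > factor * baseline[door]:
            # Badged entry, but open far longer than one entry normally takes.
            findings.append(Finding(ts, door, "held-open", swipes[-1], sec))
    return findings


if __name__ == "__main__":
    for f in review_door_events(BADGE_LOG, DOOR_LOG):
        print(f"{f.when.isoformat()} {f.door} {f.reason} "
              f"badge={f.badge} open={f.seconds_open}s -> check camera")
```

A flag here is only a lead for review: the door sensor and badge log say when to look, and camera footage for that timestamp is what confirms whether a second person actually entered.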

Practice AP Cybersecurity unit 2 questions

Try AP-style multiple-choice questions and written prompts after you review the notes.

Example AP-style MCQs

AP-style practice question (MCQ)

A security analyst reviews an incident report showing that an unauthorized person entered a server room by walking in directly behind a badged employee. Which managerial control, if properly enforced, would most directly address the employee behavior that enabled this breach?

  • Security awareness training that teaches employees never to badge others into restricted areas
  • A workstation security policy that requires locking devices before leaving them unattended
  • A workstation security policy that mandates a clean desk before employees leave their workstations
  • Security awareness training that teaches employees to detect phishing emails and suspicious links

AP-style practice question (MCQ)

A cybersecurity analyst is investigating a suspected physical intrusion at a research laboratory. Badge logs show that an authorized researcher badged into the genomics data room at 11:47 p.m., and the door-open sensor recorded the door remaining open for 38 seconds—more than six times the 6-second baseline. Camera footage from the hallway outside the room shows two individuals entering the doorway at 11:47 p.m. The researcher claims to have entered alone. Evaluating all three data sources together, what conclusion is best supported?

  • A tailgating incident likely occurred, with an unauthorized individual using the researcher's badge event to gain undetected entry into the genomics data room
  • The badge reader malfunctioned and recorded a false entry event, causing the door sensor to log an inaccurate open duration for that timestamp
  • The researcher propped the door open intentionally to allow a colleague with authorized access to enter without badging, which is a policy violation but not a physical attack
  • The camera footage is unreliable because hallway cameras cannot confirm identity, so only the badge log should be used to determine whether a breach occurred

Key terms

  • CIA triad: The three core security principles: confidentiality (restrict access to authorized users), integrity (keep data accurate and unaltered), and availability (keep systems accessible when needed).
  • defense in depth: A layered security strategy that uses multiple control types so that when one layer is bypassed, others still limit damage.
  • pretexting: A social engineering tactic where an adversary creates a believable false reason to contact a target, such as posing as IT support.
  • risk: The potential for harm that exists when a threat can exploit a vulnerability to compromise an asset.
  • residual risk: The risk that remains after an organization has applied avoidance, transference, and mitigation strategies; the level the organization accepts.
  • piggybacking: A physical attack where an adversary uses social engineering to get an authorized person to knowingly grant them access to a restricted area.
  • tailgating: A physical attack where an adversary follows an authorized person into a restricted area without that person's awareness.
  • shoulder surfing: Watching a user enter credentials or view sensitive data to capture that information.
  • dumpster diving: Searching discarded materials for documents, hardware, or data useful to an attacker.
  • access control vestibule: An entry chamber that allows only one person through at a time, preventing piggybacking and tailgating.
  • managerial control: A policy, procedure, or training program that shapes human behavior to support security, such as a workstation security policy or acceptable use policy.
  • physical control: A tangible security measure in the physical space, such as a lock, fence, bollard, or camera.
  • surveillance camera: A camera that records and monitors a space; most effective when footage is actively monitored and stored for post-incident review.
  • motion sensor: A device that detects movement and triggers an alert; most effective in low-traffic areas where any movement is unexpected.
  • open source intelligence: Freely available information gathered during the reconnaissance phase of an attack to learn about a target.

Common unit 2 mistakes

Confusing piggybacking with tailgating

Piggybacking requires social engineering: the authorized person knowingly (if mistakenly) lets the adversary in. Tailgating means the authorized person has no idea they are being followed. The distinction matters when identifying which attack occurred in a scenario.

Treating risk acceptance as doing nothing

Risk acceptance is a deliberate decision made after avoidance, transference, and mitigation have been considered. It acknowledges that absolute security is unattainable and that the residual risk falls within tolerable limits. It is not the same as ignoring a risk.

Placing motion sensors in high-traffic areas

Motion sensors in busy hallways generate constant false alarms, which causes staff to stop responding seriously to alerts. Motion sensors are most effective in low-traffic spaces like server rooms where any movement is unexpected.

Assuming technical controls make physical controls unnecessary

Physical access to a device often lets an adversary bypass firewalls, encryption, and other technical controls entirely. Defense in depth requires physical controls as a foundational layer, not an optional add-on.

Mixing up control types when answering scenario questions

A workstation security policy is a managerial control. A lock is a physical control. A firewall is a technical control. Exam scenarios often ask you to identify the type of control being described or to recommend the correct type for a given situation.

How this unit shows up on the AP exam

Scenario-based control selection

AP Cybersecurity exam questions frequently describe a physical space or incident and ask you to identify the attack that occurred, classify the vulnerability, or recommend a specific control. Practice reading a scenario and quickly naming the attack type (piggybacking vs. tailgating), the control type (managerial vs. physical vs. technical), and the CIA principle at risk.

Risk assessment reasoning

Expect questions that ask you to evaluate a described risk using likelihood and severity, then justify a risk response. You may need to explain why mitigation is preferred over acceptance in one scenario, or why avoidance is not possible when an activity is central to an organization's mission.

Placement and defense-in-depth justification

Questions may present a building diagram or description and ask where to place cameras, motion sensors, or locks, and why. Strong answers explain the reasoning behind placement choices, such as why a motion sensor in a server room is more effective than one in a lobby, and how layering controls creates resilience when one is bypassed.

Final unit 2 review checklist

  • Identify all seven social engineering tactics: Name and explain pretexting, authority, intimidation, consensus, scarcity, familiarity, and urgency. For each, describe the psychological lever the adversary is pulling.
  • Classify adversary types and attack phases: Match each adversary type to its motivation and skill level. Place reconnaissance, initial access, persistence, lateral movement, taking action, and evading detection in order and describe what happens in each phase.
  • Apply the risk assessment process: Given a scenario, identify the asset, threat, and vulnerability. Estimate likelihood and severity, then recommend one of the four risk responses (avoid, transfer, mitigate, accept) with a justification.
  • Distinguish physical attacks from one another: Explain the difference between piggybacking and tailgating, and between shoulder surfing and dumpster diving. Know which attacks rely on social engineering and which do not.
  • Match controls to vulnerabilities: For a described physical vulnerability, select an appropriate managerial control (training, workstation policy) or physical control (lock, vestibule, bollard, card reader) and explain how it prevents, detects, or corrects the threat.
  • Justify detection control placement: Explain why cameras belong at ingress and egress points, why motion sensors should avoid high-traffic areas, and how pairing a motion sensor with a camera reduces false-alarm problems.
  • Explain defense in depth using Unit 2 examples: Describe how layering a perimeter fence, a card reader, a camera, and a motion sensor creates resilience so that bypassing one control does not expose the entire space.

How to study unit 2

Step 1: Build your social engineering and adversary vocabulary
Read the Topic 2.1 guide and list all seven social engineering tactics with a one-sentence example for each. Then create a table of adversary types with their motivations and skill levels. Check your understanding against the key terms available for this unit.

Step 2: Work through risk assessment with practice scenarios
Review the risk assessment process from Topic 2.1: asset, threat, vulnerability, likelihood, severity, and the four response options. Write out a risk assessment for two or three physical scenarios, such as an unlocked server room or a reception computer with exposed USB ports, and choose a risk response for each.

Step 3: Identify and distinguish physical attacks
Review Topic 2.2 and practice telling piggybacking, tailgating, shoulder surfing, dumpster diving, and card cloning apart. Use the comparison table in your notes to check which attacks require social engineering and whether the authorized person is aware.

Step 4: Match controls to vulnerabilities
Review Topic 2.3 and for each physical attack or vulnerability you studied, write down one managerial control and one physical control that mitigates it. Practice explaining why an access control vestibule stops piggybacking better than a standard locked door.

Step 5: Practice detection placement reasoning
Review Topic 2.4 and work through placement scenarios: where would you put cameras, motion sensors, and locks in a described building layout and why? Use the practice questions available for this unit to test your reasoning on detection and placement problems.

Frequently Asked Questions

What topics are covered in AP Cyber Unit 2?

AP Cyber Unit 2: Securing Spaces covers 4 topics: 2.1 Cyber Foundations, 2.2 Physical Vulnerabilities and Attacks, 2.3 Protecting Physical Spaces, and 2.4 Detecting Physical Attacks. The unit builds adversarial thinking by focusing on how physical access to a device can bypass technical controls, and how to select and place security devices to stop it. See everything organized at /ap-cybersecurity/unit-2.

What's on the AP Cyber Unit 2 progress check (MCQ and FRQ)?

The AP Cyber Unit 2 progress check pulls questions from all four unit topics: Cyber Foundations, Physical Vulnerabilities and Attacks, Protecting Physical Spaces, and Detecting Physical Attacks. The MCQ portion tests recognition of attack types and mitigation strategies. The FRQ portion asks you to analyze a physical scenario, identify vulnerabilities, and justify security device placement. For matched practice questions that mirror the progress check format, visit /ap-cybersecurity/unit-2.

How do I practice AP Cyber Unit 2 FRQs?

AP Cyber Unit 2 FRQs typically draw from Physical Vulnerabilities and Attacks (2.2), Protecting Physical Spaces (2.3), and Detecting Physical Attacks (2.4). These questions give you a physical location scenario and ask you to identify threats, select appropriate security devices, and explain placement decisions. Practice by writing out your reasoning step by step, then checking whether you named a specific vulnerability, a specific mitigation, and a justification. Find practice prompts and worked examples at /ap-cybersecurity/unit-2.

Where can I find AP Cyber Unit 2 practice questions?

The best place to find AP Cyber Unit 2 practice questions, including multiple-choice and practice test sets, is /ap-cybersecurity/unit-2. That page has MCQs covering all 4 topics: Cyber Foundations, Physical Vulnerabilities and Attacks, Protecting Physical Spaces, and Detecting Physical Attacks. Working through unit-specific MCQs before a full practice test helps you lock in the physical security concepts before mixing them with other units.

How should I study AP Cyber Unit 2?

Start with topic 2.1 Cyber Foundations to get the vocabulary straight, then move through 2.2 Physical Vulnerabilities and Attacks so you can name specific attack types. From there, study 2.3 Protecting Physical Spaces and 2.4 Detecting Physical Attacks together, since they pair threat identification with the right countermeasures. A strong study habit for this unit is sketching a physical floor plan and labeling where each attack could happen and which device would stop or detect it. That kind of scenario practice is exactly what the FRQ asks you to do. Organized study materials for all four topics are at /ap-cybersecurity/unit-2.
