🔒AP Cybersecurity Unit 2 Review
2.3 Protecting Physical Spaces

Written by the Fiveable Content Team • Last updated June 2026
Verified for the 2027 exam

TLDR

Protecting physical spaces means using two kinds of defenses: managerial controls (training and written policies that shape how people behave) and physical controls (fences, locks, card readers, vestibules, UPS units, and more that stop or slow an adversary). The goal is to keep attackers away from devices and data in the first place, because physical access often lets an adversary bypass technical protections like firewalls and encryption.


Why This Matters for the AP Cybersecurity Exam

AP Cybersecurity builds your adversarial thinking, and physical security is where you practice it on something concrete. For this topic you should be able to identify managerial controls (security awareness training and workstation security policies) and recommend mitigation strategies for physical vulnerabilities.

The thinking pattern matters as much as the list of controls. When you look at a vulnerability, you decide how an adversary could exploit it and whether a control would prevent, detect, or correct the attack. You also weigh how serious the risk is against how much the mitigation costs. That prevent/detect/correct lens and that cost-versus-risk judgment carry through the rest of the course, so getting comfortable with it here pays off later.

Key Takeaways

  • Managerial controls are policies and training, not hardware. The two to know are security awareness training and the workstation security policy.
  • Security awareness training teaches employees to detect social engineering like phishing, to avoid badging others into restricted areas, and to prevent device theft.
  • A workstation security policy can have tiers based on data sensitivity and often requires locking devices, a clean desk, privacy screen filters, and surge protectors or a UPS.
  • Physical mitigations include fencing, gates, and bollards (deterrence), locks on doors, cabinets, and computers, card readers, access control vestibules and turnstiles, disabling USB ports, and power backups.
  • A UPS gives a device short-term battery power; a power generator keeps a whole building or set of critical systems running through longer outages.
  • Organizations prioritize controls by weighing the severity of the risk against the cost of the mitigation.

Managerial Controls for Physical Security

Managerial controls are the policies, rules, and training programs an organization puts in place to guide how people behave. They do not involve hardware or code. They shape habits. Two big ones show up here: security awareness training and workstation security policies.

Employee Security Awareness Training

People are often the weakest link in physical security. A locked door does not help if an employee holds it open for a stranger carrying coffee. That is why organizations run regular security awareness training to teach employees what to watch for and how to act.

Training usually covers three behaviors:

  • Detecting social engineering attempts like phishing. Social engineering is when an attacker tricks a person into giving up access or information. Phishing emails (fake messages pretending to be from your bank, IT department, or boss) are the most common version. Training helps employees spot red flags like urgent language, odd sender addresses, and suspicious links.
  • Not badging other people into restricted areas. This is sometimes called tailgating or piggybacking, where someone follows you through a secure door before it closes, often acting friendly or carrying a box so you feel rude stopping them. Training reinforces that every person needs to badge in themselves.
  • Preventing device theft. Laptops, phones, and external drives go missing from coffee shops, conference rooms, and unattended desks. Employees learn to lock devices away, use cable locks, and never leave equipment in a car.

The point of training is to make secure behavior automatic, so a receptionist actually questions the "delivery person" who cannot produce an ID.

Workstation Security Policy

A workstation security policy is a written set of rules that spells out how employees must protect their physical work area. Not every desk needs the same level of protection. A cashier's register handles different data than a doctor's terminal pulling up patient records, so policies often have tiers based on the type of data handled at a workstation.

Common requirements include:

  • Locking devices before walking away. Locking your screen takes one second and stops anyone from sitting down at your computer while you grab lunch.
  • Clean desk policy. Before leaving the workstation, employees clear away sensitive documents, sticky notes with passwords, USB drives, and anything else an attacker could photograph or pocket. Confidential material goes in a locked drawer or shredder.
  • Privacy screen filters. These are thin overlays that make a monitor look black unless you are sitting directly in front of it. They block shoulder surfing, which is when someone glances at your screen from the side to steal information. Useful on planes, in open offices, and at reception desks.
  • Surge protectors and UPS units. Connecting devices to a surge protector prevents damage from power spikes. A UPS goes further by providing battery backup, which keeps the machine running through short outages. More on UPS below.

Mitigation Strategies for Physical Vulnerabilities

When a cyber defender looks at a physical vulnerability, they work through a simple thought process: how could an adversary exploit this, and what control could prevent, detect, or correct the attack? Prevent stops it from happening, detect catches it while or after it happens, and correct fixes the damage. Most real-world setups layer all three.

The controls below are the ones to know.

Perimeter Controls: Fencing, Gates, and Bollards

Before an attacker can touch a building, they have to get near it. Outer-layer controls slow them down or push them away.

  • Fencing marks the boundary of the property and forces intruders to climb or cut through.
  • Gates control vehicle and foot traffic at entry points, often with a guard or badge reader.
  • Bollards are short, sturdy posts you see in front of storefronts and government buildings. They stop a vehicle from being driven through the front wall, which is a real concern for data centers and similar facilities.

These mostly work as deterrents. A determined attacker can climb a fence, but most will not bother if an easier target exists nearby.

Locks on Doors, Cabinets, and Computers

Locks are the classic preventive control. They show up in three places that matter:

  • Door locks keep people out of rooms they should not enter, like server closets, network equipment rooms, and executive offices.
  • Server cabinet locks protect the racks of servers themselves. Even if someone gets into the server room, a locked cabinet stops them from pulling a hard drive.
  • Computer locks include cable locks (a metal cable that tethers a laptop to a desk) and locking ports that physically block jacks.

Card Readers

A card reader is the badge scanner mounted next to a secure door. Employees tap or swipe their badge, the reader checks if that badge has permission, and the door unlocks if it does. Card readers matter for two reasons:

  1. They deny access to unauthorized badges. A stolen or expired badge stops working as soon as it is disabled in the system.
  2. They create a record of which badge entered which door at what time. If something is stolen from the server room at 2 a.m., the access log shows whose badge was used, which helps an investigation.
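Both jobs of a card reader, the permission check and the access record, in one small simulation. This is an added example, not code from Fiveable or from any badge system; the badge roster, door names and log entries are constructed, and the 07:00 to 19:00 business hours are an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, time

# Constructed badge roster (not real data): badge id -> (holder, active?, doors allowed)
BADGES = {
    "B1001": ("A. Rivera", True, {"lobby", "server-room"}),
    "B1002": ("J. Chen", True, {"lobby"}),
    "B1003": ("former employee", False, {"lobby", "server-room"}),  # disabled in the system
}

@dataclass
class AccessEvent:
    when: datetime
    badge: str
    door: str
    granted: bool
    reason: str

def reader_decision(badge: str, door: str, when: datetime, log: list) -> bool:
    """Simulate the card reader's check: deny unknown, disabled, or unauthorised
    badges, and record every attempt (granted or denied) in the access log."""
    entry = BADGES.get(badge)
    if entry is None:
        granted, reason = False, "unknown badge"
    elif not entry[1]:
        granted, reason = False, "badge disabled"
    elif door not in entry[2]:
        granted, reason = False, "no permission for door"
    else:
        granted, reason = True, "ok"
    log.append(AccessEvent(when, badge, door, granted, reason))
    return granted

def who_entered(log: list, door: str, start: str, end: str) -> list:
    """Investigation query: badges granted entry to a door inside an ISO time window."""
    lo, hi = datetime.fromisoformat(start), datetime.fromisoformat(end)
    return [(e.when.isoformat(timespec="minutes"), e.badge, BADGES[e.badge][0])
            for e in log if e.granted and e.door == door and lo <= e.when <= hi]

def after_hours_events(log: list, opens=time(7, 0), closes=time(19, 0)) -> list:
    """Detection: every attempt, granted or denied, outside business hours (assumed 07:00-19:00)."""
    return [e for e in log if not (opens <= e.when.time() <= closes)]

def build_sample_log() -> list:
    """Replay four constructed badge attempts on one day and return the log."""
    log = []
    day = datetime(2026, 3, 10)
    reader_decision("B1003", "server-room", day.replace(hour=1, minute=50), log)  # disabled badge
    reader_decision("B1001", "server-room", day.replace(hour=2, minute=5), log)   # granted, 2 a.m.
    reader_decision("B1002", "lobby", day.replace(hour=8, minute=55), log)
    reader_decision("B1002", "server-room", day.replace(hour=14, minute=10), log) # no permission
    return log

if __name__ == "__main__":
    log = build_sample_log()
    for e in after_hours_events(log):
        print("after hours:", e)
    print("entered server room 01:30-02:30:",
          who_entered(log, "server-room", "2026-03-10T01:30", "2026-03-10T02:30"))
```

Denied attempts are logged too, because a disabled badge being tried at the server room at 01:50 is itself worth investigating.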

Access Control Vestibules and Turnstiles

These two controls solve the tailgating problem.

An access control vestibule is a small space with two doors. You badge in through the first door, it closes behind you, and only then does the second door unlock. Because only one person fits comfortably, it is hard to sneak someone in behind you.

A turnstile is the rotating arm or full-height gate you might see in transit stations or office lobbies. It lets one person through per badge swipe.

Both stop an authorized person from accidentally or intentionally letting an unauthorized person tag along into a restricted area.
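The interlock rule for a vestibule ("the first door closes, only then does the second door unlock") written as a small state machine. This is an added example, not code from the study guide or from any real door controller; the badge roster is constructed, and the occupancy sensor that refuses to admit two people on one badge is an assumption beyond what the text states.

```python
class AccessControlVestibule:
    """Two-door interlock: a door may unlock only while the other one is closed,
    and the inner door admits one person per accepted badge."""

    def __init__(self, authorised_badges):
        self.authorised = set(authorised_badges)   # constructed roster
        self.open_door = None       # "outer", "inner", or None when both are closed
        self.pending_badge = None   # badge accepted at the outer door, not yet admitted
        self.admitted = []          # badges that made it into the restricted area
        self.alarms = []            # interlock or occupancy violations

    def badge_outer(self, badge: str) -> bool:
        """Outer reader: accept a known badge only when both doors are closed."""
        if badge not in self.authorised or self.open_door is not None:
            return False
        self.open_door, self.pending_badge = "outer", badge
        return True

    def close_door(self) -> None:
        self.open_door = None

    def unlock_inner(self, occupancy: int = 1) -> bool:
        """Inner door: refuse while the outer door is still open, when nobody has
        badged in, or when the (assumed) occupancy sensor sees more than one person."""
        if self.open_door is not None or self.pending_badge is None:
            return False
        if occupancy != 1:
            self.alarms.append((self.pending_badge, f"occupancy={occupancy}"))
            self.pending_badge = None   # badge holder has to go back out and retry alone
            return False
        self.open_door = "inner"
        self.admitted.append(self.pending_badge)
        self.pending_badge = None
        return True

def run_scenarios() -> dict:
    """Walk one authorised badge through a normal entry, then a tailgating attempt."""
    v = AccessControlVestibule({"B1001"})
    ok_badge = v.badge_outer("B1001")
    early = v.unlock_inner()          # outer door still open: interlock refuses
    v.close_door()
    normal = v.unlock_inner()         # outer closed, badge pending: admitted
    v.close_door()
    v.badge_outer("B1001")
    v.close_door()
    tailgate = v.unlock_inner(occupancy=2)   # two people, one badge: refused and alarmed
    unknown = v.badge_outer("B4242")         # badge not in the roster
    return {"ok_badge": ok_badge, "early": early, "normal": normal,
            "tailgate": tailgate, "unknown": unknown,
            "admitted": list(v.admitted), "alarms": list(v.alarms)}

if __name__ == "__main__":
    print(run_scenarios())
```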

Disabling USB Ports

USB ports are a large attack surface. A bad actor can plug in a flash drive loaded with malware. Many organizations disable USB ports through system settings, or physically block them with port blockers, so external drives cannot load malware onto a computer. Employees who need to transfer files use approved methods instead.

Uninterruptible Power Supplies and Generators

Power loss is a physical threat too. A sudden outage can corrupt data, crash servers mid-transaction, and lock employees out of systems during an emergency, which is exactly when an attacker might strike.

  • An uninterruptible power supply (UPS) is a battery backup that sits between the wall outlet and a device. When power cuts out, the UPS keeps the device running long enough to save work and shut down properly.
  • Power generators scale this up to a whole building or set of critical systems and can keep things running for longer outages.

The difference: a UPS buys you minutes, a generator buys you longer. Many serious facilities use both, with the UPS bridging the gap until the generator starts.

Prioritizing Which Controls to Implement

Organizations cannot afford every control everywhere. They make choices by weighing two things: the severity of the risk and the cost of the mitigation.

A small dental office probably does not need bollards and a vestibule. The risk of a vehicle ramming the front door is low, and the cost of bollards is high relative to the office's budget. That same office does need door locks, a clean desk policy, and a UPS on the computer holding patient records, because the risk to patient data is high and those controls are cheap.

A large data center is the opposite. The data is critical, the threats are sophisticated, and the budget is larger, so fencing, bollards, vestibules, card readers, disabled USB ports, and generators can all be worth it.

The general rule: match the mitigation to the risk. Spend more to protect high-value assets, and avoid overspending on overkill controls for low-risk situations. This balancing act is what cybersecurity professionals do when they design a physical security plan.

How to Use This on the AP Cybersecurity Exam

Identifying Controls

Be ready to tell managerial controls apart from physical controls. If a question describes a written rule or a training program, that is a managerial control (security awareness training, workstation security policy). If it describes hardware or equipment, that is physical (fence, bollard, lock, card reader, vestibule, turnstile, UPS, generator, disabled USB port).

Matching a Mitigation to a Vulnerability

When a scenario hands you a vulnerability, run the prevent/detect/correct check. Ask how an adversary would exploit the weakness, then pick a control that fits. A few quick links to remember:

  • Tailgating into a restricted area: access control vestibule or turnstile, plus training on not badging others in.
  • Stolen laptop or drive: cable locks, locked cabinets, theft-prevention training.
  • Malware from a flash drive: disable USB ports.
  • Power outage that could corrupt data: UPS for a device, generator for a building.
  • Shoulder surfing: privacy screen filter.
  • Knowing who accessed a door and when: card reader logs.

Common Trap

Watch for questions that ask you to balance cost against risk. The "best" control is not always the strongest one. The best answer matches the severity of the risk to a reasonable cost, so an expensive control protecting low-value, low-risk assets is usually the wrong choice.

Common Misconceptions

  • Physical security is separate from cybersecurity. It is a core layer. If an adversary gains physical access to a device, they can often bypass firewalls, passwords, and encryption, so the physical layer protects everything built on top of it.
  • Managerial controls and physical controls are the same. Managerial controls are policies and training that shape behavior. Physical controls are hardware. Training employees not to tailgate is managerial; installing a vestibule is physical.
  • A UPS and a generator do the same job. A UPS provides short-term battery power to a device. A generator supplies power at a larger scale to a building or set of critical devices for longer outages. Many facilities use both.
  • More controls always mean better security. Organizations prioritize based on the severity of the risk and the cost of the mitigation, so the right answer can be fewer, well-chosen controls rather than every possible one.
  • Card readers only lock doors. They also deny unauthorized badges and create a log of who entered where and when, which is valuable for investigations.
  • A clean desk policy is just about being tidy. It removes sensitive documents, passwords, and drives that an adversary could photograph or steal when a workstation is unattended.

Vocabulary

The following words are mentioned explicitly in the AP® course framework for this topic.

  • access control vestibules: Secure entryways with multiple doors that prevent unauthorized individuals from entering a restricted area by ensuring only one door opens at a time.
  • adversary: An individual or entity that attempts to exploit vulnerabilities in systems, applications, or data to cause harm, steal information, or disrupt operations.
  • badging: The practice of using access credentials or badges to enter restricted areas; unauthorized badging refers to allowing others to enter without their own credentials.
  • bollards: Short, sturdy posts installed around a building to prevent vehicles from accessing restricted areas and deter physical attacks.
  • card readers: Devices that read employee badges to control access, record entry times, and deny access to unauthorized individuals.
  • clean desk policy: A security practice requiring employees to remove sensitive documents and materials from their workstations before leaving them unattended.
  • device theft: The unauthorized taking of computing devices or equipment that may contain sensitive organizational or personal data.
  • employee badges: Credentials used to identify authorized personnel and grant them access to restricted areas.
  • employee security awareness training: Educational programs that teach employees how to recognize security threats and contribute to organizational security through proper practices.
  • fencing: A physical barrier installed around a building to deter unauthorized access and control entry points.
  • gates: Controlled entry points in physical barriers that can be opened or closed to regulate access to a facility.
  • lock: Physical security devices that prevent unauthorized access to doors, server cabinets, and computers.
  • managerial controls: Security measures that provide rules, guidelines, policies, and procedures to specify what security should be in place, including password policies and incident response plans.
  • mitigation strategies: Actions and controls implemented to reduce, prevent, or manage the impact of security risks and vulnerabilities.
  • phishing: A social engineering attack that uses deceptive communications (typically emails) to trick users into revealing sensitive information or credentials.
  • physical security: Measures and controls designed to protect physical spaces, assets, and facilities from unauthorized access and threats.
  • physical vulnerabilities: Weaknesses in physical security that allow unauthorized access to devices, systems, or sensitive information in physical spaces.
  • power generators: Large-scale backup power systems that provide electricity to buildings or critical devices during power outages.
  • privacy screen filter: A physical barrier or filter applied to a display screen to prevent unauthorized viewing of information from angles other than directly in front of the screen.
  • security control: Measures or safeguards implemented to reduce the likelihood or impact of a risk.
  • social engineering attacks: Attacks that employ psychological tactics to manipulate users into revealing sensitive information, downloading malicious files, or clicking on malicious links.
  • surge protector: A device that protects electronic equipment from voltage spikes and power surges that could damage or destroy the devices.
  • turnstiles: Physical barriers that allow only one person to pass through at a time, preventing unauthorized individuals from following authorized personnel into restricted areas.
  • uninterruptible power supply: A backup power system that provides emergency power to devices during power outages to prevent data loss and allow safe shutdown.
  • uninterruptible power supply (UPS): A backup power source that provides electricity to devices during a power outage to maintain system operation.
  • USB ports: Connection points on computers that can be disabled to prevent external drives from being connected and loading malware.
  • vulnerability: Weaknesses or flaws in systems, applications, or configurations that can be exploited by attackers to compromise security.
  • workstation security policy: An organizational policy that establishes measures and requirements to protect physical workplaces and the devices and information located there.

Frequently Asked Questions

What is the difference between managerial and physical controls in AP Cybersecurity 2.3?

Managerial controls are policies and training programs that shape how employees behave, such as security awareness training and workstation security policies. Physical controls are hardware-based measures like locks, fencing, card readers, and UPS units that physically restrict or deter access to devices and spaces.

What is an access control vestibule and why is it used?

An access control vestibule is a small entry space with two doors where the first door must close before the second one unlocks, allowing only one person through at a time. It prevents tailgating, which is when an unauthorized person follows an authorized employee into a restricted area.

What does a UPS do in cybersecurity and how is it different from a power generator?

An uninterruptible power supply (UPS) provides short-term battery backup to keep an individual device running through a brief power outage, giving users time to save work and shut down safely. A power generator operates at a larger scale, supplying power to a whole building or set of critical systems during longer outages.

What is a clean desk policy in AP Cybersecurity?

A clean desk policy requires employees to clear sensitive documents, removable drives, and other confidential materials from their workstation before leaving it unattended. It is part of a workstation security policy and helps prevent unauthorized individuals from viewing or taking sensitive information.

How do organizations decide which physical security controls to implement?

Organizations weigh the severity of each risk against the cost of the mitigation, prioritizing controls that protect high-value assets where the threat is most serious. A control that is expensive relative to the risk it addresses is generally not the best choice, so the goal is to match the strength of the mitigation to the actual level of risk.
