PY103.16 - PHYSICAL SECURITY MEASURES
Actual Exam 2026/2027: Comprehensive Questions with Multiple Choices | Verified & Revised Answers – Pass Guaranteed - A+ Graded
Section 1: Physical Security Principles & Risk Assessment (10 Questions)
Q1: Which principle of Crime Prevention Through Environmental Design (CPTED) involves
designing spaces to clearly define ownership and separate public from private areas?
A. Natural surveillance
B. Territorial reinforcement
C. Natural access control
D. Maintenance
Correct Answer: B [CORRECT]
Rationale: Territorial reinforcement uses physical design elements—fencing, landscaping,
signage, lighting, pavement changes—to clearly delineate ownership boundaries and create
psychological ownership. This discourages trespassing by making private spaces obvious.
Natural surveillance (A) enables observation; natural access control (C) guides movement;
maintenance (D) shows care and vigilance. Together, these four CPTED principles create
environments where crime is less likely to occur. ASIS International and the National Crime
Prevention Institute emphasize CPTED as foundational to modern physical security planning.
Q2: In the security risk assessment formula Risk = Threat × Vulnerability × Consequence, what
does "Consequence" represent?
A. The probability of an attack occurring
B. The severity of impact if the threat successfully exploits the vulnerability—measured in terms
of loss of life, economic impact, operational disruption, or reputational damage
C. The effectiveness of existing security measures
D. The frequency of security patrols
Correct Answer: B [CORRECT]
Rationale: The risk formula (also expressed as R = T × V × C or R = T × V × I, where I =
Impact) quantifies security risk. Consequence (or Criticality/Impact) represents the magnitude of
adverse effects if an event occurs—casualties, financial loss, business continuity disruption,
regulatory penalties, or reputation harm. This is distinct from threat (intent and capability of
adversary) and vulnerability (weakness that could be exploited). Understanding all three
components allows proportional security investment. FEMA's Risk Assessment methodology
and ASIS standards require consequence analysis for critical infrastructure protection.
Q3: A facility is conducting a security survey. Which activity is part of the vulnerability
assessment phase?
A. Determining the organization's marketing strategy
B. Identifying weaknesses in physical protection systems, operational procedures, and personnel
practices that could be exploited by identified threats
C. Setting employee salary levels
D. Designing product packaging
Correct Answer: B [CORRECT]
Rationale: The vulnerability assessment systematically examines: physical security systems
(barriers, access control, detection); operational procedures (protocols, supervision,
maintenance); and personnel factors (training, awareness, screening) to identify exploitable
weaknesses. This follows threat identification and precedes risk determination and
countermeasure selection. Marketing (A), salaries (C), and packaging (D) are unrelated to
security assessment. The security survey process—planning, field survey, documentation,
analysis, and recommendations—is codified in ASIS Security Survey Guidelines and FEMA 452
(Risk Assessment for Commercial Buildings).
Q4: Which concept describes a security architecture that employs multiple layers of protective
measures so that if one layer is breached, others remain to prevent or delay adversary progress?
A. Single-point protection
B. Security in depth (layered defense)
C. Perimeter-only security
D. Open architecture
Correct Answer: B [CORRECT]
Rationale: Security in depth (defense in depth) creates concentric protective layers: outer
perimeter (property line); inner perimeter (building envelope); and interior spaces (rooms, vaults,
containers). Each layer provides deterrence, detection, delay, and response opportunities. This
approach recognizes no single control is perfect and delays adversaries long enough for response
forces to intervene. Single-point protection (A) creates catastrophic failure risk; perimeter-only
(C) ignores interior threats; open architecture (D) is an IT concept, not physical security. Military
and nuclear security extensively use layered defense; commercial applications adapt this to
proportional risk levels.
Q5: Which of the following is NOT one of the four Ds of physical security?
A. Deterrence
B. Detection
C. Documentation
D. Delay
Correct Answer: C [CORRECT]
Rationale: The classic four Ds of physical security are: Deterrence (discourage attempted
intrusion); Detection (identify intrusion attempts); Delay (slow adversary progress); and
Response (interdict adversary or mitigate consequences). Documentation (C), while important
for incident management and legal purposes, is not one of the core functional objectives. These
four Ds guide security system design—effective physical security requires all four working in
concert. Deterrence without detection creates false confidence; detection without delay or
response merely documents failure; delay without response is futile.
Q6: [Security Scenario] A corporate headquarters is located in an area with moderate crime,
houses sensitive intellectual property, and has experienced two attempted break-ins in the past
year. Using the risk assessment methodology, which factor should most influence the security
countermeasure budget allocation?
A. The company's stock price
B. The criticality of assets (intellectual property value), combined threat-vulnerability analysis
showing demonstrated adversary interest, and potential business impact of successful intrusion
C. The CEO's personal preferences for security aesthetics
D. The color scheme of the building exterior
Correct Answer: B [CORRECT]
Rationale: Risk-based security investment requires: asset valuation (what needs protection);
threat assessment (who might attack, with what capabilities, and their intent); vulnerability
analysis (weaknesses that could be exploited); and consequence evaluation (impact of successful
attack). The attempted break-ins demonstrate actual threat activity; intellectual property
represents high-value assets; and business impact includes competitive disadvantage, regulatory
issues, and reputational harm. Stock price (A) is volatile and unrelated; CEO preferences (C)
should inform but not override risk analysis; color scheme (D) is irrelevant. ASIS standards
emphasize quantitative and qualitative risk analysis for justifying security expenditures.
Q7: Which CPTED principle is demonstrated by placing windows facing parking areas and
walkways to enable occupants and passersby to observe activity?
A. Natural access control
B. Natural surveillance
C. Territorial reinforcement
D. Maintenance
Correct Answer: B [CORRECT]
Rationale: Natural surveillance increases visibility of potential offenders by designing spaces to
maximize legitimate observation opportunities—windows overlooking spaces, lighting
eliminating shadows, landscaping maintaining sightlines, and activity generators bringing "eyes
on the street." This creates informal social control and increases perceived risk for potential
offenders. Access control (A) guides movement; territoriality (C) defines ownership;
maintenance (D) shows care. Research by Jane Jacobs, Oscar Newman (defensible space), and
subsequent CPTED practitioners demonstrates that natural surveillance is among the most
effective crime prevention strategies.
Q8: In security planning, the "criticality analysis" component of risk assessment prioritizes
assets based on:
A. Their physical size and weight
B. Their value to organizational mission and the impact of their loss—operational, financial,
regulatory, and reputational consequences
C. Their color and appearance
D. Their age and depreciation schedule
Correct Answer: B [CORRECT]
Rationale: Criticality analysis evaluates assets' importance to organizational mission continuity
and the severity of consequences if compromised. This includes: operational impact (can the
organization function?); financial impact (direct loss, recovery costs, liability); regulatory impact
(compliance violations, penalties); and reputational impact (customer trust, brand value). This
prioritization ensures proportional protection—highest criticality assets receive strongest
protection within budget constraints. Physical characteristics (A, C) and accounting values (D)
don't reflect true security significance. FEMA's Threat and Hazard Identification and Risk