ASIS ASIS-PSP Physical Security Professional (PSP) Exam Exam Practice Test

Magnetometers, used in security screening for detecting metallic objects, typically operate using two main methods:

Continuous-wave: Emits a constant electromagnetic field to detect disruptions caused by metal.

Pulsed-field: Emits bursts of energy and analyzes the return signals to identify metal objects.

These methods allow both walk-through and handheld devices to detect ferrous and non-ferrous metals.

A, C, and D include terms not applicable to standard magnetometer operation.

Business continuity involves two core stages:

Business Recovery – restoring critical business functions quickly after a disruption.

Business Resumption – full restoration of all business operations to normal levels over the long term.

This sequence ensures operational stability in the short term and complete restoration in the long term.

Risk avoidance means eliminating a threat entirely by discontinuing the activity or removing the condition that creates the risk. For example, if transporting valuable goods through a high-risk area poses too much danger, a company might choose to stop shipments through that route altogether.

References from PSP: Risk Treatment Options – ASIS POA; PSP Study Guide – Security Strategy Planning

In loss prevention, the “common denominator” refers to a recurring factor or condition that presents an opportunity for theft, such as lack of supervision, poorly designed procedures, or inadequate physical security. Identifying and addressing these common denominators can significantly reduce incidents of pilferage or loss.

Low deterrence (A) is a result, not a proactive factor.

Confusion (B) may contribute but isn’t the primary concept here.

Reduced pilfering (D) is an outcome, not an ingredient.

Material Safety Data Sheets (MSDS), now referred to as Safety Data Sheets (SDS) under the Globally Harmonized System (GHS), provide detailed information about chemicals, including hazards, handling procedures, and emergency measures. OSHA regulations require employers to maintain these sheets for all hazardous substances in the workplace.

Asset Standard Act (A), Procurement Asset Safety Program (C), and Product Stability Program (D) are not applicable to this requirement.

A pre-bid conference allows all prospective bidders to gain a clear and consistent understanding of the project requirements, including walkthroughs of affected facilities. This helps ensure uniformity in bid proposals and reduces ambiguity or scope misinterpretation.

A (Engineering evaluation) is internal and technical.

C (Invitation for bid) is a document, not an event.

D (Procurement meeting) is not a standard pre-bid process phase.

Fidelity bonds specifically cover losses resulting from dishonest acts committed by employees, such as theft, fraud, or embezzlement. These are commonly used in financial institutions and other sectors where employees handle cash or sensitive assets.

The accounting or finance department typically has oversight of all monetary assets, including cash flow, budgets, payroll, and financial reporting. This central role makes it particularly vulnerable to internal fraud, embezzlement, and cybercrime. Security measures here often include both physical controls and procedural checks (e.g., audits, access controls, separation of duties).

References from PSP: Organizational Vulnerability – ASIS POA; PSP Study Guide – Internal Threats and Crime Risks

A guiding principle of business continuity planning is flexibility. While the plan provides structure and direction, every crisis is unique and may require adjustments. A rigid plan may fail if it doesn ' t account for variables in real-time conditions, making adaptability a critical success factor.

A (remote site capability) may be included, but it is not a universal requirement.

C is unrealistic—it ' s not feasible to have complete instructions for every possible scenario.

D (outline format) is too minimalistic and reactive rather than proactive.

The Edison Electric Institute, in collaboration with the North American Electric Reliability Council (NERC) and the Department of Energy (DOE), developed security guidelines for the protection of the electrical grid. One of the primary components of these guidelines is performing a vulnerability/risk analysis to identify potential weaknesses and assess the impact of threats to the infrastructure.

While threat response and cyber scenarios are part of broader planning, vulnerability/risk analysis is a foundational element.

Emergency detection is important but not a specifically highlighted part of the referenced guidelines.

Insurance is not a substitute for a security program. It only compensates for loss after it occurs and does not prevent incidents. A comprehensive security program includes preventive measures such as access control, surveillance, personnel training, and emergency planning, which work in tandem with insurance as part of a broader risk management strategy.

References from PSP: ASIS POA – Insurance vs. Security Controls; PSP Study Guide – Prevention vs. Compensation

Comprehensive Detailed Explanation:

Nuisance alarm rate is a measure of system reliability and is calculated by tracking the number of false or unwanted alarms over a specified time. This metric is crucial for tuning sensor performance and reducing unnecessary responses.

A, B, and C provide insights but are not standard methods of calculating nuisance alarm rate.

The correct answer is A. Humans.

In the ASIS PSP Body of Knowledge, asset identification is part of Domain One: Physical Security Assessment, where the security professional must identify assets to determine their value, criticality, and loss impact. The PSP Body of Knowledge specifically includes knowledge of the nature and types of assets, including tangible and intangible assets.

A tangible asset is an asset that has a physical form or physical presence. Humans/people are tangible because they physically exist and can be directly protected through physical security measures such as access control, emergency response, life safety systems, barriers, screening, and security staffing.

The other choices are not the best examples of tangible assets:

B. Information is generally treated as an intangible asset, although it may be stored on physical media.

C. Reputation is an intangible organizational asset.

D. Trademarks are intellectual property and are intangible assets.

ASIS also describes the PSP credential as related to protecting an organization’s assets, including people, property, and information, which supports the classification of people/humans as a core asset in physical security.

Therefore, the correct answer is A. Humans.

Physical security refers to measures taken to protect personnel, equipment, and property from threats such as theft, vandalism, and natural disasters. This includes the use of locks, barriers, surveillance systems, access controls, and emergency response planning. It is a foundational element of organizational security strategy.

Among the listed options, asphalt has the lowest reflectance. CCTV performance depends on lighting and surface reflectivity.

Snow (A) has very high reflectance, sometimes exceeding 80%.

Sandy soil (B) and red bricks (D) reflect more light than asphalt.

Asphalt, being dark and non-reflective, absorbs more light, making it harder for cameras to capture detail unless well illuminated.

Comprehensive Detailed Explanation:

A security system acceptance test verifies that the system has been installed according to the design and is operating properly. This includes ensuring cameras are correctly aimed, focused, and provide the intended coverage and image quality. This practical verification is critical for performance validation.

B and C may be part of training or specific functionality checks but are not core acceptance test items.

D refers to reliability testing, which is separate from initial acceptance.

Security is increasingly recognized as a critical management function in global business operations. From protecting physical assets to ensuring the safety of personnel and intellectual property, security plays a vital role in risk mitigation and continuity planning. It integrates with other business areas such as compliance, human resources, and information technology.

The contingency fee in a bid package is typically set at 10% of the total project cost. This budgetary buffer accounts for unforeseen issues, changes, or risks that might arise during project execution. It is a standard practice in both construction and security system projects.

A (5%) may be insufficient.

C (15%) and D (20%) are considered excessive unless the project has high uncertainty.

Post orders are written instructions for security personnel detailing duties, responsibilities, and conduct at a specific post. These orders must clearly express the policies and expectations of the protected organization, ensuring alignment with security protocols and business objectives.

A (Reviewing shift log) is a task, not a policy directive.

C (Verbal instructions override written) contradicts best practice.

D (Policies of local authorities) may influence actions but do not replace enterprise policies in post orders.

Privacy invasion is a legal or ethical issue, not a type of insurance policy. Common types of insurance relevant to security include:

Fidelity Bonds: Cover losses due to employee dishonesty

Surety Bonds: Provide financial assurance that obligations will be fulfilled

3-D (Dishonesty, Disappearance, and Destruction) Policies: Provide broader coverage for internal and external crimes

Privacy-related issues may be addressed under cyber liability or data breach insurance but not as a standalone policy called “Privacy Invasion.”

Vicarious liability refers to an indirect legal responsibility held by an organization for the actions or omissions of its employees or agents. This is particularly relevant in the security industry when an enterprise employs or contracts security personnel. If those personnel cause harm or violate rights while performing their duties, the employer can be held liable—even if the employer did not directly engage in the act.

Strict (A) refers to liability without fault.

Negligence (B) is direct liability due to carelessness.

Loose (D) is not a recognized legal term.

Comparative fault, also known as comparative negligence, is a legal principle where the plaintiff’s own actions are taken into account when determining liability and awarding damages. If a person contributed to their own injury—e.g., by entering a restricted area—their compensation may be reduced proportionally to their share of fault.

Control tactics (A) and Defensive control (C) relate to use-of-force procedures, not legal doctrines.

Infrared sensors can function as both passive and active types:

Passive Infrared (PIR): Detects natural heat (infrared radiation) from people or animals.

Active Infrared: Emits infrared beams and detects interruptions in the beam (e.g., photoelectric sensors).

This dual use allows infrared to serve a variety of security applications.

A (Microwave) is strictly active.

C (Vibration) and D (Pressure) are passive only.

A contingent event is one that may or may not occur and is typically dependent on other conditions or events. In risk and continuity planning, a contingent event is considered in scenarios such as equipment failure, natural disasters, or cyberattacks. Preparing for such events is central to contingency planning.

Critical processes (B) are the operations needing continuity.

Conditional delegation (C) refers to assigning authority under specific conditions.

Emergency response (D) is the action taken, not the uncertain event itself.

Communism promotes state or collective ownership of property as a political and economic ideology. Radical Islam, while it may advocate for community-oriented economic practices (e.g., zakat, or almsgiving), does not follow the same foundational principles of property ownership as communism. The idea of " sharing property " in radical Islam is not analogous to " common property " in communism.

After a risk assessment is completed, the first step for a project manager is to create a concept design. This outlines the proposed system and supports budget justification and strategic alignment with management’s objectives. Gaining senior management buy-in is essential before progressing to detailed design or procurement.

A (RFI) may follow concept approval.

C (Construction documents) are created much later.

D (Implementation planning) is dependent on approved design and funding.

The critical detection point in a Physical Protection System (PPS) occurs when the remaining distance or time an adversary must cover before reaching the target exceeds the security response time. This ensures that detection happens early enough for responders to act and intervene before the attacker reaches the asset.

B and C refer to detection and interruption probabilities, which are important metrics but not the defining threshold for the critical detection point.

D (Remaining delay time) factors into the protection layers but does not define the detection threshold.

Low-pressure sodium (LPS) lamps emit a nearly monochromatic yellow light, which severely limits color rendition. This makes them unsuitable for CCTV surveillance where accurate color reproduction is needed. They are, however, energy efficient and used in some outdoor lighting applications where color accuracy is not critical.

B (Incandescent), C (Fluorescent), and D (Metal halide) all offer better color rendition than LPS lamps, with metal halide being the best for color fidelity.

An Uninterruptible Power Supply (UPS) is the best solution to immediately mitigate the risk of power loss in a computer. It provides backup power instantly upon power failure, allowing safe shutdown or continued operation for a limited period.

A (Surge protector) protects against voltage spikes but doesn’t provide backup power.

C (Emergency generator) has a startup delay and is more suitable for large systems.

D (Batteries) are components of a UPS, not a standalone mitigation.

Case law is the result of judicial decisions and precedents established through court interpretations of existing laws, whether based on common law (historical precedents from English law) or statutory law (laws passed by legislatures). It forms part of the legal framework in many jurisdictions and evolves through court rulings.

Criminal law (A) defines offenses and penalties.

Constitution law (D) governs foundational legal principles.

Offended suit (B) is not a recognized legal term.

The owner’s formal acceptance of a security system—usually after site acceptance testing—is the point at which the warranty period typically begins. From this moment, the vendor or contractor is responsible for addressing defects or performance issues as stipulated in the contract.

B and C (Phase II references) are not standard project stages.

D (Site acceptance testing) occurs before acceptance and warranty activation.

Organizational levels of terrorism are generally classified into:

Individual Terrorism (Lone-wolf actors)

Group Terrorism (Non-state groups like al-Qaeda, ISIS)

State Terrorism (When a state uses terror tactics on its own or others ' populations)

Modern terrorism refers more to the contemporary methods, tools, and global nature of terrorism—not a level of organization. Hence, it ' s not considered an " organizational level. "

Risk transfer refers to shifting the financial burden of potential losses from an organization to a third party, typically through insurance. By paying a premium, the company secures coverage that will compensate for specific losses, thereby reducing its own financial exposure.

References from PSP: ASIS POA – Risk Management and Insurance Strategies; PSP Study Manual – Financial Risk Treatment Options

Security input is most effective when introduced during the initial design phase of a facility. This allows for integration of security considerations into architectural planning, site layout, and system infrastructure before major design decisions are finalized.

A and B are too late in the process.

D (Concept presentation) is usually too early and conceptual for detailed security input.

A methodical examination in security management serves multiple purposes:

Identifying deviations from policies and procedures

Detecting vulnerabilities or loopholes

Improving operational effectiveness while maintaining or enhancing security

This approach is used in audits, inspections, and evaluations to enhance overall security posture without compromising performance.

References from PSP: ASIS POA – Security Audits and Evaluations; PSP Guide – Program Effectiveness and Risk Review

The first step in protecting a company and its assets is to conduct a threat and vulnerability analysis because it identifies potential risks and weaknesses that could impact the organization. In Human Resource and organizational security management, understanding threats such as theft, insider risks, or external attacks, along with vulnerabilities like poor training, weak procedures, or lack of controls, is essential before implementing any protective measures. This analysis provides the foundation for developing effective security strategies, policies, and employee awareness programs. Without first identifying what needs protection and where weaknesses exist, other steps such as cost analysis or business impact analysis may be ineffective or misdirected. Therefore, option C is correct because it establishes the baseline for informed decision-making and effective asset protection planning.

A network security policy defines the scope of security measures within an organization’s network. It sets the rules for behavior, outlines acceptable use, identifies protected resources, defines responses to security breaches, and lays out disciplinary measures for violations.

Physical security (A) focuses on tangible access control.

Forensic investigations (C) deal with post-incident evidence gathering.

Spam filtering (D) is a specific technical control, not a policy framework.

In video surveillance and lighting design, reflectance refers to how much light a surface reflects back to a camera. Surfaces with low reflectance absorb more light and appear darker, making visibility more challenging. Asphalt has the lowest reflectance among the listed options because it is a dark, dense material that absorbs most of the light rather than reflecting it. In contrast, snow-covered fields have very high reflectance, and sandy soil and brick surfaces reflect moderate amounts of light. From a Human Resource and workplace safety perspective, understanding surface reflectance is important when designing secure environments, as poor visibility can affect employee safety, monitoring effectiveness, and incident response. Proper lighting must compensate for low-reflectance surfaces like asphalt to ensure clear surveillance and maintain a safe and secure workplace.

In low-light surveillance conditions, a lower F-stop allows more light to pass through the camera lens and reach the image sensor. The F-stop measures the size of the lens opening, and the lower the number, the wider the aperture. A wider aperture improves image brightness and helps the camera produce clearer footage in dim environments. In organizational safety and Human Resource related security planning, proper camera performance is important because poor visibility can affect incident review, employee protection, and overall workplace monitoring. A higher F-stop reduces the amount of light entering the camera, which is less effective in low-light areas. Glass lens quality and iris type may influence performance, but they do not directly increase light intake as much as a lower F-stop. Therefore, option C is the correct answer.

Top of Form

Insurance companies provide coverage based on actuarial calculations that allow them to remain profitable. The total amount of premiums collected across all policyholders must exceed the total claims paid. Therefore, the estimated value of all losses across a pool of insured clients is generally less than or balanced with the total premiums collected, ensuring profitability and sustainability for the insurer.

References from PSP: ASIS POA – Insurance Principles and Economics; PSP Manual – Underwriting and Risk Pooling Concepts

Self-assumption of risk means the organization accepts the financial responsibility for certain risks without transferring them to an insurer. This may involve setting aside internal reserves or using other contingency planning methods to absorb potential losses.

References from PSP: ASIS POA – Risk Financing Techniques; PSP Guide – Self-Insured Risk Models

The most widely accepted classification of leadership skills includes:

Conceptual skills: Ability to think abstractly and see the " big picture "

Human relations skills: Interpersonal and communication capabilities

Technical skills: Expertise and proficiency in specific tasks

These skill sets are collectively known as the " skill mix " and are essential for effective security leadership.

Asset value in risk management is determined by considering criticality, ease of replacement, and some measure of value. Criticality refers to how important the asset is to organizational operations, including its impact on productivity, safety, and continuity. Ease of replacement evaluates how quickly and easily the asset can be restored or substituted if lost. The measure of value includes financial worth as well as operational or strategic importance. In Human Resource and organizational contexts, this is especially relevant when assessing both physical assets and human capital, as employee roles and skills may be difficult to replace and highly critical to operations. Original cost alone does not reflect true importance, making it less useful. Therefore, option D is correct because it includes the most relevant and comprehensive factors for determining asset value.

Security system maintenance specifications should ensure that updates and upgrades are formally included under a software maintenance agreement. This provides for continuous support, ensures compatibility with evolving platforms, and addresses security vulnerabilities.

A and C refer to warranty and product life, which may not include proactive updates.

B (Service level agreement) addresses performance metrics, not software specifically.

In risk assessment and security management, predictability refers to how likely it is that a person, group, or threat source will act in a certain way based on known patterns, intentions, or circumstances. This makes predictability mainly an indicator of behavior. In Human Resource and organizational risk contexts, behavior is an important factor because employee actions, workplace conduct, and responses to policies can often be anticipated from past patterns, attitudes, or warning signs. Understanding predictability helps organizations assess the likelihood of insider threats, misconduct, noncompliance, or other security-related actions. It is not primarily a measure of crisis deterrence, event history alone, or how effective countermeasures are. Instead, it focuses on the expected conduct of individuals or threat sources. Therefore, option A is the most accurate answer because predictability is fundamentally linked to behavior.

The multifactor approach examines terrorism through multiple dimensions, including psychological, sociological, ideological, and organizational factors. It analyzes how individuals are recruited, indoctrinated, and motivated within terrorist networks. This is key in understanding the behavioral patterns and lifecycle of a terrorist.

Physical barriers are designed to defend against three main penetration techniques:

Stealth: Unauthorized entry without detection.

Deception: Gaining access through trickery or impersonation.

Force: Physical breaching of barriers or using tools or vehicles to gain entry.

Security systems are designed to detect and delay each of these methods effectively.

A and B mix categories inaccurately.

C (Vehicle) is a tool/method of force, not a category on its own.

During a security survey, plan drawings provide the layout of a facility, showing the position of walls, doors, windows, corridors, and other structural elements. These drawings serve as the primary reference for determining the placement and coverage of security devices such as cameras, access control points, sensors, and alarms.

Elevation drawings depict vertical surfaces and are used primarily for understanding façade or wall-mounted equipment placement.

Details drawings provide component-level specifications but do not give the full spatial context.

Riser diagrams illustrate electrical or network paths vertically through a building and help with cabling but not with overall device location planning.

Plan drawings give a comprehensive, horizontal layout view, which is essential for surveyors to accurately locate and document all security devices in relation to the facility’s operational spaces, consistent with ASIS PSP guidance.

An electric strike allows for remote electrical locking and unlocking while still permitting free mechanical egress from the protected (inside) side of the door. This is essential for life safety and code compliance, especially in commercial and public buildings.

A (Vertical pin) is a mechanical lock component, not an electric device.

B (Electromagnetic) locks typically require power to release and may not allow mechanical egress without integration.

D (Delayed egress) restricts exit temporarily, which may violate free egress rules depending on application.

A change key is designed to operate a single specific lock within a keyed system and is typically assigned to an individual user for limited access. In key control systems, which are important in organizational and Human Resource security management, different key types are used to control access levels. A change key provides the lowest level of access, ensuring that employees can only enter authorized areas relevant to their roles. This supports accountability, reduces security risks, and helps enforce workplace policies. Options A and C describe functions of master or grand master keys, which open multiple locks. Option D refers to control or core keys used for lock maintenance. Proper use of change keys helps organizations maintain structured access control and protect assets, personnel, and sensitive areas effectively.

Multiplex systems allow multiple alarm signals to be transmitted over a single communication line. This significantly reduces the cost of leasing multiple phone lines while enhancing efficiency and providing a high level of security by encoding and validating data streams.

A (Circuit loop) is an older method using dedicated circuits.

C (Cellular) is wireless but may not always offer secure or low-cost options.

D (Dial-up) is cost-effective but offers limited security and speed.

Electronic Article Surveillance (EAS) systems are commonly used in retail environments to prevent theft. These systems often use VHF, microwave, or other radio frequencies to detect tagged merchandise. When someone attempts to exit the store without deactivating the tag, the system sets off an alarm.

A (Point-of-sale surveillance) involves video and transaction monitoring.

C (Dual detector) refers to motion detection in security systems.

D (Magnetometer) is used for metal detection, not retail theft prevention.

Credit reports not only reflect a person ' s financial condition (debts, credit utilization, bankruptcies), but also provide useful data such as past addresses and the names of previous employers. This auxiliary information is essential during background investigations and helps validate the accuracy of job applications.

Legal and compliance considerations apply; employers must follow fair credit reporting laws and obtain consent.

Private security functions are generally client-centered—focused on protecting the assets, people, and interests of a private entity or organization. In contrast, public law enforcement is tasked with serving the community at large, maintaining public order, and enforcing laws for societal benefit.

This fundamental difference in mission and orientation underpins many of the operational and strategic differences between the two sectors.

The planning phase of a security system project results in key deliverables such as stakeholder identification, project requirements, timelines (meeting schedules), and budget forecasts (cost estimates). These form the foundation for design and implementation.

B, C, and D include inputs or analysis components, but they are not final outputs of the planning phase.

Hold harmless clauses are contractual provisions that attempt to shift liability from one party to another—typically from the hiring organization to the contractor. However, under the principle of non-delegable duty, courts often do not honor these clauses when essential legal responsibilities (like ensuring public safety) are involved. This reinforces that certain legal obligations cannot be waived or outsourced.

Options A and B are not recognized legal phrases.

Comprehensive Detailed Explanation:

A cost-effective system integration design must balance the level of risk with the controls implemented to mitigate that risk. This balance ensures that resources are used efficiently while maintaining acceptable protection levels.

A, B, and C are relevant considerations, but only D represents the fundamental balance in security system design.

Security consultants are often retained to provide strategic input on staffing needs, policy design, and technology integration. Their advice helps organizations make informed decisions regarding the deployment of personnel, the structure of policies, and the selection of physical and electronic security systems.

Controlled areas are secure zones that restrict access to authorized personnel and vehicles only. These areas may include military zones, secure corporate facilities, or sensitive operational spaces where access control is enforced through badges, guards, surveillance, or barriers.

Terminal operations (A) refers to logistical or transportation hubs.

Surveillance (B) is a monitoring method, not a restricted area itself.

Total programs (C) is not a recognized security term.

In the PSP framework, a project specification outlines the technical and operational requirements of a security system. The specification defines what the system must achieve rather than simply its cost or component tolerances.

Performance expectations describe the desired outcomes, functionality, reliability, and operational standards that the installed system must meet.

Testing specifications and equipment tolerances support validation but are derived from the performance requirements.

Cost is a budgetary consideration and does not determine functional or operational requirements.

By clearly specifying performance expectations, security planners ensure that the system is designed and implemented to meet operational needs, provide measurable results, and comply with organizational standards, consistent with ASIS PSP guidance.

Quantitative analysis involves the use of numeric data to evaluate system performance. In Intrusion Detection Systems, metrics such as Probability of Detection (PD), False Alarm Rate (FAR), and Nuisance Alarm Rate (NAR) are used to objectively measure system effectiveness.

A and C are more subjective or observational.

B (Theoretical) implies modeling, not actual data evaluation.

Holography on ID badges provides a unique, hard-to-replicate visual feature that significantly reduces the chances of badge counterfeiting. Holograms are difficult to duplicate with standard printing technologies, thus enhancing the integrity of badge-based access control systems.

Theft (A) and Intrusion (C) are indirect risks that holography helps mitigate by reducing counterfeiting.

Security (D) is a broad concept rather than a specific risk being addressed.

The Salami Technique is a type of computer or financial fraud where small amounts of money are siphoned off from many transactions or accounts. These amounts are often so minor that they go unnoticed individually but accumulate into significant sums when aggregated. It’s often associated with insider fraud and manipulation of accounting or financial systems.

Manipulation technique (A) is a general term.

Auction planning (B) and Hostile applets (D) are unrelated concepts.

Observability refers to how easily an adversary can detect or notice a weakness in a system, process, or environment. In risk management and security concepts often applied within Human Resource and organizational safety frameworks, observability is directly linked to the visibility of vulnerabilities. If a vulnerability is highly observable, it means that it can be easily recognized by an external or internal threat actor. This recognition increases the likelihood that the weakness may later be exploited. However, observability itself does not involve exploiting or causing the vulnerability, but rather identifying its presence. HR policies and workplace controls aim to reduce observability by implementing safeguards, training, and awareness programs to ensure that sensitive weaknesses are not easily detected by unauthorized individuals.

Transportation terminals—such as airport cargo areas, seaports, and train yards—have implemented access controls that limit entry to underground or restricted zones. These security measures help prevent unauthorized access and protect critical infrastructure and high-value cargo.

Maritime operations (A) refer to port activities but not specifically to underground security.

Security measures (B) is too general.

Resealing (D) is not relevant to underground access control.

Under the pure comparative negligence approach, a plaintiff can recover damages even if they were primarily responsible for their own injury. For example, if the plaintiff was 90% at fault, they could still recover 10% of the damages from the defendant. This model allows for partial recovery based on proportional fault, regardless of the level of the plaintiff’s responsibility.

50/50 rule and 51 percent rule prevent recovery when the plaintiff is found equally or more at fault.

Business resumption refers to the long-term process (typically more than 60 days) of returning the organization to full, normal operations after a disruption. It follows the earlier stages of emergency response and business recovery and focuses on rebuilding systems and restoring service levels.

Business continuity (A) is a broader concept that includes all planning efforts.

Business recovery (B) focuses on short-term, interim operations.

Business healing (D) is not a formal term in continuity planning.

Telnet is a network protocol that allows users to connect to remote computers and access their resources, typically via command-line interface, assuming they have proper credentials. While outdated for secure applications (due to lack of encryption), it was widely used for remote access to systems.

Cabinet (A) and Telecom (C) are unrelated.

“None of the above” (D) is incorrect because Telnet is the correct protocol.

The correct answer is Capacitance.

Capacitive sensors detect changes in the electromagnetic field around a metallic object. When a metal container enters this field, it alters the capacitance, triggering an alarm or alert.

Photoelectric sensors rely on light interruption or reflection and are typically used for perimeter detection.

Sonic and ultrasonic sensors measure sound waves to detect motion or proximity but are not designed to sense metallic objects via electromagnetic fields.

Capacitive sensing is widely used in security for protecting safes, metal cabinets, and secured storage containers because it provides reliable detection of tampering or unauthorized entry into a defined magnetic field, consistent with ASIS PSP guidance on electronic intrusion detection.

Bid specifications are comprehensive documents that define the project ' s scope, including equipment requirements, installation standards, and ongoing maintenance services. They are essential for ensuring that contractors and suppliers provide consistent and comparable proposals.

Needs analysis (B) identifies security requirements but does not specify equipment or service contracts.

ROI and cost-benefit analysis (A and D) evaluate financial viability but don’t document specifications.

Comprehensive Detailed Explanation:

Identity theft is the act of obtaining and using someone else ' s personal or financial information—such as social security numbers, bank details, or credit card information—without permission, often for committing fraud or other criminal activities.

Identity fraud (A) refers to the actual fraudulent acts committed after the identity is stolen.

Identity dissemination (C) and Identity distortion (D) are not standard legal or cybersecurity terms.

Impressioning is a covert method used to create a working key for a lock without disassembly. It involves inserting a blank key into the lock and turning or jiggling it to create small marks where pins contact the blank, which are then filed down to form the correct cuts.

B (Rapping) and C (Bumping) are techniques to bypass a lock, not to create a key.

D (Decoding) involves analyzing key cuts visually or electronically but not physically producing a key directly.

Comprehensive Detailed Explanation:

The three primary and sequential functions of a Physical Protection System (PPS) are:

Detection – identifying unauthorized activity.

Delay – slowing intruder progress.

Response – intervening before asset compromise.

This layered approach ensures an opportunity to detect and intercept threats before they succeed.

A and D include " deterrence " or " prevention, " which are security goals but not primary PPS functions.

C lists valid concepts but omits the critical detection phase.

The actions described represent risk reduction because the organization is implementing measures to decrease the likelihood and impact of theft rather than eliminating the activity entirely. Moving the coat department, installing surveillance systems, using anti-theft tags, and limiting access to merchandise are all strategies that reduce vulnerability and deter potential offenders. In Human Resource and organizational management, risk reduction is a common approach that balances operational needs with security controls, allowing business activities to continue while minimizing threats. Risk avoidance would involve eliminating the activity altogether, such as no longer selling coats, while risk transfer would involve shifting responsibility, such as through insurance. Risk acceptance would mean taking no action. Therefore, option B is correct because the organization is actively reducing exposure to theft through multiple preventive measures.

Comprehensive Detailed Explanation:

During the planning phase of a physical protection system, key deliverables include:

Preliminary design: Conceptual plans showing system layout and strategy.

Drawings: Visual representations that help in communicating system intent and scope.

These work products set the foundation for detailed design and implementation.

A, B, and C include elements used later in the process (procurement, budgeting).

In biometric systems:

False Acceptance Rate (FAR) represents unauthorized access.

False Rejection Rate (FRR) represents inconvenience to legitimate users.

From a security perspective, a low FAR is more critical because it ensures that unauthorized individuals are not granted access. A higher FRR can be tolerated in high-security environments, as it affects convenience rather than security.

A (low/low) is ideal but harder to achieve.

C and D (high FAR) compromise security.

Floodlights are wide-beam lighting devices used to extend horizontal illumination across large areas, particularly along perimeter barriers. Their design makes them effective in lighting long stretches of fencing or property lines to deter and detect intruders. Unlike spotlights or search lights, floodlights disperse light broadly and evenly, reducing shadows and blind spots.

" Search lights " produce narrow beams for focused scanning.

" Perimeter lighting " is a general concept, not a specific lighting unit.

" Fresnel lenses " are components used in optics and are not lighting units.

The relationship between public law enforcement and private security has historically faced strain due to several key issues:

Perceived competition (A): Concerns over overlapping roles and professional rivalry.

Borderline responsibilities (B): Unclear jurisdiction or operational boundaries can lead to friction.

Moonlighting policies (C): Concerns about law enforcement officers working off-duty in private roles may create conflicts of interest.

All of these issues contribute to the strained relationship.

This definition matches the U.S. Department of State and ASIS definitions of terrorism. It highlights the political and psychological components of terrorism, including the targeting of civilians and the intent to instill fear or send a political message.

A virus is a type of malicious software that attaches itself to legitimate files and spreads when those files are executed.

A worm is a standalone malware program that replicates itself to spread to other computers without needing to attach to a host file.

A bug refers to an error or flaw in software, but in the context of this question (malicious instructions causing effects), it can contribute to vulnerabilities exploited by malware.

Since all these can involve sets of unwanted instructions leading to harmful effects, “All of the above” is the most accurate answer.

The Pass-Exchange System enhances security by requiring that the employee exchanges one pass for another at a control point before entering a more secure or restricted area. This ensures that access is tightly monitored and controlled on a zone-by-zone basis.

If stairwells are used regularly for inter-floor travel and permitted by local code, the best practice is to maintain both life safety and security. This can be done by installing approved access control devices (e.g., card readers) and two-way communication systems (intercoms) to manage access while allowing emergency use.

A (Fail-secure locks) could pose a safety risk in emergencies.

B (Unlocked doors) may violate building security policies.

C (Selective unlocking) is inconsistent and may cause confusion during emergencies.

In the context of physical security, predictability typically refers to human behavior patterns that adversaries could exploit. For example, predictable patrol schedules or access procedures can be observed and defeated. Reducing predictability enhances security by complicating an attacker’s planning process.

A (Accuracy) and B (Effectiveness) relate to system performance.

D (Efficiency) relates to resource use, not vulnerability.

Warm sites are backup facilities that are partially equipped and can be brought online relatively quickly in the event of a disaster. They typically have necessary infrastructure (e.g., power, networking) and some hardware but are missing the primary computer systems or up-to-date data.

Hot sites (A) are fully configured and ready for immediate use.

Cold sites (C) are empty facilities with just space and basic utilities.

Frequent sites (D) is not a recognized term.

The Transmission Control Protocol (TCP) works with IP as part of the TCP/IP suite. It divides data into packets, numbers them sequentially, and adds error detection and correction codes. This ensures that data is transmitted reliably, in order, and without loss or corruption.

File Transfer Protocol (B) uses TCP but does not handle packet creation itself.

Information Control Protocol (C) is not a recognized protocol.

“None of the above” (D) is incorrect because TCP is the correct answer.

Workstations can serve as basic servers in small networks. While they are typically used for individual tasks, they can be configured to act as servers for file sharing, printing, or hosting lightweight applications without needing specialized installation or infrastructure.

Minicomputers (B) are outdated mid-range systems.

Supercomputers (C) are specialized, high-cost systems for massive computations, not typical servers.

“None of the above” (D) is incorrect because workstations can indeed be used as servers.

X.25 is a standard protocol suite developed by the Consultative Committee for International Telephone and Telegraph (CCITT), now known as ITU-T. It is one of the earliest protocols used for WAN communications, enabling reliable data transfer across public networks using packet switching.

XA.10 (B), CXA 1.23 (C), and X.20 (D) are not recognized standards for WAN protocols.

When issuing weapons to security personnel, policies must clearly define the conditions under which the equipment may be used. This ensures legal compliance, accountability, and safety. Proper use-of-force guidelines are critical in managing liability and operational control.

A (Public perception) is important but secondary.

B and C may be relevant to personnel qualification but not to issuance policies themselves.

The correct answer is A. an unauthorized master key permits access through any lock in the series.

In PSP physical security, locks and key systems are part of structural security measures and access control countermeasures. The ASIS PSP Body of Knowledge includes locks under physical security countermeasure selection and implementation.

A master-keying system allows one master key to open multiple locks within a defined lock series. This is useful for management and emergency access, but it creates a major security risk: if the master key is lost, stolen, duplicated, or otherwise obtained by an unauthorized person, that person can access every lock controlled by that master key. Physical security lock guidance describes this as the most obvious security problem with master keys.

The other options are incorrect:

B is incorrect because master keying generally reduces the number of useful combinations, not increases them.

C relates more specifically to removable-core lock risks, not the main master-keying problem.

D is incorrect because close tolerances usually make picking harder, not easier.

Therefore, the correct answer is A.

In physical security terminology, a " facility " refers to any plant, building, office, institution, or industrial/commercial complex along with all its associated functions and structures that are part of an integrated operation. This includes everything from administrative buildings to warehouses and utility structures.

This definition helps determine the scope of security assessments and protective strategies under Domain 1 of the PSP program, " Physical Security Assessment. "

“Contents” (B) refers to the items inside a facility.

“Interior” (C) refers to internal areas within a facility.

“Padlocks” (D) are physical locking devices and do not define a type of structure or location.

???? References:

ASIS International, Physical Security Principles (PSP) Study Guide – Domain 1: Physical Security Assessment

Protection of Assets (POA) Manual – Chapter: Physical Security Concepts

Establishing performance requirements improves a security program because it helps decision-makers choose security features that directly support the organization’s overall protection strategy. In management and Human Resource related planning, clear performance requirements guide the selection of tools, procedures, and personnel responsibilities based on how well they achieve desired outcomes rather than simply meeting a checklist. This approach ensures that resources are aligned with actual risks, operational goals, and employee safety needs. It also supports better training, accountability, and coordination across departments because everyone understands what level of performance is expected. Validating compliance or certification may be useful later, but those actions do not primarily increase program effectiveness during design. The greatest benefit comes from choosing features that strengthen the full strategy. Therefore, option B is the most accurate answer.

Comprehensive Detailed Explanation:

When assessing bombing risk, proximity to high-value or symbolic targets is a significant factor. Even if the facility itself isn’t a primary target, it may suffer collateral damage due to its location near another targeted building. This is a key aspect of blast risk assessments.

A and C (urban area, high occupancy) increase general risk but are not definitive on their own.

D (domestic/international tenants) may affect threat level but is less relevant than target adjacency.

Targeting refers to the process by which a threat actor selects a specific facility or asset based on attractiveness, vulnerabilities, symbolic value, or opportunity. This helps differentiate why one location may be more likely to be attacked than another.

Motivation (B) refers to the reason behind the attack.

Collusion (C) involves cooperation between insiders.

Desire (D) is a psychological element, not an operational step.

Strict liability applies when a manufacturer or service provider is held legally responsible for damages or injuries caused by a defective product or service, regardless of fault or intent. This type of liability is often associated with consumer protection laws, where the focus is on the danger posed to the user rather than negligence on the part of the provider.

Plaintiff (B) is the party bringing the suit.

Defendant (C) is the party being sued.

" None of the above " (D) is incorrect since " Strict liability " is the correct legal principle.

Proprietary security services are those in which the security personnel are hired, trained, and managed directly by the organization they protect. They are part of the company’s staff and are not outsourced from external firms. Proprietary security typically ensures tighter integration with company culture and policies and offers better control over personnel and procedures.

Contract security services (Answer D) involve third-party firms providing personnel who are not employees of the protected organization.

Security enforcement (Answer B) is a general term, not a specific classification.

Pilferage (Answer C) refers to theft and is unrelated to service type.

A crime is defined as a voluntary and intentional violation of a law by someone who is legally competent. It involves breaking a legal duty meant to protect society. This can include actions that are prohibited or omissions where action was legally required.

Corruption (A) is a specific type of crime involving abuse of power.

Law-breaking (B) is a general, non-legal term.

Fault (C) is too broad and often used in civil contexts.

Risk assessment in the PSP framework is centered on understanding the interplay between assets, exposure, and losses.

Assets are the people, property, information, and operations that must be protected.

Exposure represents the vulnerability or likelihood that an asset will be affected by threats or hazards.

Losses are the potential consequences, whether financial, operational, reputational, or physical, if a threat materializes.

By systematically analyzing these three considerations, security professionals can prioritize risks, allocate resources effectively, and design appropriate mitigation strategies. Countermeasures are developed later as responses to identified exposures and potential losses, not as a primary input to risk classification. This aligns with ASIS guidance on structured risk assessment and enterprise security risk management.

The three primary types of cost estimates used during the implementation of a physical protection system are:

Budgetary: Initial estimate for planning and approval.

Preliminary design: Estimate based on conceptual design.

Final design: Detailed cost based on approved construction documents and specifications.

This staged estimation approach helps refine costs as the design evolves.

Other options mention contingency or maintenance, which are important but not considered one of the three standard estimating stages.

A Business Impact Analysis (BIA) identifies critical functions and assesses the financial and operational impact of business disruptions. It helps prioritize recovery efforts and supports continuity planning by quantifying potential losses.

Enterprise impact analysis (A) and Managerial impact analysis (B) are not formal terms.

Critical process impact (C) is a component considered in the BIA but not the term itself.

Security consultants are often retained to provide strategic input on staffing needs, policy design, and technology integration. Their advice helps organizations make informed decisions regarding the deployment of personnel, the structure of policies, and the selection of physical and electronic security systems.

Risk treatment strategies are determined by an organization’s top management because they have the authority to align risk decisions with overall business objectives, resources, and risk tolerance. In Human Resource and organizational management, senior leadership is responsible for setting policies, approving budgets, and establishing priorities that affect the entire enterprise. Risk treatment involves decisions such as accepting, reducing, transferring, or avoiding risks, which require a strategic perspective beyond individual departments. While security managers and operational managers provide valuable input and expertise, they do not have the final authority to determine organization-wide strategies. Similarly, insurance carriers only play a role in risk transfer, not decision-making. Therefore, option A is correct because top management ensures that risk treatment aligns with organizational goals, compliance requirements, and long-term sustainability.

The pre-bid conference is held to clarify specifications, answer bidder questions, and ensure all prospective contractors understand the requirements. It supports transparency and consistency across all bids.

A is incorrect—bids are not anonymous.

C misrepresents the purpose of the meeting.

D (Disclosing project cost) may or may not occur, and it ' s not the primary goal.

In risk evaluation, vulnerability refers to the state of being open or susceptible to harm, damage, or exploitation. It identifies weaknesses in systems, processes, or human behavior that can be taken advantage of by a threat. In Human Resource and organizational risk management, vulnerabilities may include lack of training, poor supervision, weak policies, or gaps in security awareness among employees. These weaknesses increase the chances that a threat can successfully cause harm. A threat represents a potential danger, likelihood measures the probability of occurrence, and criticality reflects the importance of assets or operations. However, vulnerability specifically focuses on exposure to risk. Understanding vulnerabilities allows HR and management to implement targeted controls such as training programs, policy improvements, and monitoring systems to reduce organizational risk and enhance workplace safety.

Comprehensive Detailed Explanation:

The " Theft Triangle " is a concept used in physical security and loss prevention to illustrate the three primary elements that must exist for theft to occur: motive, desire, and opportunity.

Motive: The reason someone considers committing theft (e.g., financial hardship).

Desire: The internal emotional or psychological urge to obtain something.

Opportunity: The circumstances or vulnerabilities that allow the act to occur.

All three must typically be present for theft to happen. This model is used in behavioral risk assessments and insider threat prevention strategies.

In selecting video surveillance cameras, the primary criterion is the ability to clearly identify objects or individuals within the monitored area, which is directly determined by the horizontal resolution.

Horizontal resolution represents the number of distinct points of information captured across the width of the scene and dictates the level of detail available for identification.

Pixel count or chip output alone does not guarantee usable image quality; it must be supported by optics and scene coverage.

Sensitivity affects performance in low-light conditions but is secondary when the main goal is resolution-based identification.

Focal length adjusts the field of view but does not replace the need for sufficient horizontal resolution to meet identification objectives.

ASIS PSP guidance stresses that camera selection should align with the operational purpose, ensuring captured video meets evidentiary and situational awareness requirements while optimizing system design and cost efficiency.

In perimeter lighting, light should be directed away from the protected area (toward potential adversaries) to illuminate potential threats outside the fence or perimeter, making it easier to detect intrusions. Backlighting (placing the source behind the area being monitored) enhances visibility of trespassers without creating glare for security personnel.

A, C, and D correctly describe standard characteristics of perimeter lighting.

B incorrectly suggests the wrong direction for optimal lighting design.

Arrest refers to the legal act of taking a person into custody. One of the essential legal requirements following an arrest is that the individual must be handed over to law enforcement or judicial authorities without unreasonable delay. This is to protect the constitutional rights of the detainee and avoid unlawful detention.

Detain (B) and Detention (C) refer to temporary restraint without full arrest.

Threatening loss (D) is unrelated.

An integrated approach to managing security risk includes both investment in proactive loss prevention techniques and the financial risk transfer method of insurance. Loss prevention helps reduce the probability and impact of incidents, while insurance ensures that if a loss does occur, the financial consequences can be absorbed or mitigated. Together, they form a balanced risk treatment strategy.

References from PSP: ASIS POA – Security and Risk Mitigation Strategies; PSP Study Guide – Operational and Strategic Measures

A good risk management program incorporates multiple stages:

Identifying risks or vulnerabilities (e.g., threats to assets or processes)

Analyzing risks based on likelihood and potential impact (quantitative or qualitative assessment)

Evaluating and aligning existing or proposed security programs to determine adequacy and needed improvements

All three elements are part of a systematic approach to managing security and organizational risk effectively.

References from PSP: Risk Management Process – ASIS POA; PSP Study Manual – Security Program Development

Recruitment into jihadist or other terrorist movements typically involves identifying individuals vulnerable to radical ideology, indoctrinating them through propaganda and religious misinterpretation, and then training them for operational activities, including attacks or support roles.

Annual Loss Expectancy (ALE) is calculated as:

ALE = Single Loss Expectancy (SLE) × Annual Rate of Occurrence (ARO),

which reflects the impact (SLE) and the frequency (ARO) of an event. This formula is a key component in risk assessment for determining expected financial loss.

A, B, and C are partially correct but not the accepted risk formula framework.

Comprehensive Detailed Explanation and References

Group terrorism involves an organized entity that includes a leadership hierarchy, recruitment infrastructure, training procedures, and operations planning. These groups typically have defined ideological goals and logistics networks. Examples include Hezbollah, al-Qaeda, and the FARC.