Cybersecurity & Encryption

Big Idea 4 (CSN-1.D) & Big Idea 5 (IOC-2) · ~6–10 questions on the AP exam

What This Lesson Covers

This is one of the highest-yield topics on the AP CSP MCQ. The questions are mostly vocabulary and scenario matching, not math. The wrong-answer choices are built from common misconceptions — we'll target those directly.

Symmetric vs. asymmetric (public-key) encryption
Digital certificates and HTTPS
Authentication and Multi-Factor Authentication (MFA)
Threat vocabulary: phishing, keylogger, rogue access point, virus / worm / malware
Personally Identifiable Information (PII) and aggregation

1. Encryption: Symmetric vs. AsymmetricEK CSN-1.D / IOC-2.B

Encryption is encoding data so that only authorized parties can read it. Decryption reverses the process. The AP exam tests two flavors:

Symmetric

One shared key both encrypts and decrypts.
Fast and efficient.
The problem: how do you safely share the key in the first place if your channel isn't already secure?
Analogy: a single padlock with one key — you and the recipient must each have a copy.

Asymmetric (Public-Key)

A key pair: a public key (shared openly) and a private key (kept secret by the owner).
The public key encrypts; only the matching private key can decrypt.
Solves the key-sharing problem — you can send a message securely without first exchanging a secret.
Analogy: Bob hands out open padlocks (public key); only Bob has the key (private key) to unlock them.

The single most-tested fact: In public-key encryption, you encrypt with the recipient's public key, and only the recipient's private key can decrypt. The public key cannot decrypt — that's the whole point.

Practice MCQ

Alice wants to send Bob an encrypted message using public-key encryption. Which key does Bob use to decrypt the message?

Practice MCQ

What is the primary advantage of public-key (asymmetric) encryption compared to symmetric encryption?

2. Digital Certificates & HTTPSEK CSN-1.D / IOC-2.B

Public-key encryption has one remaining problem: how do you know the public key really belongs to the website you think it does? An attacker could publish their own key and pretend to be your bank.

Digital certificates solve this. A trusted third party called a Certificate Authority (CA) issues a certificate that vouches: "This public key really does belong to bank.com." Your browser checks the certificate before encrypting anything.

HTTPS in one sentence

HTTPS is HTTP over an encrypted connection. The certificate establishes the server's identity, and the encryption protects the data in transit between your browser and the server.

Big misconception alert: HTTPS does not mean a website is trustworthy or safe. Scam sites can — and do — have valid HTTPS certificates. The padlock means "no one can eavesdrop on this connection," not "this site is honest."

Practice MCQ

A user notices a padlock icon and "https://" in their browser. Which of the following is guaranteed by HTTPS?

3. Authentication & Multi-Factor AuthenticationEK IOC-2.B

Authentication is the process of verifying that someone is who they claim to be. The AP exam tests one specific concept very heavily: Multi-Factor Authentication (MFA).

The three authentication factors

Factor	Examples
Something you KNOW	Password, PIN, security question answer
Something you HAVE	Phone receiving a code, hardware security key (YubiKey), authenticator app
Something you ARE	Fingerprint, face scan, voice, iris (biometrics)

MFA = at least two factors from different categories. Two passwords is not MFA. A password plus a CAPTCHA is not MFA. A password plus account lockout after failed attempts is not MFA. Those are all just additional security — not a second factor.

Practice MCQ

Which of the following is NOT an example of multi-factor authentication?

Practice MCQ

A student logs into a website by typing their password and then entering a 6-digit code that was sent as a text to their phone. Which two MFA factors are being used?

4. Threat VocabularyEK IOC-2.C

The AP exam tests these terms by giving you a scenario and asking you to name the threat. Memorize the distinguishing feature of each:

Threat	What it is — and what makes it different
Phishing	Social engineering via fake messages (email, text) that trick a user into giving up credentials or clicking a malicious link. The attack is on the person, not the system.
Keylogger	Software (or hardware) that secretly records every keystroke, including passwords, as the user types. Often installed via malware or a compromised device.
Rogue Access Point	An unauthorized Wi-Fi hotspot set up by an attacker, often impersonating a legitimate network (e.g., "FreeCoffeeWiFi"). When users connect, the attacker can intercept their traffic.
Virus	A type of malware that attaches to a host file or program and spreads when the host is run by the user. Requires user action to propagate.
Worm	Malware that self-replicates and spreads autonomously across networks, without needing a host file or user action.
Malware	The umbrella term for any malicious software — viruses, worms, ransomware, spyware, adware. Defenses: antivirus software and keeping systems updated to patch vulnerabilities.

Practice MCQ

An attacker sets up a Wi-Fi hotspot in an airport and names it "Airport_Free_WiFi" so travelers connect to it instead of the real airport network. The attacker then captures and reads any unencrypted data those users send. This attack is best described as:

Practice MCQ

A user receives an email that looks like it's from their bank, warning of "suspicious activity" and asking them to click a link to log in and verify their account. The link leads to a convincing fake site that captures their username and password. This is an example of:

5. Personally Identifiable Information (PII)EK IOC-2.A

PII is any information that can be used to identify, contact, or locate a specific individual — either on its own, or in combination with other information.

Generally PII (alone)	Not PII alone — but PII in combination
Social Security number, full legal name, driver's license #, passport #, biometric data, financial account #, medical records, exact home address	ZIP code, date of birth, gender, browsing history, search history, cookies, geolocation data, IP address

Aggregation is the AP exam's favorite trick. A single piece of "harmless" data may not identify you — but combine ZIP code + date of birth + gender, and research has shown that's enough to uniquely identify the majority of Americans. Cookies + browsing history + login times can do the same. The combination is what makes data sensitive.

Two more things the exam expects you to know about PII:

Once posted online, PII is hard to delete — copies, screenshots, archives, and search engines can preserve it indefinitely.
Cookies are not malware. They're small data files used for tracking and remembering session/login state. Tracking is a privacy concern, not a malware concern.

Practice MCQ

Which combination of data is most likely to uniquely identify a specific individual, even though no single item is by itself a strong identifier?

Misconception Lightning Round

These are the false statements the AP exam builds its wrong-answer choices from. Click True or False:

"Multi-factor authentication just means using two strong passwords."

"If a website uses HTTPS, the website itself is safe and trustworthy."

"In public-key encryption, the public key can both encrypt and decrypt messages."

"A long, complex password is enough to defeat phishing attacks."

"Cookies are a type of malware."

"A virus, a worm, and malware are three names for the same thing."

What's NOT on the AP CSP Exam

Don't waste study time on these — they sound security-related, but the AP CSP exam doesn't test them:

The math behind encryption (modular arithmetic, XOR, prime factoring) Out of scope
Specific algorithm names (AES, DES, RSA, ECC, SHA) Out of scope
Hashing and hash functions Out of scope
The TLS handshake, cipher suites, TLS versions Out of scope
OWASP Top 10, SQL injection, XSS, buffer overflows Out of scope
DoS / DDoS attack mechanics Out of scope
Firewalls, IDS/IPS, VPN internals Out of scope
Specific named historical attacks (WannaCry, Stuxnet, etc.) as testable items Out of scope

Translation: If a question seems to be asking you for the name of a cryptographic algorithm or the steps of a TLS handshake, you've misread the question. The AP CSP exam stays at the conceptual level.

More Info — Trusted Sources to Verify or Go Deeper

Everything on this page is drawn from these sources. They are the references the College Board, your teachers, and federal cybersecurity agencies treat as authoritative.

College Board AP Central — AP CSP Course Page — The official source. Look for the Course and Exam Description (CED).
AP CSP Course and Exam Description (PDF) — Official curriculum framework. CSN-1.D covers encryption; IOC-2.A/B/C cover PII, authentication, and threats.
Khan Academy — AP CSP: Online Data Security — Free video lessons and practice questions on encryption, authentication, and privacy.
Mobile CSP Textbook — Cybersecurity — Open-source AP CSP textbook chapter on cybersecurity, written for AP CSP teachers and students.
CISA — Secure Our World — The U.S. Cybersecurity & Infrastructure Security Agency's plain-language guide to phishing, MFA, and password safety.
NIST — Cybersecurity Basics — From the U.S. National Institute of Standards and Technology, the agency that defines cybersecurity standards.
FTC — Protecting Personal Information — The Federal Trade Commission's guide to PII and what counts as personal information.

Back to Review Hub