SECURITY CONTRACTOR EXAM
Security Contractor Exam
Instructions: This exam consists of 150 questions. Select the best answer for each
question. Read each rationale carefully to understand the reasoning behind the correct
answer.
Section 1: Core Security Principles & Ethics (Questions 1-20)
1. What is the primary purpose of a security survey?
a) To identify potential security weaknesses and threats.
b) To determine the budget for the next fiscal year.
c) To evaluate employee performance.
d) To advertise the security company's services.
Answer: a
Rationale: A security survey is a systematic on-site examination to identify vulnerabilities,
assess risks, and recommend improvements. It is the foundation of a security plan.
2. The concept of "deterrence" in security aims to:
a) Physically stop an aggressor.
b) Make a potential threat believe that the cost of an attack outweighs the benefit.
c) Delay an adversary long enough for response forces to arrive.
d) Detect a breach after it has occurred.
Answer: b
Rationale: Deterrence is about influencing the decision-making of a potential attacker.
Visible security measures (guards, cameras, signage) create a perception of risk,
discouraging the attempt.
3. A security contractor finds a wallet containing a large sum of cash in a client's
parking lot. The most ethical course of action is to:
a) Turn it over to the client's security management immediately.
b) Keep it, as it was found in a public area.
,c) Give it to the first supervisor encountered.
d) Wait to see if anyone comes looking for it.
Answer: a
Rationale: The highest ethical duty is to the client and to the law. Turning found property
over to a designated supervisor or security management ensures a documented chain of
custody and allows for proper handling to return it to its owner.
4. Which of the following is a key element of the "Security Triangle"?
a) Deter, Detect, Delay
b) Observe, Orient, Decide, Act (OODA Loop)
c) Plan, Organize, Staff, Direct, Control
d) Assessment, Planning, Implementation, Evaluation
Answer: a
Rationale: The Security Triangle (or the three Ds) is a foundational concept: Deter (prevent
the attempt), Detect (identify the breach in progress), and Delay (slow the adversary to
allow for response).
5. Confidentiality, Integrity, and Availability (CIA) is a model primarily associated
with:
a) Physical security only
b) Information security
c) Executive protection
d) Supply chain logistics
Answer: b
Rationale: The CIA triad is the core principle of information security (InfoSec).
Confidentiality ensures data is accessible only to authorized users; Integrity ensures data is
accurate and unaltered; Availability ensures data is accessible when needed.
6. A security contractor is asked by a client employee to share the access code to a
restricted area because the employee "forgot their badge." The contractor should:
a) Provide the code, as the employee works there.
b) Refuse and report the request to a supervisor.
c) Write the code down for the employee.
d) Escort the employee but not give the code.
Answer: b
Rationale: This is a classic social engineering test or a security violation. Access codes and
credentials must never be shared. The contractor's duty is to enforce policy and report the
incident to their chain of command to protect the client's security.
7. What does "due diligence" mean in a security context?
a) The legal duty to act in a timely manner.
,b) The level of investigation and care a reasonable person is expected to take to avoid
harm.
c) The process of firing a non-performing employee.
d) The financial audit of a security department.
Answer: b
Rationale: Due diligence is the proactive effort to prevent harm. For a security contractor,
it means conducting proper threat assessments, following procedures, and taking
reasonable steps to prevent foreseeable incidents, thereby mitigating liability.
8. The primary goal of Operational Security (OPSEC) is to:
a) Ensure all operations are conducted in secret.
b) Protect critical information from being exploited by an adversary.
c) Provide armed protection for operational personnel.
d) Secure the physical perimeter of an operational base.
Answer: b
Rationale: OPSEC is a process that identifies critical information and analyzes friendly
actions to determine if those actions can be observed by an adversary and exploited. It's
about protecting the information, not just the physical asset.
9. A security contractor's authority is derived from:
a) The right to bear arms.
b) Client policy, state/local laws, and employer directives.
c) Common law only.
d) Their own moral judgment.
Answer: b
Rationale: A private security contractor's authority is limited and defined. It comes from
the contractual agreement with the client (client policy), the laws of the jurisdiction they
work in, and the policies of their employing security company.
10. Which of the following is an example of "risk transference"?
a) Installing security cameras.
b) Hiring a security guard.
c) Purchasing liability insurance.
d) Removing a hazardous tree.
Answer: c
Rationale: Risk transference is shifting the financial burden of a potential loss to another
party. While hiring a guard transfers some risk, insurance is the classic example of
financial risk transference. The other options are risk mitigation or reduction.
11. The "OODA Loop" (Observe, Orient, Decide, Act) is a concept used to:
a) Conduct a security survey.
, b) Manage a large team of guards.
c) Make faster and more effective decisions in a dynamic situation.
d) Calculate security return on investment (ROI).
Answer: c
Rationale: Developed by military strategist John Boyd, the OODA Loop emphasizes the
importance of speed in the decision-making cycle. The individual or organization that can
cycle through these steps faster can disrupt their adversary's decision-making.
12. A key difference between a security contractor and a law enforcement officer
is that a security contractor generally:
a) Has no authority to make an arrest.
b) Enforces private policies and contracts, not public law.
c) Works only for the federal government.
d) Is not allowed to carry any defensive equipment.
Answer: b
Rationale: While security contractors may have citizen's arrest powers depending on
jurisdiction, their primary role is to enforce the client's rules, regulations, and policies. Law
enforcement officers enforce public criminal laws on behalf of the state.
13. What is "situational awareness"?
a) The ability to recall policies and procedures.
b) The perception and comprehension of elements in an environment, and projection of
their future status.
c) Knowing the exact location of all security cameras.
d) Being able to use a firearm accurately.
Answer: b
Rationale: Situational awareness is more than just observation. It involves perceiving what
is happening (Level 1), understanding what it means (Level 2), and predicting what will
happen next (Level 3). It is critical for proactive security.
14. When managing sensitive information, the principle of "least privilege" means:
a) Everyone should have access to all information for transparency.
b) Individuals should only have access to the information necessary to perform their job
functions.
c) Only senior management should have any access.
d) Access should be granted based on seniority.
Answer: b
Rationale: Least privilege is a fundamental security principle that minimizes risk. By
limiting access to only what is required for a specific role, an organization reduces the
potential attack surface and the impact of a credential compromise.
Security Contractor Exam
Instructions: This exam consists of 150 questions. Select the best answer for each
question. Read each rationale carefully to understand the reasoning behind the correct
answer.
Section 1: Core Security Principles & Ethics (Questions 1-20)
1. What is the primary purpose of a security survey?
a) To identify potential security weaknesses and threats.
b) To determine the budget for the next fiscal year.
c) To evaluate employee performance.
d) To advertise the security company's services.
Answer: a
Rationale: A security survey is a systematic on-site examination to identify vulnerabilities,
assess risks, and recommend improvements. It is the foundation of a security plan.
2. The concept of "deterrence" in security aims to:
a) Physically stop an aggressor.
b) Make a potential threat believe that the cost of an attack outweighs the benefit.
c) Delay an adversary long enough for response forces to arrive.
d) Detect a breach after it has occurred.
Answer: b
Rationale: Deterrence is about influencing the decision-making of a potential attacker.
Visible security measures (guards, cameras, signage) create a perception of risk,
discouraging the attempt.
3. A security contractor finds a wallet containing a large sum of cash in a client's
parking lot. The most ethical course of action is to:
a) Turn it over to the client's security management immediately.
b) Keep it, as it was found in a public area.
,c) Give it to the first supervisor encountered.
d) Wait to see if anyone comes looking for it.
Answer: a
Rationale: The highest ethical duty is to the client and to the law. Turning found property
over to a designated supervisor or security management ensures a documented chain of
custody and allows for proper handling to return it to its owner.
4. Which of the following is a key element of the "Security Triangle"?
a) Deter, Detect, Delay
b) Observe, Orient, Decide, Act (OODA Loop)
c) Plan, Organize, Staff, Direct, Control
d) Assessment, Planning, Implementation, Evaluation
Answer: a
Rationale: The Security Triangle (or the three Ds) is a foundational concept: Deter (prevent
the attempt), Detect (identify the breach in progress), and Delay (slow the adversary to
allow for response).
5. Confidentiality, Integrity, and Availability (CIA) is a model primarily associated
with:
a) Physical security only
b) Information security
c) Executive protection
d) Supply chain logistics
Answer: b
Rationale: The CIA triad is the core principle of information security (InfoSec).
Confidentiality ensures data is accessible only to authorized users; Integrity ensures data is
accurate and unaltered; Availability ensures data is accessible when needed.
6. A security contractor is asked by a client employee to share the access code to a
restricted area because the employee "forgot their badge." The contractor should:
a) Provide the code, as the employee works there.
b) Refuse and report the request to a supervisor.
c) Write the code down for the employee.
d) Escort the employee but not give the code.
Answer: b
Rationale: This is a classic social engineering test or a security violation. Access codes and
credentials must never be shared. The contractor's duty is to enforce policy and report the
incident to their chain of command to protect the client's security.
7. What does "due diligence" mean in a security context?
a) The legal duty to act in a timely manner.
,b) The level of investigation and care a reasonable person is expected to take to avoid
harm.
c) The process of firing a non-performing employee.
d) The financial audit of a security department.
Answer: b
Rationale: Due diligence is the proactive effort to prevent harm. For a security contractor,
it means conducting proper threat assessments, following procedures, and taking
reasonable steps to prevent foreseeable incidents, thereby mitigating liability.
8. The primary goal of Operational Security (OPSEC) is to:
a) Ensure all operations are conducted in secret.
b) Protect critical information from being exploited by an adversary.
c) Provide armed protection for operational personnel.
d) Secure the physical perimeter of an operational base.
Answer: b
Rationale: OPSEC is a process that identifies critical information and analyzes friendly
actions to determine if those actions can be observed by an adversary and exploited. It's
about protecting the information, not just the physical asset.
9. A security contractor's authority is derived from:
a) The right to bear arms.
b) Client policy, state/local laws, and employer directives.
c) Common law only.
d) Their own moral judgment.
Answer: b
Rationale: A private security contractor's authority is limited and defined. It comes from
the contractual agreement with the client (client policy), the laws of the jurisdiction they
work in, and the policies of their employing security company.
10. Which of the following is an example of "risk transference"?
a) Installing security cameras.
b) Hiring a security guard.
c) Purchasing liability insurance.
d) Removing a hazardous tree.
Answer: c
Rationale: Risk transference is shifting the financial burden of a potential loss to another
party. While hiring a guard transfers some risk, insurance is the classic example of
financial risk transference. The other options are risk mitigation or reduction.
11. The "OODA Loop" (Observe, Orient, Decide, Act) is a concept used to:
a) Conduct a security survey.
, b) Manage a large team of guards.
c) Make faster and more effective decisions in a dynamic situation.
d) Calculate security return on investment (ROI).
Answer: c
Rationale: Developed by military strategist John Boyd, the OODA Loop emphasizes the
importance of speed in the decision-making cycle. The individual or organization that can
cycle through these steps faster can disrupt their adversary's decision-making.
12. A key difference between a security contractor and a law enforcement officer
is that a security contractor generally:
a) Has no authority to make an arrest.
b) Enforces private policies and contracts, not public law.
c) Works only for the federal government.
d) Is not allowed to carry any defensive equipment.
Answer: b
Rationale: While security contractors may have citizen's arrest powers depending on
jurisdiction, their primary role is to enforce the client's rules, regulations, and policies. Law
enforcement officers enforce public criminal laws on behalf of the state.
13. What is "situational awareness"?
a) The ability to recall policies and procedures.
b) The perception and comprehension of elements in an environment, and projection of
their future status.
c) Knowing the exact location of all security cameras.
d) Being able to use a firearm accurately.
Answer: b
Rationale: Situational awareness is more than just observation. It involves perceiving what
is happening (Level 1), understanding what it means (Level 2), and predicting what will
happen next (Level 3). It is critical for proactive security.
14. When managing sensitive information, the principle of "least privilege" means:
a) Everyone should have access to all information for transparency.
b) Individuals should only have access to the information necessary to perform their job
functions.
c) Only senior management should have any access.
d) Access should be granted based on seniority.
Answer: b
Rationale: Least privilege is a fundamental security principle that minimizes risk. By
limiting access to only what is required for a specific role, an organization reduces the
potential attack surface and the impact of a credential compromise.
