Multiple Choice

Identify the choice that best completes the statement or answers the question.

1. (1 point) The bank encrypts customer financial data to comply with federal privacy laws. Why was encryption selected?
   a. To eliminate all cyber risk
   b. To meet legal requirements for protecting sensitive data
   c. To reduce hardware costs
   d. To avoid employee training

2. (1 point) The bank chooses a cloud-based security tool that is affordable and easy to maintain. Why was this solution selected?
   a. It guarantees zero downtime
   b. It replaces layered defense
   c. It is cost effective and manageable
   d. It eliminates all vulnerabilities

3. (1 point) A proposed security tool costs $1 million, but the potential loss from the risk is only $50,000. Why might the bank reject this control?
   a. The cost exceeds the expected loss
   b. The tool prevents all threats
   c. The control is legally required
   d. The risk has no impact

4. (1 point) The bank implements multi-factor authentication because credential theft is both common and damaging. Why was this control prioritized?
   a. It eliminates phishing entirely
   b. It reduces staffing costs
   c. It replaces backups
   d. It addresses a high-probability, high-impact risk

5. (1 point) Analysts determine that attackers exploit weak passwords, so they implement password complexity rules. Why was this control selected?
   a. It eliminates availability issues
   b. It transfers liability
   c. It prevents the specific exploitation of weak credentials
   d. It reduces hardware costs

6. (1 point) The bank logs user transactions to meet regulatory auditing standards. Why is logging selected?
   a. To reduce encryption costs
   b. To eliminate insider threats
   c. To avoid backups
   d. To comply with legal and regulatory requirements

7. (1 point) Before installing a new firewall, the bank compares the cost of the firewall to the expected financial loss from a breach. What principle is being applied?
   a. Threat elimination
   b. Cost-benefit analysis
   c. Risk avoidance
   d. Risk transfer

8. (1 point) A vulnerability is unlikely but would cause severe damage if exploited. Why might the bank still implement a control?
   a. The vulnerability cannot be exploited
   b. The control eliminates all risk
   c. The potential impact justifies the investment
   d. The cost is irrelevant

9. (1 point) The bank selects a security tool that integrates easily with existing systems. Why is this important?
   a. It eliminates adversaries
   b. It guarantees availability
   c. It conserves resources and employee capacity
   d. It removes legal responsibility

10. (1 point) After identifying that attackers exploit open ports, the bank closes unused ports. Why was this control chosen?
   a. It eliminates all threats
   b. It directly prevents the identified attack method
   c. It reduces legal costs
   d. It increases availability

11. (1 point) The expected loss from ransomware is estimated at $500,000. The cost of implementing backups is $50,000. Why is the control justified?
   a. The control cost is lower than expected loss
   b. The control eliminates threats
   c. The risk is low impact
   d. The bank must transfer risk

12. (1 point) The bank implements intrusion detection because phishing attempts are frequent. Why is this decision reasonable?
   a. It addresses a common and impactful threat
   b. It removes need for training
   c. It eliminates insider risk
   d. It lowers hardware expenses

13. (1 point) The bank protects medical loan records due to strict privacy laws. Why was additional encryption selected?
   a. To increase availability
   b. To comply with legal data protection requirements
   c. To avoid insurance costs
   d. To eliminate risk acceptance

14. (1 point) The security team chooses a control that employees can easily maintain. Why does ease of maintenance matter?
   a. It prevents all attacks
   b. It eliminates vulnerabilities
   c. It transfers risk
   d. It ensures long-term effectiveness and efficiency

15. (1 point) The bank installs endpoint detection software after identifying malware infections. Why was this control selected?
   a. It detects and prevents the identified threat
   b. It replaces encryption
   c. It removes insider risk
   d. It eliminates cost concerns

16. (1 point) A control costs more than the projected damage from the vulnerability. Why might the bank avoid implementing it?
   a. The control is required by law
   b. The cost outweighs the benefit
   c. The risk is high probability
   d. The threat is guaranteed

17. (1 point) The bank prioritizes fixing a vulnerability that is frequently exploited by attackers. Why?
   a. It addresses a high-probability risk
   b. It lowers impact
   c. It reduces compliance costs
   d. It eliminates monitoring needs

18. (1 point) The bank adds web filtering after identifying malicious website traffic. Why is this control appropriate?
   a. It eliminates encryption needs
   b. It reduces hardware costs
   c. It transfers risk
   d. It blocks the identified attack path

19. (1 point) A financial regulation requires transaction monitoring. Why does the bank implement monitoring software?
   a. To prevent hardware failure
   b. To eliminate risk acceptance
   c. To reduce costs
   d. To meet compliance requirements

20. (1 point) The bank selects automated patch management to save staff time. Why was automation chosen?
   a. It removes availability concerns
   b. It prevents all breaches
   c. It conserves employee capacity
   d. It eliminates adversaries

21. (1 point) Why should an organization analyze expected loss before choosing a control?
   a. To ensure the control cost is justified
   b. To transfer risk
   c. To eliminate threats
   d. To reduce integrity

22. (1 point) A vulnerability is both easy to exploit and causes major financial loss. Why should it be addressed first?
   a. It eliminates residual risk
   b. It transfers liability
   c. It reduces cost concerns
   d. It represents high likelihood and high impact

23. (1 point) The bank installs multi-factor authentication after attackers exploit stolen passwords. Why is this control selected?
   a. It prevents the identified attack method
   b. It eliminates backups
   c. It removes compliance needs
   d. It lowers hardware costs

24. (1 point) The bank chooses a control that is affordable and scalable as the company grows. Why is scalability important?
   a. It prevents all insider threats
   b. It guarantees availability
   c. It maintains protection without excessive cost
   d. It eliminates vulnerabilities

25. (1 point) A security control is implemented only after calculating projected financial loss from an attack. Why is this approach effective?
   a. It eliminates adversaries
   b. It guarantees prevention
   c. It ensures responsible allocation of resources
   d. It removes need for monitoring

26. (1 point) A hospital encrypts patient records to meet health privacy laws. Why was encryption selected?
   a. To comply with legal requirements
   b. To simplify login procedures
   c. To eliminate all risk
   d. To reduce hardware costs

27. (1 point) A small business chooses a cloud-based firewall because it is affordable and easy to manage. Why was this control selected?
   a. It is cost effective and simple to maintain
   b. It avoids compliance requirements
   c. It replaces backups
   d. It eliminates all threats

28. (1 point) A company considers installing a $500,000 control to prevent a $50,000 risk. Why might it reject this control?
   a. The impact increases
   b. The vulnerability disappears
   c. The risk is eliminated
   d. The cost exceeds the expected loss

29. (1 point) An organization prioritizes multi-factor authentication because account takeover is common and damaging. Why was this control selected?
   a. It addresses a high-probability, high-impact risk
   b. It reduces training time
   c. It eliminates all vulnerabilities
   d. It lowers utility costs

30. (1 point) A company installs input validation after learning attackers exploit form fields. Why was this control chosen?
   a. It transfers the risk
   b. It avoids compliance
   c. It prevents a known exploitation method
   d. It reduces employee workload

31. (1 point) Why should organizations perform a cost-benefit analysis before implementing a control?
   a. To eliminate residual risk
   b. To prevent insider threats
   c. To ensure the control’s cost does not exceed expected loss
   d. To remove monitoring needs

32. (1 point) A bank implements strict access logging because regulations require tracking transactions. Why was this control selected?
   a. To meet compliance obligations
   b. To eliminate phishing
   c. To avoid redundancy
   d. To reduce system speed

33. (1 point) Why might an organization prefer automated patch management?
   a. It transfers risk
   b. It is efficient and reduces employee workload
   c. It eliminates all vulnerabilities
   d. It prevents insider threats

34. (1 point) A company installs advanced DDoS protection because online services generate most revenue. Why is this control prioritized?
   a. The vulnerability is removed
   b. The threat is unlikely
   c. The impact of downtime is high
   d. The cost is minimal

35. (1 point) When selecting a firewall, what must defenders consider first?
   a. How adversaries exploit network vulnerabilities
   b. How many employees use email
   c. Whether the control eliminates risk
   d. Whether the control reduces compliance

36. (1 point) Why might a company avoid an overly complex security tool?
   a. It removes residual risk
   b. It increases compliance
   c. It may require more resources to maintain
   d. It eliminates too much risk

37. (1 point) A risk is estimated at $200,000 in damage. A control costs $20,000. Why would leadership approve it?
   a. The risk is low probability
   b. The expected loss is greater than the cost
   c. The control eliminates vulnerability
   d. The control avoids regulation

38. (1 point) Why should organizations focus on high-impact risks first?
   a. They eliminate compliance needs
   b. They reduce employee workload
   c. They cause the most damage if exploited
   d. They are easiest to exploit

39. (1 point) A company handling credit cards installs encryption to meet industry standards. Why is this necessary?
   a. Compliance with legal and industry rules
   b. Elimination of risk
   c. Avoidance of patching
   d. Reduction of employee access

40. (1 point) Why must defenders understand attack methods before selecting controls?
   a. To reduce financial impact only
   b. To choose controls that prevent or detect specific exploits
   c. To remove redundancy
   d. To eliminate monitoring

41. (1 point) Why would a company reject a control that costs more than projected breach damage?
   a. The risk is eliminated
   b. The control increases availability
   c. The vulnerability disappears
   d. The cost-benefit balance is unfavorable

42. (1 point) Why might an organization choose a simpler security tool over a complex one?
   a. It eliminates compliance risk
   b. It removes backups
   c. It conserves financial and human resources
   d. It prevents all attacks

43. (1 point) If phishing is frequent and damaging, why implement employee training?
   a. It avoids monitoring
   b. It addresses a common, high-impact risk
   c. It transfers liability
   d. It eliminates encryption

44. (1 point) Installing intrusion detection systems helps because they:
   a. Eliminate adversaries
   b. Avoid cost analysis
   c. Remove legal requirements
   d. Detect adversary activity tied to known vulnerabilities

45. (1 point) Why compare control cost with projected financial loss?
   a. To reduce compliance obligations
   b. To eliminate risk completely
   c. To prevent all insider threats
   d. To ensure resources are used effectively

46. (1 point) Why are audit logs required in regulated industries?
   a. Legal compliance demands accountability
   b. They reduce impact
   c. They eliminate phishing
   d. They remove redundancy

47. (1 point) A startup chooses open-source security tools due to limited budget. Why?
   a. They eliminate vulnerabilities
   b. They transfer risk
   c. They are cost effective
   d. They remove monitoring needs

48. (1 point) Why prioritize patching critical vulnerabilities over minor ones?
   a. Critical vulnerabilities are high impact
   b. Minor vulnerabilities cost more
   c. Minor ones prevent downtime
   d. Critical ones eliminate compliance

49. (1 point) When selecting encryption, defenders consider how attackers steal data. Why?
   a. To eliminate monitoring
   b. To choose a control that directly mitigates the threat
   c. To reduce cost only
   d. To avoid backups

50. (1 point) Why might leadership delay implementing a costly control for a rare threat?
   a. The likelihood and expected loss are low
   b. The vulnerability is eliminated
   c. The control avoids regulation
   d. The cost is minimal