Multiple Choice
Identify the choice that best completes the statement or answers the question.

1. (1 point) The bank stops offering a mobile check deposit feature because it introduces significant security risks. Which strategy is the bank using?
a. Risk avoidance
b. Risk acceptance
c. Risk mitigation
d. Risk transfer

2. (1 point) The bank purchases cybersecurity insurance to cover financial losses from potential data breaches. Which strategy is this?
a. Risk avoidance
b. Risk mitigation
c. Risk acceptance
d. Risk transfer

3. (1 point) The bank installs multi-factor authentication to reduce unauthorized account access. Which strategy does this represent?
a. Risk avoidance
b. Risk mitigation
c. Risk acceptance
d. Risk transfer

4. (1 point) After implementing strong controls, the bank acknowledges that a small amount of risk still remains. What is this remaining risk called?
a. Accepted vulnerability
b. Transferred risk
c. Eliminated risk
d. Residual risk

5. (1 point) The bank determines that a low-level risk is unlikely to cause serious harm and chooses to take no further action. Which strategy is this?
a. Risk transfer
b. Risk mitigation
c. Risk acceptance
d. Risk avoidance

6. (1 point) A legacy software system poses security risks, so the bank permanently removes it from use. Which risk strategy is being used?
a. Risk avoidance
b. Risk transfer
c. Risk acceptance
d. Risk mitigation

7. (1 point) The bank outsources payment processing to a third-party vendor who assumes responsibility for fraud losses. Which strategy is this?
a. Risk mitigation
b. Risk avoidance
c. Risk transfer
d. Risk acceptance

8. (1 point) To reduce the likelihood of phishing attacks, the bank provides employee security training. Which strategy is this?
a. Risk avoidance
b. Risk transfer
c. Risk acceptance
d. Risk mitigation

9. (1 point) Even after installing firewalls and encryption, some cyber risk remains. What should the bank determine about this remaining exposure?
a. It has been transferred
b. It no longer exists
c. It is residual risk
d. It has been avoided

10. (1 point) The bank identifies a high-likelihood vulnerability but decides to reduce its impact through encryption. Which strategy is most accurate?
a. Risk mitigation
b. Risk avoidance
c. Risk acceptance
d. Risk transfer

11. (1 point) The bank considers shutting down online banking to eliminate hacking risk but determines it is essential to its mission. Why is avoidance not practical?
a. Insurance is available
b. It reduces customer trust
c. The risk is low impact
d. The activity is critical to operations

12. (1 point) The bank adds contract language requiring customers to assume responsibility for weak passwords. Which strategy does this reflect?
a. Risk transfer
b. Risk avoidance
c. Risk acceptance
d. Risk mitigation

13. (1 point) To lessen damage from ransomware, the bank maintains regular data backups. Which risk strategy is this?
a. Risk mitigation
b. Risk acceptance
c. Risk avoidance
d. Risk transfer

14. (1 point) After all feasible controls are applied, the bank documents that it will tolerate the remaining minor risk. Which strategy does this represent?
a. Risk acceptance
b. Risk mitigation
c. Risk transfer
d. Risk avoidance

15. (1 point) A vulnerability is expensive to fix and has low impact. The bank chooses to monitor it without further action. Which strategy is most appropriate?
a. Risk avoidance
b. Risk acceptance
c. Risk mitigation
d. Risk transfer

16. (1 point) The bank implements intrusion detection systems to reduce the likelihood of undetected breaches. Which strategy is this?
a. Risk transfer
b. Risk avoidance
c. Risk acceptance
d. Risk mitigation

17. (1 point) The bank partners with a government cybersecurity program that provides financial assistance after major attacks. Which strategy is this?
a. Risk acceptance
b. Risk mitigation
c. Risk transfer
d. Risk avoidance

18. (1 point) A risky online promotion campaign is canceled to eliminate potential data collection vulnerabilities. Which strategy is being used?
a. Risk transfer
b. Risk acceptance
c. Risk avoidance
d. Risk mitigation

19. (1 point) The bank encrypts sensitive customer data to reduce the impact if it is stolen. Which risk strategy is this?
a. Risk mitigation
b. Risk avoidance
c. Risk transfer
d. Risk acceptance

20. (1 point) The bank determines that eliminating all risk is impossible and must decide what level is tolerable. What concept does this reflect?
a. Risk mitigation guarantees safety
b. Risk acceptance acknowledges absolute security is unattainable
c. Risk transfer removes vulnerabilities
d. Risk avoidance eliminates all threats

21. (1 point) After identifying risk, the bank must choose among avoidance, transfer, mitigation, or acceptance. Which step of risk management is this?
a. Conducting reconnaissance
b. Selecting a management strategy
c. Detecting lateral movement
d. Exploiting a vulnerability

22. (1 point) The bank requires vendors to carry cyber liability insurance for services provided. Which strategy is this?
a. Risk mitigation
b. Risk avoidance
c. Risk transfer
d. Risk acceptance

23. (1 point) To reduce the likelihood of insider threats, the bank implements stricter access controls. Which strategy does this represent?
a. Risk transfer
b. Risk mitigation
c. Risk acceptance
d. Risk avoidance

24. (1 point) A minor website vulnerability remains after all controls are applied, but the bank decides it is tolerable. Which strategy applies to that remaining risk?
a. Risk transfer
b. Risk acceptance
c. Risk mitigation
d. Risk avoidance

25. (1 point) A cloud feature introduces security risks, so the bank disables the feature entirely. Which strategy is being used?
a. Risk transfer
b. Risk mitigation
c. Risk acceptance
d. Risk avoidance

26. (1 point) A bank decides to stop offering an online feature because it creates too much cyber risk. Which strategy is this?
a. Mitigate
b. Avoid
c. Transfer
d. Accept

27. (1 point) A company purchases cyber insurance to cover losses from a possible breach. Which strategy is this?
a. Mitigate
b. Avoid
c. Accept
d. Transfer

28. (1 point) A bank installs multi-factor authentication to reduce account takeover risk. Which strategy is this?
a. Avoid
b. Mitigate
c. Transfer
d. Accept

29. (1 point) After installing new firewalls, some small risk still remains. The company decides to operate anyway. Which strategy applies to the remaining risk?
a. Avoid
b. Transfer
c. Mitigate
d. Accept

30. (1 point) A company discontinues storing customer credit card data to eliminate breach risk. Which strategy is being used?
a. Accept
b. Mitigate
c. Avoid
d. Transfer

31. (1 point) A business outsources payment processing to a third-party provider to reduce liability. Which strategy is this?
a. Transfer
b. Avoid
c. Mitigate
d. Accept

32. (1 point) An organization encrypts sensitive files to reduce potential damage from theft. Which strategy is this?
a. Accept
b. Avoid
c. Transfer
d. Mitigate

33. (1 point) Leadership acknowledges a low-level phishing risk but decides the cost of further controls is too high. Which strategy is chosen?
a. Accept
b. Transfer
c. Mitigate
d. Avoid

34. (1 point) A hospital cannot stop using online records because they are critical to patient care. Which risk strategy is not possible?
a. Transfer
b. Accept
c. Avoid
d. Mitigate

35. (1 point) A company installs security cameras to reduce theft risk. Which strategy does this represent?
a. Mitigate
b. Accept
c. Avoid
d. Transfer

36. (1 point) A bank increases service fees to customers to offset possible cyber losses. Which strategy is this?
a. Transfer
b. Avoid
c. Accept
d. Mitigate

37. (1 point) After analyzing a vulnerability, a company chooses to implement additional monitoring controls. Which strategy is most accurate?
a. Mitigate
b. Avoid
c. Transfer
d. Accept

38. (1 point) Even after patching systems, some chance of attack remains. What is this remaining risk called?
a. Transferred risk
b. Avoided risk
c. Residual risk
d. Eliminated risk

39. (1 point) A company shuts down a risky public Wi-Fi network to remove exposure. Which strategy is applied?
a. Transfer
b. Accept
c. Mitigate
d. Avoid

40. (1 point) Installing intrusion detection systems reduces the likelihood of unnoticed attacks. Which strategy is this?
a. Accept
b. Transfer
c. Mitigate
d. Avoid

41. (1 point) Leadership recognizes that perfect security is impossible and decides to operate within an acceptable risk level. Which strategy does this reflect?
a. Mitigate
b. Transfer
c. Avoid
d. Accept

42. (1 point) A company signs a contract that shifts responsibility for data security to a cloud provider. Which strategy is this?
a. Transfer
b. Accept
c. Mitigate
d. Avoid

43. (1 point) A company conducts regular vulnerability scans to reduce the chance of exploitation. Which strategy does this demonstrate?
a. Avoid
b. Transfer
c. Accept
d. Mitigate

44. (1 point) A startup decides not to launch a risky mobile app due to security concerns. Which strategy is chosen?
a. Transfer
b. Avoid
c. Accept
d. Mitigate

45. (1 point) A company installs controls but still experiences minor exposure. They continue operating with awareness. Which strategy applies to that exposure?
a. Transfer
b. Avoid
c. Mitigate
d. Accept

46. (1 point) Updating software patches to reduce known vulnerabilities represents which strategy?
a. Accept
b. Mitigate
c. Avoid
d. Transfer

47. (1 point) A retailer uses a third-party payment processor to reduce direct breach responsibility. Which strategy is used?
a. Avoid
b. Transfer
c. Mitigate
d. Accept

48. (1 point) After evaluating risk, leadership decides to implement no additional controls because impact is minimal. Which strategy is this?
a. Accept
b. Mitigate
c. Avoid
d. Transfer

49. (1 point) Adding backup systems to reduce impact of system failure represents which strategy?
a. Mitigate
b. Accept
c. Transfer
d. Avoid

50. (1 point) A company eliminates remote access entirely due to repeated breaches. Which strategy is applied?
a. Transfer
b. Accept
c. Avoid
d. Mitigate