Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.


Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


Risk Identification, Monitoring and Analysis

Practice SSCP Risk Identification, Monitoring and Analysis questions with full explanations on every answer.

78 questions


All SSCP Risk Identification, Monitoring and Analysis questions (78)


1. A security analyst notices repeated failed login attempts from a single IP address on the VPN gateway. The analyst adjusts the threshold for account lockout and enables geo-IP blocking. This activity is part of which risk management process?

2. During a quarterly risk review, a hospital's security team identifies that legacy medical devices cannot be patched and run outdated operating systems. Which risk treatment strategy is most appropriate for these devices?

3. A SOC analyst reviews an alert for a user who downloaded a large amount of data from a sensitive database at 3:00 AM. The user's manager confirms the user was not on call. Which type of risk indicator is this activity best described as?

4. An organization wants to identify risks related to a new cloud-based customer relationship management (CRM) system. Which approach would best identify threats and vulnerabilities specific to this system?

5. After a security incident, the CISO asks for a report detailing which assets were affected, the attack vector, and the financial impact. Which of the following best describes this report?

6. A financial institution uses a quantitative risk analysis to evaluate a new online payment system. The asset value is $5 million, the exposure factor is 40%, and the annualized rate of occurrence (ARO) is 0.5. What is the annualized loss expectancy (ALE)?

7. A security team discovers that an employee's credentials were used to access the HR database from an unrecognized IP address in a foreign country. The employee is currently in the office. Which risk identification technique is most directly responsible for detecting this anomaly?

8. During a risk assessment, the team identifies that a critical database server is not included in the backup schedule. Which risk term best describes this condition?

9. Which TWO of the following are primary purposes of a risk register?

10. Which THREE of the following are common techniques for identifying risks?

11. Which TWO of the following are examples of key risk indicators (KRIs)?

12. Refer to the exhibit. A security analyst reviews these logs from a server. What immediate risk is most indicated by this log pattern?

13. Refer to the exhibit. A security engineer is reviewing an S3 bucket policy. Which risk is most directly introduced by this policy?

14. You are the security analyst for a mid-sized e-commerce company that processes credit card payments. The company uses a legacy payment application on a Windows Server 2012 R2 system, which is scheduled for decommission in six months. The server is isolated in a separate VLAN with strict firewall rules allowing only outbound HTTPS to the payment processor and inbound management from a jump box on a different subnet. During a routine vulnerability scan, you discover that the server is missing over 50 critical patches, including one for a remote code execution vulnerability (CVE-2023-XXXX) that is being actively exploited in the wild. The server cannot be patched because the vendor stopped support and patches are not available. The company's risk appetite is low due to PCI DSS requirements. You need to recommend a course of action that balances risk reduction with business continuity. What should you do?

15. You are a risk analyst at a healthcare organization. The organization recently deployed a new electronic health records (EHR) system. During the first month of operation, the IT helpdesk received multiple reports from doctors that the system becomes unresponsive for 10-15 seconds several times a day. The EHR vendor attributes this to insufficient database connection pooling, but the organization's system administrator notes that the database server's CPU and memory utilization never exceed 30%. The organization has a risk management policy that requires any system with availability <99.5% to be treated as a high risk. Based on initial data, the system has been unavailable for about 0.1% of the time (excluding planned maintenance). However, doctors report that the brief unresponsiveness is causing frustration and potential misdiagnosis due to interrupted workflows. You need to recommend a risk treatment approach. What should you do?

16. Drag and drop the steps to configure a static route on a Cisco IOS router into the correct order.

17. Drag and drop the steps for properly disposing of a hard drive containing sensitive data into the correct order.

18. Match each security control type to its example.

19. Match each security policy type to its purpose.

20. A security analyst notices a sudden increase in failed login attempts from a single IP address across multiple user accounts. Which risk response strategy is most appropriate to implement immediately?

21. During a quantitative risk analysis, the asset value is $500,000, the exposure factor is 40%, and the annual rate of occurrence is 0.5. What is the annualized loss expectancy (ALE)?

22. A company is implementing a risk monitoring program. Which of the following is the best key performance indicator (KPI) to measure the effectiveness of the vulnerability management process?

23. A system administrator receives an alert from the SIEM indicating a possible brute-force attack on a server. The logs show 100 failed logins in 2 minutes from a single source. Which of the following is the best immediate action to verify and respond?

24. In the context of risk assessment, which of the following best describes a vulnerability?

25. A security team is conducting a qualitative risk assessment for a new cloud application. They want to prioritize risks based on likelihood and impact. Which method should they use to combine these factors?

26. An organization has implemented a SIEM solution and wants to reduce false positives. Which of the following is the most effective approach?

27. Which of the following is the primary purpose of a risk register?

28. A company's risk management policy states that all risks with a residual risk score of 8 or higher (on a scale of 1-10) must be treated. A risk is identified with an inherent risk score of 9, and after applying controls, the residual risk score is 7. What is the appropriate action?

29. Which TWO of the following are key components of a Security Information and Event Management (SIEM) system? (Select two.)

30. Which THREE of the following are valid risk treatment options according to ISO 31000? (Select three.)

31. Which THREE of the following are common methods for identifying risks? (Select three.)

32. Given the exhibit, what is the most likely conclusion?

33. Based on the exhibit, what is the most appropriate immediate action?

34. A security analyst reviews the exhibit. The internal IP 10.0.0.1 is a web server, and 203.0.113.5 is an external IP. What is the most likely issue?

35. A security analyst notices repeated failed login attempts from a single IP address within a short time window. Which control should be implemented to automatically mitigate this behavior?

36. A company has deployed an intrusion detection system (IDS) that generates numerous false positives. Which approach would best reduce false positives while maintaining detection capability?

37. During a risk assessment, a team identifies that the annualized loss expectancy (ALE) for a critical asset is $50,000. A proposed control costs $15,000 per year and will reduce the annualized rate of occurrence (ARO) from 5 to 1. The single loss expectancy (SLE) is unchanged at $10,000. What is the net benefit of implementing the control?

38. A security analyst is reviewing vulnerability scan results and finds a critical vulnerability on a web server. The patch is available but requires a reboot. What should the analyst do first?

39. A company's log management solution is overwhelmed by high-volume logs from network devices, causing storage and analysis delays. Which strategy would best improve the efficiency of the log management process?

40. An organization uses a SIEM to correlate events. The SIEM receives Windows Security Event ID 4625 (failed login) and 4776 (credential validation). An analyst wants to detect a brute-force attack against a service account. Which correlation rule is most effective?

41. A risk manager is calculating the annualized loss expectancy (ALE) for a server. The single loss expectancy (SLE) is $5,000 and the annualized rate of occurrence (ARO) is 0.2. What is the ALE?

42. A security team is implementing a risk treatment plan for a high-risk vulnerability. The cost to fix the vulnerability is $100,000, but the expected loss if exploited is $1,000,000. The annual likelihood of exploitation is 2%. Which risk treatment strategy is most appropriate?

43. An analyst detects outbound traffic from a workstation to a known malicious IP address. The workstation is a developer machine with local admin rights. Which containment action should be taken first?

44. Which metric is used to measure the potential loss from a single occurrence of a risk?

45. Refer to the exhibit. The analyst sees this IDS alert. What is the most likely outcome if the target web application is vulnerable?

46. Refer to the exhibit. An analyst reviews the sshd log. What should be the immediate response?

47. Refer to the exhibit. During a security review, an analyst finds these firewall rules. Which recommendation should be made to reduce risk?

48. Which TWO of the following are key components of a risk assessment process?

49. Which THREE of the following are examples of detective controls?

50. Which THREE of the following are key elements of a security incident response plan?

51. A security analyst notices an increase in failed login attempts from a single IP address. What is the best immediate action?

52. During a vulnerability scan, a critical vulnerability is found on a publicly accessible web server. The server hosts a legacy application that cannot be patched immediately. What should the risk manager do first?

53. A company uses a SIEM to monitor security events. Recently, they are experiencing false positives from a new IDS rule. Which approach would best reduce false positives while maintaining detection?

54. An organization wants to perform a risk analysis for a new cloud application. Which quantitative metric is most commonly used to calculate risk?

55. A security team is conducting a penetration test. In which phase would they attempt to exploit vulnerabilities found during scanning?

56. An organization's risk register shows a high risk for phishing attacks. Which controls are considered detective controls for this risk?

57. A small business wants to identify vulnerabilities in its network. Which type of scan should they perform first to get an overview?

58. After a security incident, the CSIRT is conducting lessons learned. Which output is most directly used to update the risk management process?

59. A security analyst is reviewing logs and sees an alert for a known malware signature on an endpoint. Upon investigation, the file is identified as a false positive. What should the analyst do next?

60. Which TWO of the following are key components of a Business Impact Analysis (BIA)?

61. Which TWO of the following are examples of preventive controls for data leakage?

62. Which THREE of the following are common methods to identify risks in an organization?

63. Based on the exhibit, which conclusion is most likely?

64. Based on the exhibit, what is the most critical observation?

65. Based on the exhibit, which type of attack is most likely occurring?

66. A security team uses a risk matrix with likelihood (Low, Medium, High) and impact (Low, Medium, High). A vulnerability scan finds a buffer overflow in a customer-facing web application. The application is not critical but has high availability requirements. The likelihood of exploitation is considered Medium due to internal network segmentation. What is the risk level?

67. Which TWO of the following are key components of the risk identification process?

68. Which TWO of the following are effective methods for monitoring risk in real-time?

69. Which THREE of the following are key steps in performing a business impact analysis (BIA)?

70. You are the security analyst at a mid-sized retail company with 500 employees. The company recently experienced a ransomware attack that encrypted files on a file server. The infection was traced to a phishing email opened by an employee in accounting. The company has antivirus software, a firewall, and daily backups. After the incident, management wants to improve risk identification to prevent future attacks. Which of the following is the MOST effective first step to improve risk identification?

71. You work for a financial services firm that must comply with GDPR and PCI DSS. The company uses a cloud-based CRM to store customer data. The security team recently discovered that the CRM vendor had a data breach that exposed the company's customer records. An investigation shows that the breach occurred because the vendor did not have multi-factor authentication (MFA) enabled for administrative accounts. The contract with the vendor states that the vendor is responsible for security of their platform. However, your company had not conducted a risk assessment of the vendor before signing the contract. Management wants to improve risk identification for third-party relationships. Which of the following is the BEST long-term solution?

72. You are a security consultant for a hospital that is deploying a new IoT medical device system. The devices wirelessly transmit patient vital signs to a central server. The hospital is subject to HIPAA. The devices were developed by a startup and are not widely field-tested. The IT department wants to connect the devices to the existing network for real-time monitoring. The risk management team has identified potential threats including data interception, device tampering, and denial of service. They have no prior experience with IoT security. Which of the following risk treatment strategies is MOST appropriate given the high uncertainty?

73. A government agency requires all employees to use smart cards for network access. The security team notices a pattern of failed authentication attempts from a specific building after hours. The attempts occur every night at 2:00 AM for about 10 minutes. The building has a badge reader at the entrance. The team suspects an attacker is trying to brute-force smart card PINs. However, the building's door logs show no entry at that time. Which of the following should the security team do FIRST to identify the risk?

74. A small company uses a single firewall at the network perimeter. The security team receives alerts from an IDS but cannot correlate them with firewall logs because logs are stored on separate servers with different timestamps. The CEO wants to reduce false positives and improve incident response. What should the security team do first?

75. A financial institution uses a risk management framework based on ISO 31000. During a quarterly risk review, the risk manager identifies that the residual risk for a critical trading application remains high despite multiple controls. The application's risk score has not decreased after implementing two-factor authentication and encryption. The risk appetite statement says 'no high residual risk for systems processing transactions over $10M.' What should the risk manager do next?

76. Which TWO of the following are key indicators of a potential data exfiltration attempt?

77. Based on the exhibit, which type of attack is most likely being attempted?

78. A small financial services company has deployed a SIEM solution collecting logs from their firewall, web server, and domain controller. They also have an IDS monitoring the network perimeter. The security analyst receives an alert from the IDS indicating a potential exploit attempt against the web server from an external IP. The analyst checks the SIEM and sees that the firewall log shows the connection was allowed, but the web server log does not show any corresponding request. The domain controller logs show no abnormal activity. The company has a policy to immediately contain any confirmed threats. What should the analyst do first based on this information?


Frequently asked questions

What does the Risk Identification, Monitoring and Analysis domain cover on the SSCP exam?

The Risk Identification, Monitoring and Analysis domain covers the key concepts tested in this area of the SSCP exam blueprint published by ISC2. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all SSCP domains — no account required.

How many Risk Identification, Monitoring and Analysis questions are in the SSCP question bank?

The Courseiva SSCP question bank contains 78 questions in the Risk Identification, Monitoring and Analysis domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Risk Identification, Monitoring and Analysis for SSCP?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Risk Identification, Monitoring and Analysis questions for SSCP?

Yes — the session launcher on this page draws questions exclusively from the Risk Identification, Monitoring and Analysis domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
