Practice SSCP Risk Identification, Monitoring and Analysis questions with full explanations on every answer.
1. A security analyst notices repeated failed login attempts from a single IP address on the VPN gateway. The analyst adjusts the threshold for account lockout and enables geo-ip blocking. This activity is part of which risk management process?
2. During a quarterly risk review, a hospital's security team identifies that legacy medical devices cannot be patched and run outdated operating systems. Which risk treatment strategy is most appropriate for these devices?
3. A SOC analyst reviews an alert for a user who downloaded a large amount of data from a sensitive database at 3:00 AM. The user's manager confirms the user was not on call. Which type of risk indicator is this activity best described as?
4. An organization wants to identify risks related to a new cloud-based customer relationship management (CRM) system. Which approach would best identify threats and vulnerabilities specific to this system?
5. After a security incident, the CISO asks for a report detailing which assets were affected, the attack vector, and the financial impact. Which of the following best describes this report?
6. A financial institution uses a quantitative risk analysis to evaluate a new online payment system. The asset value is $5 million, the exposure factor is 40%, and the annualized rate of occurrence (ARO) is 0.5. What is the annualized loss expectancy (ALE)?
7. A security team discovers that an employee's credentials were used to access the HR database from an unrecognized IP address in a foreign country. The employee is currently in the office. Which risk identification technique is most directly responsible for detecting this anomaly?
8. During a risk assessment, the team identifies that a critical database server is not included in the backup schedule. Which risk term best describes this condition?
9. Which TWO of the following are primary purposes of a risk register?
10. Which THREE of the following are common techniques for identifying risks?
11. Which TWO of the following are examples of key risk indicators (KRIs)?
12. Refer to the exhibit. A security analyst reviews these logs from a server. What immediate risk is most indicated by this log pattern?
13. Refer to the exhibit. A security engineer is reviewing an S3 bucket policy. Which risk is most directly introduced by this policy?
14. You are the security analyst for a mid-sized e-commerce company that processes credit card payments. The company uses a legacy payment application on a Windows Server 2012 R2 system, which is scheduled for decommission in six months. The server is isolated in a separate VLAN with strict firewall rules allowing only outbound HTTPS to the payment processor and inbound management from a jump box on a different subnet. During a routine vulnerability scan, you discover that the server is missing over 50 critical patches, including one for a remote code execution vulnerability (CVE-2023-XXXX) that is being actively exploited in the wild. The server cannot be patched because the vendor stopped support and patches are not available. The company's risk appetite is low due to PCI DSS requirements. You need to recommend a course of action that balances risk reduction with business continuity. What should you do?
15. You are a risk analyst at a healthcare organization. The organization recently deployed a new electronic health records (EHR) system. During the first month of operation, the IT helpdesk received multiple reports from doctors that the system becomes unresponsive for 10-15 seconds several times a day. The EHR vendor attributes this to insufficient database connection pooling, but the organization's system administrator notes that the database server's CPU and memory utilization never exceed 30%. The organization has a risk management policy that requires any system with availability <99.5% to be treated as a high risk. Based on initial data, the system has been unavailable for about 0.1% of the time (excluding planned maintenance). However, doctors report that the brief unresponsiveness is causing frustration and potential misdiagnosis due to interrupted workflows. You need to recommend a risk treatment approach. What should you do?
16. Drag and drop the steps to configure a static route on a Cisco IOS router into the correct order.
17. Drag and drop the steps for properly disposing of a hard drive containing sensitive data into the correct order.
18. Match each security control type to its example.
19. Match each security policy type to its purpose.
20. A security analyst notices a sudden increase in failed login attempts from a single IP address across multiple user accounts. Which risk response strategy is most appropriate to implement immediately?
21. During a quantitative risk analysis, the asset value is $500,000, the exposure factor is 40%, and the annual rate of occurrence is 0.5. What is the annualized loss expectancy (ALE)?
22. A company is implementing a risk monitoring program. Which of the following is the best key performance indicator (KPI) to measure the effectiveness of the vulnerability management process?
23. A system administrator receives an alert from the SIEM indicating a possible brute-force attack on a server. The logs show 100 failed logins in 2 minutes from a single source. Which of the following is the best immediate action to verify and respond?
24. In the context of risk assessment, which of the following best describes a vulnerability?
25. A security team is conducting a qualitative risk assessment for a new cloud application. They want to prioritize risks based on likelihood and impact. Which method should they use to combine these factors?
26. An organization has implemented a SIEM solution and wants to reduce false positives. Which of the following is the most effective approach?
27. Which of the following is the primary purpose of a risk register?
28. A company's risk management policy states that all risks with a residual risk score of 8 or higher (on a scale of 1-10) must be treated. A risk is identified with an inherent risk score of 9, and after applying controls, the residual risk score is 7. What is the appropriate action?
29. Which TWO of the following are key components of a Security Information and Event Management (SIEM) system? (Select two.)
30. Which THREE of the following are valid risk treatment options according to ISO 31000? (Select three.)
31. Which THREE of the following are common methods for identifying risks? (Select three.)
32. Given the exhibit, what is the most likely conclusion?
33. Based on the exhibit, what is the most appropriate immediate action?
34. A security analyst reviews the exhibit. The internal IP 10.0.0.1 is a web server, and 203.0.113.5 is an external IP. What is the most likely issue?
35. A security analyst notices repeated failed login attempts from a single IP address within a short time window. Which control should be implemented to automatically mitigate this behavior?
36. A company has deployed an intrusion detection system (IDS) that generates numerous false positives. Which approach would best reduce false positives while maintaining detection capability?
37. During a risk assessment, a team identifies that the annualized loss expectancy (ALE) for a critical asset is $50,000. A proposed control costs $15,000 per year and will reduce the annualized rate of occurrence (ARO) from 5 to 1. The single loss expectancy (SLE) is unchanged at $10,000. What is the net benefit of implementing the control?
38. A security analyst is reviewing vulnerability scan results and finds a critical vulnerability on a web server. The patch is available but requires a reboot. What should the analyst do first?
39. A company's log management solution is overwhelmed by high-volume logs from network devices, causing storage and analysis delays. Which strategy would best improve the efficiency of the log management process?
40. An organization uses a SIEM to correlate events. The SIEM receives Windows Security Event ID 4625 (failed login) and 4776 (credential validation). An analyst wants to detect a brute-force attack against a service account. Which correlation rule is most effective?
41. A risk manager is calculating the annualized loss expectancy (ALE) for a server. The single loss expectancy (SLE) is $5,000 and the annualized rate of occurrence (ARO) is 0.2. What is the ALE?
42. A security team is implementing a risk treatment plan for a high-risk vulnerability. The cost to fix the vulnerability is $100,000, but the expected loss if exploited is $1,000,000. The annual likelihood of exploitation is 2%. Which risk treatment strategy is most appropriate?
43. An analyst detects outbound traffic from a workstation to a known malicious IP address. The workstation is a developer machine with local admin rights. Which containment action should be taken first?
44. Which metric is used to measure the potential loss from a single occurrence of a risk?
45. Refer to the exhibit. The analyst sees this IDS alert. What is the most likely outcome if the target web application is vulnerable?
46. Refer to the exhibit. An analyst reviews the sshd log. What should be the immediate response?
47. Refer to the exhibit. During a security review, an analyst finds these firewall rules. Which recommendation should be made to reduce risk?
48. Which TWO of the following are key components of a risk assessment process?
49. Which THREE of the following are examples of detective controls?
50. Which THREE of the following are key elements of a security incident response plan?
51. A security analyst notices an increase in failed login attempts from a single IP address. What is the best immediate action?
52. During a vulnerability scan, a critical vulnerability is found on a publicly accessible web server. The server hosts a legacy application that cannot be patched immediately. What should the risk manager do first?
53. A company uses a SIEM to monitor security events. Recently, they are experiencing false positives from a new IDS rule. Which approach would best reduce false positives while maintaining detection?
54. An organization wants to perform a risk analysis for a new cloud application. Which quantitative metric is most commonly used to calculate risk?
55. A security team is conducting a penetration test. In which phase would they attempt to exploit vulnerabilities found during scanning?
56. An organization's risk register shows a high risk for phishing attacks. Which controls are considered detective controls for this risk?
57. A small business wants to identify vulnerabilities in its network. Which type of scan should they perform first to get an overview?
58. After a security incident, the CSIRT is conducting lessons learned. Which output is most directly used to update the risk management process?
59. A security analyst is reviewing logs and sees an alert for a known malware signature on an endpoint. Upon investigation, the file is identified as a false positive. What should the analyst do next?
60. Which TWO of the following are key components of a Business Impact Analysis (BIA)?
61. Which TWO of the following are examples of preventive controls for data leakage?
62. Which THREE of the following are common methods to identify risks in an organization?
63. Based on the exhibit, which conclusion is most likely?
64. Based on the exhibit, what is the most critical observation?
65. Based on the exhibit, which type of attack is most likely occurring?
66. A security team uses a risk matrix with likelihood (Low, Medium, High) and impact (Low, Medium, High). A vulnerability scan finds a buffer overflow in a customer-facing web application. The application is not critical but has high availability requirements. The likelihood of exploitation is considered Medium due to internal network segmentation. What is the risk level?
67. Which TWO of the following are key components of the risk identification process?
68. Which TWO of the following are effective methods for monitoring risk in real-time?
69. Which THREE of the following are key steps in performing a business impact analysis (BIA)?
70. You are the security analyst at a mid-sized retail company with 500 employees. The company recently experienced a ransomware attack that encrypted files on a file server. The infection was traced to a phishing email opened by an employee in accounting. The company has antivirus software, a firewall, and daily backups. After the incident, management wants to improve risk identification to prevent future attacks. Which of the following is the MOST effective first step to improve risk identification?
71. You work for a financial services firm that must comply with GDPR and PCI DSS. The company uses a cloud-based CRM to store customer data. The security team recently discovered that the CRM vendor had a data breach that exposed the company's customer records. An investigation shows that the breach occurred because the vendor did not have multi-factor authentication (MFA) enabled for administrative accounts. The contract with the vendor states that the vendor is responsible for security of their platform. However, your company had not conducted a risk assessment of the vendor before signing the contract. Management wants to improve risk identification for third-party relationships. Which of the following is the BEST long-term solution?
72. You are a security consultant for a hospital that is deploying a new IoT medical device system. The devices wirelessly transmit patient vital signs to a central server. The hospital is subject to HIPAA. The devices were developed by a startup and are not widely field-tested. The IT department wants to connect the devices to the existing network for real-time monitoring. The risk management team has identified potential threats including data interception, device tampering, and denial of service. They have no prior experience with IoT security. Which of the following risk treatment strategies is MOST appropriate given the high uncertainty?
73. A government agency requires all employees to use smart cards for network access. The security team notices a pattern of failed authentication attempts from a specific building after hours. The attempts occur every night at 2:00 AM for about 10 minutes. The building has a badge reader at the entrance. The team suspects an attacker is trying to brute-force smart card PINs. However, the building's door logs show no entry at that time. Which of the following should the security team do FIRST to identify the risk?
74. A small company uses a single firewall at the network perimeter. The security team receives alerts from an IDS but cannot correlate them with firewall logs because logs are stored on separate servers with different timestamps. The CEO wants to reduce false positives and improve incident response. What should the security team do first?
75. A financial institution uses a risk management framework based on ISO 31000. During a quarterly risk review, the risk manager identifies that the residual risk for a critical trading application remains high despite multiple controls. The application's risk score has not decreased after implementing two-factor authentication and encryption. The risk appetite statement says 'no high residual risk for systems processing transactions over $10M.' What should the risk manager do next?
76. Which TWO of the following are key indicators of a potential data exfiltration attempt?
77. Based on the exhibit, which type of attack is most likely being attempted?
78. A small financial services company has deployed a SIEM solution collecting logs from their firewall, web server, and domain controller. They also have an IDS monitoring the network perimeter. The security analyst receives an alert from the IDS indicating a potential exploit attempt against the web server from an external IP. The analyst checks the SIEM and sees that the firewall log shows the connection was allowed, but the web server log does not show any corresponding request. The domain controller logs show no abnormal activity. The company has a policy to immediately contain any confirmed threats. What should the analyst do first based on this information?
The Risk Identification, Monitoring and Analysis domain covers the key concepts tested in this area of the SSCP exam blueprint published by ISC2. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all SSCP domains — no account required.
The Courseiva SSCP question bank contains 78 questions in the Risk Identification, Monitoring and Analysis domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
The session launcher on this page draws questions exclusively from the Risk Identification, Monitoring and Analysis domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.