Practice SSCP Risk Identification, Monitoring, and Analysis questions with full explanations on every answer.
1. A security analyst is reviewing logs and notices multiple failed login attempts for a user account, followed by a successful login from an unfamiliar IP address at 3:00 AM. Which type of risk is most directly indicated by this scenario?
2. In a qualitative risk analysis, a risk is assigned a probability of 'High' and an impact of 'Medium'. According to common probability/impact matrices, what is the overall risk rating?
3. An organization calculates the SLE for a server as $5,000 and the ARO as 0.2. What is the ALE?
4. During a vulnerability scan, a security analyst discovers that several workstations are missing critical security patches. The organization decides to implement a compensating control by restricting network access to these workstations until patches are applied. Which risk response strategy is being used?
5. Which type of IDS uses a baseline of normal behavior to detect anomalies?
6. A security team implements a SIEM solution to collect logs from firewalls, servers, and workstations. They create a correlation rule that triggers an alert when a single user logs in from more than three different geographic locations within one hour. This is an example of which detection method?
7. An organization uses User Behavior Analytics (UBA) to detect insider threats. Which of the following activities would most likely trigger an alert for a compromised account?
8. A vulnerability management program requires that critical vulnerabilities be remediated within 72 hours. A scanner identifies a critical vulnerability on a server, but after patching, the scanner still reports it as vulnerable. What is the most likely cause?
9. Which of the following is a vulnerability source explicitly based on publicly known flaws?
10. A company stores log files on a dedicated log server. To ensure log integrity, they implement a solution where logs are written to a WORM (Write Once, Read Many) device. Which property does this primarily protect?
11. After a security incident, the incident response team needs to analyze logs from multiple sources to reconstruct the timeline. The SIEM retains logs for 90 days, but the incident occurred 120 days ago. Which action should the organization have taken to ensure log availability?
12. An organization decides to implement CIS Benchmarks on all Windows servers. They choose Level 1 settings. What does Level 1 represent?
13. A security analyst is reviewing SIEM alerts and wants to identify potential data exfiltration. Which TWO of the following indicators are most relevant?
14. An organization is implementing a new vulnerability management program. The CISO wants to establish remediation SLAs based on risk severity. Which THREE of the following are commonly recommended SLAs?
15. A security manager is evaluating log sources for a SIEM implementation. Which THREE of the following are log types that should be included?
16. A security analyst is reviewing logs and notices multiple failed login attempts from a single IP address against an administrative account. The SIEM has not generated an alert. Which configuration change would best detect this scenario?
17. During a qualitative risk analysis, an organization rates the likelihood of a flood as 'Low' and the impact as 'High'. Using a standard 3x3 risk matrix, what is the overall risk rating?
18. An organization is calculating the Annualized Loss Expectancy (ALE) for a server. The Asset Value (AV) is $50,000, the Exposure Factor (EF) is 40%, and the Annualized Rate of Occurrence (ARO) is 0.5. What are the Single Loss Expectancy (SLE) and the ALE?
19. A company has implemented a new vulnerability scanner and the first scan reports 200 vulnerabilities. The security team needs to prioritize remediation. Which approach should they use first?
20. Which of the following is a technical threat source that could lead to a security breach?
21. A security analyst is tuning a SIEM to reduce false positives. Which of the following actions is most likely to reduce false positives while maintaining detection of real threats?
22. During a vulnerability scan, a tool reports a critical vulnerability on a web server. The system owner claims it is a false positive because the server is not accessible from the internet. However, the server is accessible from the internal network. What is the best course of action?
23. A company wants to implement a security baseline for its Windows servers. Which of the following frameworks is most commonly used for this purpose?
24. Which type of IDS monitors network traffic at a specific network segment and analyzes packets for malicious patterns?
25. An organization wants to detect insider threats by identifying abnormal user behavior. Which technology is best suited for this purpose?
26. A security manager needs to comply with PCI DSS requirement 11.2, which mandates quarterly vulnerability scans. The company uses an external Approved Scanning Vendor (ASV) for the quarterly external scans. However, the internal team also performs continuous scanning. Which of the following best describes the required scan frequency?
27. During a risk assessment, a company identifies that a legacy system cannot be patched due to vendor end-of-life. The system is critical to operations. Which risk response strategy is most appropriate initially?
28. A security analyst is reviewing logs for signs of data exfiltration. Which TWO log sources would provide the most relevant evidence? (Choose TWO.)
29. A company is implementing a new SIEM. Which THREE factors are most important to ensure log integrity and usefulness for forensic investigations? (Choose THREE.)
30. Which TWO of the following are examples of vulnerability sources? (Choose TWO.)
31. A security analyst is reviewing logs from a SIEM and notices multiple failed login attempts for a privileged account from an IP address in a foreign country, followed by a successful login after hours. Which type of security monitoring tool would be most effective at detecting this pattern as anomalous behavior based on a user baseline?
32. During a qualitative risk analysis, an organization assesses the threat of a data breach due to weak encryption. The likelihood is rated as 'Medium' and the impact as 'High'. According to a standard 3x3 risk matrix, what is the overall risk rating?
33. An organization experiences a ransomware attack that encrypts file servers. The annualized loss expectancy (ALE) for this risk is calculated as $150,000. The single loss expectancy (SLE) is $30,000. What is the annualized rate of occurrence (ARO)?
34. A security team identifies a vulnerability in a web application that allows SQL injection. Which risk response strategy involves implementing input validation and parameterized queries to reduce the risk to an acceptable level?
35. After implementing security controls, a risk assessment shows that a residual risk of data exfiltration remains. Which document should formally record this residual risk and the decision to accept it?
36. A company's vulnerability scanner reports a critical vulnerability in a third-party library. The remediation SLA for critical vulnerabilities is 48 hours. However, the patch is not yet available from the vendor. Which of the following is the most appropriate immediate action?
37. A security analyst is configuring a SIEM to detect data exfiltration. Which of the following correlation rules would best identify potential data exfiltration via DNS tunneling?
38. A security engineer is reviewing system logs and notices that the log file size has not changed for several days, despite high system activity. Which log management concern does this indicate?
39. Which of the following is a primary purpose of implementing a security baseline such as the CIS Benchmarks?
40. A vulnerability scan identifies a critical flaw in a web server. The server is currently in production and cannot be patched immediately due to compatibility issues. The risk response chosen is to implement a web application firewall (WAF) rule to block exploitation attempts. This is an example of which risk response?
41. A security analyst is tuning a SIEM and needs to reduce false positives from a rule that alerts on failed logins. The rule currently triggers on any single failed login. Which modification would best reduce false positives while still detecting brute-force attacks?
42. Which type of IDS uses a database of known attack patterns to identify malicious activity?
43. A company's security policy requires that all logs be stored in a write-once, read-many (WORM) format. What is the primary security objective of this requirement?
44. An organization decides to outsource its data center operations to a cloud provider. The cloud provider is responsible for physical security and hardware maintenance. This is an example of which risk response strategy?
45. A vulnerability scanner reports a medium-severity finding on a server. After investigation, the security team determines that the vulnerability is not exploitable due to existing compensating controls. How should this finding be classified in the vulnerability management process?
46. A security analyst is configuring a SIEM to detect potential insider threats. Which TWO of the following data sources would be most relevant for detecting an employee exfiltrating sensitive data via email?
47. During a risk assessment, a bank identifies the following threats: flood, phishing attack, hardware failure, and power outage. Which TWO of these are considered environmental threat sources?
48. A security team is implementing a vulnerability management program. According to industry best practices, which THREE of the following are essential components of a mature vulnerability management process?
49. During a qualitative risk analysis, an organization assigns a risk rating of 'High' for a specific threat. Which combination of factors most directly leads to this rating?
50. An organization's risk register lists a vulnerability with an annualized loss expectancy (ALE) of $50,000. The cost of implementing a mitigation control is $40,000 with an expected lifespan of 5 years. The control is expected to reduce the ALE by 80%. What is the net present value (NPV) of implementing this control over 5 years, assuming a discount rate of 5%? (Ignore residual risk for simplicity.)
51. A security analyst notices a large number of failed login attempts from a single IP address targeting multiple user accounts within a short time frame. Which type of detection method in a SIEM would most effectively identify this pattern?
52. Which of the following is a primary purpose of a security baseline, such as the CIS Benchmarks?
53. An organization is required to maintain audit logs for at least one year for compliance purposes. Which log management practice best ensures the integrity of these logs?
54. A vulnerability scan identifies a critical vulnerability with a CVSS score of 9.8. According to standard remediation SLAs, within what timeframe should this vulnerability typically be remediated?
55. Which of the following is a key advantage of using a behavior-based detection approach in a User and Entity Behavior Analytics (UEBA) system?
56. During a risk assessment, a team identifies that a legacy application cannot be patched due to vendor end-of-life. The business decides to continue using the application but implement compensating controls such as network segmentation and strict access controls. This risk response strategy is best classified as:
57. Which of the following is a common vulnerability source that would be documented in a risk register?
58. An organization uses a network-based intrusion detection system (NIDS). An analyst receives an alert for a known exploit signature. Which type of detection is the NIDS using?
59. A company is preparing for a PCI DSS assessment. According to PCI DSS requirements, how frequently must internal vulnerability scans be performed?
60. Which term describes the risk that remains after implementing risk mitigation controls?
61. Which TWO of the following are common techniques used in quantitative risk analysis?
62. A SIEM correlation rule triggers when an administrative account logs in after hours and subsequently performs a bulk export of a customer database. Which THREE threat types does this scenario most likely indicate?
63. Which TWO of the following are examples of technical threat sources that should be considered during risk identification?
64. An organization's web application experienced a data breach due to a SQL injection vulnerability. During the risk analysis phase, the security team calculated the SLE as $25,000 and the ARO as 0.5. What is the ALE?
65. A security analyst notices repeated failed login attempts from a single IP address targeting a domain controller. The SIEM alerts after 10 failed attempts within 5 minutes. Which detection type is most likely used?
66. During a risk assessment, a company identifies that a legacy system has a known CVE with a CVSS score of 9.8. The system is critical but cannot be patched immediately. Management decides to implement strict network segmentation and monitor the system continuously. This risk response is best described as:
67. A security analyst is reviewing logs and notices that an application log shows an error message indicating 'unhandled exception' followed by a stack trace. This log is most likely categorized as which type?
68. A vulnerability scanner identifies a critical-severity vulnerability in a web server that is exposed to the internet. According to common remediation SLAs, what is the typical timeframe to remediate a critical vulnerability?
69. After implementing a new IDS, the security team receives numerous alerts about legitimate traffic being flagged as malicious. This phenomenon is known as:
70. A company's security policy requires that all servers be hardened according to CIS Level 1 benchmarks. During an audit, it is discovered that a server has password complexity settings that exceed Level 1 requirements. Which of the following is the most appropriate action?
71. A security analyst is configuring a SIEM to detect potential data exfiltration. Which TWO log sources are most critical for detecting large outbound data transfers?
72. A security team is implementing User Behavior Analytics (UBA) to detect insider threats. Which THREE types of activities would most likely indicate a compromised account?
73. An organization is developing a risk register. Which TWO elements are essential for each risk entry?
74. A vulnerability management team is scanning a network. Which THREE factors should be considered to minimize false positives?
The Risk Identification, Monitoring, and Analysis domain covers the key concepts tested in this area of the SSCP exam blueprint published by ISC2. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all SSCP domains — no account required.
The Courseiva SSCP question bank contains 74 questions in the Risk Identification, Monitoring, and Analysis domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
The session launcher on this page draws questions exclusively from the Risk Identification, Monitoring, and Analysis domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.