© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.


Risk Identification, Monitoring, and Analysis

Practice SSCP Risk Identification, Monitoring, and Analysis questions with full explanations on every answer.

74 questions


All SSCP Risk Identification, Monitoring, and Analysis questions (74)


Click any question to see the full explanation and answer options, or start a focused practice session above.

1

A security analyst is reviewing logs and notices multiple failed login attempts for a user account, followed by a successful login from an unfamiliar IP address at 3:00 AM. Which type of risk is most directly indicated by this scenario?

2

In a qualitative risk analysis, a risk is assigned a probability of 'High' and an impact of 'Medium'. According to common probability/impact matrices, what is the overall risk rating?

3

An organization calculates the SLE for a server as $5,000 and the ARO as 0.2. What is the ALE?

4

During a vulnerability scan, a security analyst discovers that several workstations are missing critical security patches. The organization decides to implement a compensating control by restricting network access to these workstations until patches are applied. Which risk response strategy is being used?

5

Which type of IDS uses a baseline of normal behavior to detect anomalies?

6

A security team implements a SIEM solution to collect logs from firewalls, servers, and workstations. They create a correlation rule that triggers an alert when a single user logs in from more than three different geographic locations within one hour. This is an example of which detection method?

7

An organization uses User Behavior Analytics (UBA) to detect insider threats. Which of the following activities would most likely trigger an alert for a compromised account?

8

A vulnerability management program requires that critical vulnerabilities be remediated within 72 hours. A scanner identifies a critical vulnerability on a server, but after patching, the scanner still reports it as vulnerable. What is the most likely cause?

9

Which of the following is a vulnerability source explicitly based on publicly known flaws?

10

A company stores log files on a dedicated log server. To ensure log integrity, they implement a solution where logs are written to a WORM (Write Once, Read Many) device. Which property does this primarily protect?

11

After a security incident, the incident response team needs to analyze logs from multiple sources to reconstruct the timeline. The SIEM retains logs for 90 days, but the incident occurred 120 days ago. Which action should the organization have taken to ensure log availability?

12

An organization decides to implement CIS Benchmarks on all Windows servers. They choose Level 1 settings. What does Level 1 represent?

13

A security analyst is reviewing SIEM alerts and wants to identify potential data exfiltration. Which TWO of the following indicators are most relevant?

14

An organization is implementing a new vulnerability management program. The CISO wants to establish remediation SLAs based on risk severity. Which THREE of the following are commonly recommended SLAs?

15

A security manager is evaluating log sources for a SIEM implementation. Which THREE of the following are considered log types that should be included?

16

A security analyst is reviewing logs and notices multiple failed login attempts from a single IP address against an administrative account. The SIEM has not generated an alert. Which configuration change would best detect this scenario?

17

During a qualitative risk analysis, an organization rates the likelihood of a flood as 'Low' and the impact as 'High'. Using a standard 3x3 risk matrix, what is the overall risk rating?

18

An organization is calculating the Annualized Loss Expectancy (ALE) for a server. The Asset Value (AV) is $50,000, the Exposure Factor (EF) is 40%, and the Annualized Rate of Occurrence (ARO) is 0.5. What is the Single Loss Expectancy (SLE) and ALE?

19

A company has implemented a new vulnerability scanner and the first scan reports 200 vulnerabilities. The security team needs to prioritize remediation. Which approach should they use first?

20

Which of the following is a technical threat source that could lead to a security breach?

21

A security analyst is tuning a SIEM to reduce false positives. Which of the following actions is most likely to reduce false positives while maintaining detection of real threats?

22

During a vulnerability scan, a tool reports a critical vulnerability on a web server. The system owner claims it is a false positive because the server is not accessible from the internet. However, the server is accessible from the internal network. What is the best course of action?

23

A company wants to implement a security baseline for its Windows servers. Which of the following frameworks is most commonly used for this purpose?

24

Which type of IDS monitors network traffic at a specific network segment and analyzes packets for malicious patterns?

25

An organization wants to detect insider threats by identifying abnormal user behavior. Which technology is best suited for this purpose?

26

A security manager needs to comply with PCI DSS requirement 11.2, which mandates quarterly vulnerability scans. The company uses an external Qualified Security Assessor (QSA) for the quarterly scans. However, the internal team also performs continuous scanning. Which of the following best describes the required scan frequency?

27

During a risk assessment, a company identifies that a legacy system cannot be patched due to vendor end-of-life. The system is critical to operations. Which risk response strategy is most appropriate initially?

28

A security analyst is reviewing logs for signs of data exfiltration. Which TWO log sources would provide the most relevant evidence? (Choose TWO.)

29

A company is implementing a new SIEM. Which THREE factors are most important to ensure log integrity and usefulness for forensic investigations? (Choose THREE.)

30

Which TWO of the following are examples of vulnerability sources? (Choose TWO.)

31

A security analyst is reviewing logs from a SIEM and notices multiple failed login attempts for a privileged account from an IP address in a foreign country, followed by a successful login after hours. Which type of security monitoring tool would be most effective at detecting this pattern as anomalous behavior based on user baseline?

32

During a qualitative risk analysis, an organization assesses a threat of a data breach due to weak encryption. The likelihood is rated as 'Medium' and the impact as 'High'. According to a standard 3x3 risk matrix, what is the overall risk rating?

33

An organization experiences a ransomware attack that encrypts file servers. The annualized loss expectancy (ALE) for this risk is calculated as $150,000. The single loss expectancy (SLE) is $30,000. What is the annualized rate of occurrence (ARO)?

34

A security team identifies a vulnerability in a web application that allows SQL injection. Which risk response strategy involves implementing input validation and parameterized queries to reduce the risk to an acceptable level?

35

After implementing security controls, a risk assessment shows that a residual risk of data exfiltration remains. Which document should formally record this residual risk and the decision to accept it?

36

A company's vulnerability scanner reports a critical vulnerability in a third-party library. The remediation SLA for critical vulnerabilities is 48 hours. However, the patch is not yet available from the vendor. Which of the following is the most appropriate immediate action?

37

A security analyst is configuring a SIEM to detect data exfiltration. Which of the following correlation rules would best identify potential data exfiltration via DNS tunneling?

38

A security engineer is reviewing system logs and notices that the log file size has not changed for several days, despite high system activity. Which log management concern does this indicate?

39

Which of the following is a primary purpose of implementing a security baseline such as the CIS Benchmarks?

40

A vulnerability scan identifies a critical flaw in a web server. The server is currently in production and cannot be patched immediately due to compatibility issues. The risk response chosen is to implement a web application firewall (WAF) rule to block exploitation attempts. This is an example of which risk response?

41

A security analyst is tuning a SIEM and needs to reduce false positives from a rule that alerts on failed logins. The rule currently triggers on any single failed login. Which modification would best reduce false positives while still detecting brute-force attacks?

42

Which type of IDS uses a database of known attack patterns to identify malicious activity?

43

A company's security policy requires that all logs be stored in a write-once, read-many (WORM) format. What is the primary security objective of this requirement?

44

An organization decides to outsource its data center operations to a cloud provider. The cloud provider is responsible for physical security and hardware maintenance. This is an example of which risk response strategy?

45

A vulnerability scanner reports a medium-severity finding on a server. After investigation, the security team determines that the vulnerability is not exploitable due to existing compensating controls. How should this finding be classified in the vulnerability management process?

46

A security analyst is configuring a SIEM to detect potential insider threats. Which TWO of the following data sources would be most relevant for detecting an employee exfiltrating sensitive data via email?

47

During a risk assessment, a bank identifies the following threats: flood, phishing attack, hardware failure, and power outage. Which TWO of these are considered environmental threat sources?

48

A security team is implementing a vulnerability management program. According to industry best practices, which THREE of the following are essential components of a mature vulnerability management process?

49

During a qualitative risk analysis, an organization assigns a risk rating of 'High' for a specific threat. Which combination of factors most directly leads to this rating?

50

An organization's risk register lists a vulnerability with an annualized loss expectancy (ALE) of $50,000. The cost of implementing a mitigation control is $40,000 with an expected lifespan of 5 years. The control is expected to reduce the ALE by 80%. What is the net present value (NPV) of implementing this control over 5 years, assuming a discount rate of 5%? (Ignore residual risk for simplicity.)

51

A security analyst notices a large number of failed login attempts from a single IP address targeting multiple user accounts within a short time frame. Which type of detection method in a SIEM would most effectively identify this pattern?

52

Which of the following is a primary purpose of a security baseline, such as the CIS Benchmarks?

53

An organization is required to maintain audit logs for at least one year for compliance purposes. Which log management practice best ensures the integrity of these logs?

54

A vulnerability scan identifies a critical vulnerability with a CVSS score of 9.8. According to standard remediation SLAs, within what timeframe should this vulnerability typically be remediated?

55

Which of the following is a key advantage of using a behavior-based detection approach in a User and Entity Behavior Analytics (UEBA) system?

56

During a risk assessment, a team identifies that a legacy application cannot be patched due to vendor end-of-life. The business decides to continue using the application but implement compensating controls such as network segmentation and strict access controls. This risk response strategy is best classified as:

57

Which of the following is a common vulnerability source that would be documented in a risk register?

58

An organization uses a network-based intrusion detection system (NIDS). An analyst receives an alert for a known exploit signature. Which type of detection is the NIDS using?

59

A company is preparing for a PCI DSS assessment. According to PCI DSS requirements, how frequently must internal vulnerability scans be performed?

60

Which term describes the risk that remains after implementing risk mitigation controls?

61

Which TWO of the following are common techniques used in quantitative risk analysis?

62

A SIEM correlation rule triggers when an administrative account logs in after hours and subsequently performs a bulk export of a customer database. Which THREE threat types does this scenario most likely indicate?

63

Which TWO of the following are examples of technical threat sources that should be considered during risk identification?

64

An organization's web application experienced a data breach due to a SQL injection vulnerability. During the risk analysis phase, the security team calculated the SLE as $25,000 and the ARO as 0.5. What is the ALE?

65

A security analyst notices repeated failed login attempts from a single IP address targeting a domain controller. The SIEM alerts after 10 failed attempts within 5 minutes. Which detection type is most likely used?

66

During a risk assessment, a company identifies that a legacy system has a known CVE with a CVSS score of 9.8. The system is critical but cannot be patched immediately. The management decides to implement strict network segmentation and monitor the system continuously. This risk response is best described as:

67

A security analyst is reviewing logs and notices that an application log shows an error message indicating 'unhandled exception' followed by a stack trace. This log is most likely categorized as which type?

68

A vulnerability scanner identifies a high-severity vulnerability in a web server that is exposed to the internet. According to common remediation SLAs, what is the typical timeframe to remediate a critical vulnerability?

69

After implementing a new IDS, the security team receives numerous alerts about legitimate traffic being flagged as malicious. This phenomenon is known as:

70

A company's security policy requires that all servers be hardened according to CIS Level 1 benchmarks. During an audit, it is discovered that a server has password complexity settings that exceed Level 1 requirements. Which of the following is the most appropriate action?

71

A security analyst is configuring a SIEM to detect potential data exfiltration. Which TWO log sources are most critical for detecting large outbound data transfers?

72

A security team is implementing User Behavior Analytics (UBA) to detect insider threats. Which THREE types of activities would most likely indicate a compromised account?

73

An organization is developing a risk register. Which TWO elements are essential for each risk entry?

74

A vulnerability management team is scanning a network. Which THREE factors should be considered to minimize false positives?


Frequently asked questions

What does the Risk Identification, Monitoring, and Analysis domain cover on the SSCP exam?

The Risk Identification, Monitoring, and Analysis domain covers the key concepts tested in this area of the SSCP exam blueprint published by ISC2. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all SSCP domains — no account required.

How many Risk Identification, Monitoring, and Analysis questions are in the SSCP question bank?

The Courseiva SSCP question bank contains 74 questions in the Risk Identification, Monitoring, and Analysis domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Risk Identification, Monitoring, and Analysis for SSCP?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Risk Identification, Monitoring, and Analysis questions for SSCP?

Yes — the session launcher on this page draws questions exclusively from the Risk Identification, Monitoring, and Analysis domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
