Question 686 of 1,152
Security Program Management and Oversight · medium · Multiple Choice · Objective-mapped

Quick Answer

The answer is Risk A, the internet-facing login page with active attack interest, because it combines public exposure with confirmed attacker behavior. In risk prioritization, the likelihood of exploitation often outweighs raw severity when an asset is already under active reconnaissance or credential-stuffing attempts, as the steady increase in automated logins signals a clear and present threat. This scenario tests your understanding of the Security+ SY0-701 objective on risk assessment, where you must prioritize risks based on active attack interest and exposure rather than relying solely on CVSS scores. A common trap is to fixate on severity labels—like medium versus low—while ignoring the reality that an internet-facing system under fire is far more likely to be breached than an internal share with no observed exploitation. Remember the mnemonic: “Exposure plus action beats severity and inaction.”

SY0-701 Security Program Management and Oversight Practice Question

This SY0-701 practice question tests your understanding of security program management and oversight. Read the scenario carefully and evaluate each option against the stated constraints before committing to an answer. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

A hospital's claims portal has two open risks. Risk A is an internet-facing login page with a low-severity software flaw, but monitoring shows a steady increase in automated login attempts. Risk B is an internal file share with a medium-severity patch gap, but only a small admin group can access it and no exploitation is observed. Leadership can fund only one remediation this month. Which risk should be prioritized first?

Clue words in this question

Noticing these words before you look at the options changes how you read each choice.

  • Clue: "first"

    Why it matters: Order matters here. You are being tested on which action comes before the others — not which action is generally useful.

Why each option matters

Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.

Correct answer & explanation

Prioritize Risk A because it is exposed to the internet and already shows active attack interest.

Risk A should be prioritized because the internet-facing login page is exposed to the public attack surface, and the steady increase in automated login attempts indicates active reconnaissance or credential-stuffing attacks. Even though the software flaw is low severity, the combination of internet exposure and active attacker interest significantly elevates the likelihood of exploitation, making it a higher priority than an internal file share with no observed exploitation.

Key principle: answer the scenario, not the keyword. Identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • Prioritize Risk A because it is exposed to the internet and already shows active attack interest.

    Why this is correct

    Risk A has the higher overall business risk because exposure and observed attack activity raise the likelihood of exploitation. Even if the flaw is rated low severity, an internet-facing system is more likely to be targeted quickly and broadly. Prioritization should consider both impact and likelihood, not severity alone. Addressing the public login page first reduces the chance of a successful compromise across a high-value service.

    Clue confirmation

    The clue word "first" in the question points toward this answer.

    Related concept

    Read the scenario before looking for a memorised answer.

  • Prioritize Risk B because a medium-severity flaw is always more important than a low-severity flaw.

    Why it's wrong here

    Severity alone does not determine priority. A medium-severity issue on a restricted internal share may present less immediate risk than an externally exposed system with active attack attempts. Risk decisions should weigh exposure, likelihood, and business impact together. This choice ignores those factors and overvalues the label on the vulnerability.

  • Accept Risk A because no confirmed compromise has occurred yet.

    Why it's wrong here

    Risk acceptance is appropriate only when leadership knowingly tolerates the remaining exposure after considering likelihood, impact, and cost. Here, active probing on an internet-facing application suggests the risk is not yet under control. Accepting it without remediation would be weak risk management and could leave a critical service exposed to attack.

  • Transfer Risk A to an insurer because public-facing exposure cannot be reduced.

    Why it's wrong here

    Insurance may help with financial loss, but it does not reduce the chance of compromise or protect the service itself. The issue needs operational remediation first, such as patching, hardening, or other mitigation. Transfer is not a substitute for handling a likely attack path on a public system.

Common exam traps

Common exam trap: answer the scenario, not the keyword

The trap here is that candidates fixate on severity ratings (low vs. medium) without considering the risk equation, especially the critical factor of active attack interest and internet exposure, which the SY0-701 exam emphasizes in the context of threat intelligence and attack surface management.

Detailed technical explanation

How to think about this question

In risk management, the formula Risk = Likelihood × Impact is used. For Risk A, likelihood is high because of internet exposure and the automated login attempts (visible, for example, as HTTP 401/403 responses or CAPTCHA triggers); for Risk B, likelihood is low because the internal file share sits behind network segmentation (e.g., VLAN ACLs or firewall rules) and only a small admin group has access. Real-world scenarios like the 2021 Colonial Pipeline attack show that internet-facing systems with low-severity flaws can become entry points for ransomware when combined with credential stuffing or brute force, whereas internal patches can often be deferred if compensating controls (e.g., MFA, strict ACLs) are in place.
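To make the Risk = Likelihood × Impact reasoning concrete, here is an added Python example (not part of the original page or of any exam material) that scores the two risks from the scenario and contrasts the result with a severity-only ranking; the scoring weights, the trend threshold and the daily login counts are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample telemetry (not from the page): daily failed logins (HTTP 401) on
# the internet-facing login page, and exploitation events seen on the internal share.
RISK_A_FAILED_LOGINS_PER_DAY = [120, 150, 210, 260, 340, 410, 520]
RISK_B_EXPLOIT_EVENTS_PER_DAY = [0, 0, 0, 0, 0, 0, 0]
SEVERITY_IMPACT = {"low": 1, "medium": 2, "high": 3, "critical": 4}

def active_attack_interest(daily_counts, min_growth=1.5):
    """Flag a 'steady increase': counts never fall day over day and the window
    ends at least min_growth times where it started (hypothetical threshold)."""
    if not daily_counts or daily_counts[-1] == 0:
        return False
    rising = all(b >= a for a, b in zip(daily_counts, daily_counts[1:]))
    return rising and daily_counts[-1] >= min_growth * max(daily_counts[0], 1)

def likelihood(internet_facing, attack_interest, restricted_access):
    """Hypothetical 1-5 likelihood score: exposure and observed attacker activity
    raise it; a restricted audience (a compensating control) lowers it."""
    score = 1 + 2 * internet_facing + 2 * attack_interest - restricted_access
    return max(1, min(5, score))

@dataclass
class Risk:
    name: str
    severity: str  # CVSS-style label: one input to the decision, not the decider
    internet_facing: bool
    restricted_access: bool
    daily_events: list = field(default_factory=list)

    def score(self):
        """Risk = Likelihood x Impact, with likelihood driven by exposure and activity."""
        interest = active_attack_interest(self.daily_events)
        return (likelihood(self.internet_facing, interest, self.restricted_access)
                * SEVERITY_IMPACT[self.severity])

def prioritize(risks):
    """Remediation order: highest Likelihood x Impact first."""
    return [r.name for r in sorted(risks, key=Risk.score, reverse=True)]

def severity_only_order(risks):
    """The exam trap: ranking by the severity label alone puts Risk B first."""
    return [r.name for r in sorted(risks, key=lambda r: SEVERITY_IMPACT[r.severity], reverse=True)]

RISK_A = Risk("Risk A", "low", internet_facing=True, restricted_access=False,
              daily_events=RISK_A_FAILED_LOGINS_PER_DAY)
RISK_B = Risk("Risk B", "medium", internet_facing=False, restricted_access=True,
              daily_events=RISK_B_EXPLOIT_EVENTS_PER_DAY)
if __name__ == "__main__":
    print(prioritize([RISK_A, RISK_B]), severity_only_order([RISK_A, RISK_B]))
```

Running it prints `['Risk A', 'Risk B'] ['Risk B', 'Risk A']`: the same two risks, ordered differently depending on whether likelihood is part of the equation.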

Key Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

Exam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

A security team runs a vulnerability scan on a web application and discovers an unpatched SQL injection flaw. The team prioritises remediation by CVSS score — critical flaws are patched within 24 hours, high within 7 days. Questions like this test whether you understand vulnerability management processes, scanning tools, and remediation prioritisation.

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.


FAQ

Questions learners often ask

What does this SY0-701 question test?

This question tests Security Program Management and Oversight: read the scenario before looking for a memorised answer.

What is the correct answer to this question?

The correct answer is: Prioritize Risk A because it is exposed to the internet and already shows active attack interest. See the full explanation above for why internet exposure and active attacker interest outweigh the severity label.

What should I do if I get this SY0-701 question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

Are there clue words in this question I should notice?

Yes — watch for: "first". Order matters here. You are being tested on which action comes before the others — not which action is generally useful.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →


Last reviewed: Jun 11, 2026
