Question 236 of 500
IT Risk Identification · easy · Multiple Choice · Objective-mapped

Quick Answer

The answer is to document the risk and evaluate alternative mitigation options, including diversifying ISPs. This is correct because risk identification in the CRISC framework is about capturing the inherent risk and exploring controls before selecting a solution; the single-ISP dependency is a critical single point of failure that directly amplifies DoS attack risk, and simply adding server capacity is a costly absorption tactic that does not address the root vulnerability. On the CRISC exam, this tests your ability to distinguish between risk identification (documenting and evaluating options) and risk response (choosing a specific control), a common trap where candidates jump to a technical fix like blocking IPs or buying hardware instead of first performing a thorough risk analysis. A useful memory tip is “Document before you decide”—always capture the risk and evaluate alternatives, especially when a single point of failure like one ISP is present, as diversifying aligns with defense in depth.

CRISC IT Risk Identification Practice Question

This CRISC practice question tests your understanding of IT risk identification. Read the scenario carefully and evaluate each option against the stated constraints before committing to an answer. Once you have made your selection, compare your reasoning against the full explanation and wrong-answer breakdown below to reinforce the concept and understand why each distractor is designed to mislead on exam day.

A medium-sized e-commerce company recently experienced a denial-of-service (DoS) attack that took down its website for two hours. The incident response team quickly mitigated the attack by blocking the source IPs. In the aftermath, the risk manager is tasked with identifying risks to prevent recurrence. The company relies heavily on a single internet service provider (ISP) and has no DDoS protection service. The IT director suggests purchasing additional server capacity to absorb future attacks. The CEO is concerned about the cost. The risk team has identified that the likelihood of a similar attack is high based on recent industry trends, and the impact includes lost revenue and customer trust. What is the MOST effective risk identification action the risk team should take next?


Correct answer & explanation

Document the risk and evaluate alternative mitigation options, including diversifying ISPs.

Option D is correct because the risk team's primary role during risk identification is to document the risk and evaluate alternative mitigation options before committing to a specific solution. Diversifying ISPs addresses the single point of failure in the network architecture, which is a root cause of the DoS vulnerability, and aligns with the principle of defense in depth. Simply blocking source IPs is reactive, and the IT director's suggestion of adding server capacity is a costly and potentially ineffective absorption strategy against volumetric attacks.

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • Implement a web application firewall (WAF) to filter malicious traffic.

    Why it's wrong here

    WAF may not stop large volumetric DDoS.

  • Recommend purchasing DDoS protection from a cloud-based provider.

    Why it's wrong here

    This is a mitigation step, not identification.

  • Accept the risk because the cost of mitigation exceeds expected loss.

    Why it's wrong here

    Acceptance should come after thorough analysis.

  • Document the risk and evaluate alternative mitigation options, including diversifying ISPs.

    Why this is correct

    Proper documentation and evaluation are core to risk identification.

    Related concept

    Read the scenario before looking for a memorised answer.

Common exam traps

Common exam trap: answer the scenario, not the keyword

The trap here is that candidates confuse risk identification with risk treatment, selecting a specific solution (like a WAF or DDoS protection) instead of first documenting the risk and evaluating all possible options, which is the correct next step in the risk management process.

Detailed technical explanation

How to think about this question

Under the hood, a single ISP creates a single point of failure at the network edge; if the ISP's upstream bandwidth is saturated, no amount of server-side capacity can absorb the traffic. Diversifying ISPs with BGP multi-homing (RFC 4271) allows traffic to be rerouted if one link is attacked, and enables the use of RTBH (Remotely Triggered Black Hole) filtering to drop attack traffic closer to the source. Real-world scenarios, such as the 2016 Dyn DDoS attack, demonstrate that reliance on a single provider can amplify impact when the provider itself is the target.

Key Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

Exam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

A small business has 20 workstations on the 192.168.1.0/24 network and one public IP from its ISP. The router uses PAT (NAT overload) so all 20 devices share one public address using different source ports. NAT questions test whether you understand the four address terms and which direction each translation applies.

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.


FAQ

Questions learners often ask

What does this CRISC question test?

This question tests IT Risk Identification: read the scenario before looking for a memorised answer.

What is the correct answer to this question?

The correct answer is: Document the risk and evaluate alternative mitigation options, including diversifying ISPs (Option D). See the full explanation above for why the risk team should document and evaluate before committing to a specific control.

What should I do if I get this CRISC question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.

Last reviewed: Jun 25, 2026


This CRISC practice question is part of Courseiva's free ISACA certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the CRISC exam.