CCNA CRISC IT Security Questions

75 of 105 questions · Page 1/2 · CRISC IT Security topic

1. MCQ (medium)

A manufacturing company is integrating its industrial control systems (ICS) with the corporate IT network to enable real-time production monitoring. Which risk is most directly introduced by this convergence?

A. Higher licensing costs for industrial software
B. Expanded attack path from IT to OT systems
C. Increased complexity of data analytics
D. Reduced operational efficiency due to network latency
Answer: B

Correct. IT/OT convergence creates new attack vectors that can compromise safety-critical systems.

Why this answer

Connecting OT networks to IT networks expands the attack surface, allowing threats from the corporate network to reach ICS/SCADA systems, which were previously isolated.

2. Multi-Select (hard)

A financial services firm is migrating critical applications to a public cloud. The architecture review board (ARB) is evaluating the solution architecture. Which THREE risks should the ARB prioritize for review?

Select 3 answers
A. Vendor lock-in due to proprietary services
B. Energy consumption of cloud data centers
C. Network bandwidth limitations
D. Shared responsibility model gaps
E. Data sovereignty compliance
Answers: A, D, E

Strategic risk affecting future flexibility and costs.

Why this answer

Data sovereignty (regulatory), shared responsibility model (security gaps), and vendor lock-in (strategic) are key cloud risks that the ARB should assess before implementation.

3. MCQ (medium)

An organization is designing an IT risk management programme. Which of the following is the most critical component to ensure consistent identification and assessment of risks across the enterprise?

A. Risk assessment methodology
B. Risk treatment process
C. Risk management policy
D. Risk register
Answer: A

A methodology provides a repeatable process for consistent risk identification and assessment.

Why this answer

A standardized risk assessment methodology is essential for consistent identification and assessment of risks across the enterprise.

4. MCQ (hard)

A risk manager is evaluating the potential impact of quantum computing on the organization's encryption infrastructure. The organization uses RSA-2048 for key exchanges and digital signatures. According to current quantum computing projections, what is the MOST urgent risk management action to take?

A. Immediately replace all RSA-2048 keys with symmetric encryption
B. Begin a cryptographic inventory and develop a migration plan to post-quantum cryptography
C. Purchase cyber insurance to cover potential losses from quantum attacks
D. Increase the RSA key length to 4096 bits
Answer: B

Starting the inventory and planning is essential to prepare for the transition before quantum advantage is achieved.

Why this answer

Quantum computers capable of breaking RSA-2048 are not imminent but expected within 10-20 years. The most urgent action is to start planning for post-quantum cryptography migration, as it requires long lead times for assessment and implementation.

5. MCQ (easy)

Which of the following is a key component of an IT risk management programme design?

A. Incident response playbooks
B. Risk assessment methodology
C. Vendor security assessment reports
D. Network topology diagrams
Answer: B

The methodology is essential for consistent risk evaluation.

Why this answer

A risk assessment methodology defines the process for identifying, analyzing, and evaluating risks, which is a core component of any risk management programme.

6. MCQ (easy)

Which of the following is a primary goal of the 'Protect' function in the NIST Cybersecurity Framework?

A. Develop and implement appropriate activities to identify the occurrence of a cybersecurity event
B. Develop and implement appropriate safeguards to ensure delivery of critical services
C. Develop and implement appropriate activities to take action regarding a detected cybersecurity event
D. Develop and implement appropriate activities to maintain plans for resilience
Answer: B

Protect includes access control, awareness training, data security, etc.

Why this answer

The Protect function focuses on implementing safeguards to limit or contain the impact of a potential cybersecurity event.

7. MCQ (easy)

Which component of the NIST Cybersecurity Framework is primarily concerned with developing and implementing appropriate safeguards to ensure delivery of critical infrastructure services?

A. Detect
B. Identify
C. Recover
D. Protect
Answer: D

Correct. Protect develops and implements safeguards.

Why this answer

The Protect function in NIST CSF outlines safeguards to manage cybersecurity risk and ensure service delivery.

8. MCQ (hard)

The risk committee is reviewing a cyber risk quantification report that uses the FAIR model. The report estimates the annualized loss expectancy (ALE) for a ransomware attack as $2.5 million. The committee asks the risk manager to explain the key components used to derive this figure. Which of the following is the MOST important factor in the FAIR model for calculating ALE?

A. Threat intelligence reports on ransomware gangs
B. Vulnerability severity scores (CVSS)
C. Historical loss data from industry benchmarks
D. Annualized rate of occurrence (ARO) and single loss expectancy (SLE)
Answer: D

FAIR's ALE is derived from ARO (frequency) and SLE (impact). Both are critical, but ARO is often the more variable input.

Why this answer

The FAIR model calculates ALE by multiplying probable frequency (annualized rate of occurrence) by probable loss magnitude (financial impact per incident). Both are essential, but the frequency estimate often has higher uncertainty and drives the overall ALE.

9. MCQ (medium)

An organization is deploying a large number of IoT sensors in a smart building project. The sensors are from multiple vendors and some have limited firmware update capabilities. Which of the following risks should be the PRIMARY concern for the risk manager?

A. Data sovereignty of sensor data stored in the cloud
B. Inability to patch vulnerabilities in legacy IoT devices
C. Interoperability issues between different sensor protocols
D. High energy consumption of sensors
Answer: B

Unpatchable devices pose a persistent security risk that cannot be easily mitigated.

Why this answer

IoT devices with limited firmware update capabilities create a long-term vulnerability, as they cannot be patched against newly discovered flaws. This expands the attack surface and increases risk over time.

10. MCQ (hard)

A financial institution is implementing a cloud-based data analytics platform. The data includes personally identifiable information (PII) of customers in multiple jurisdictions. Which of the following is the MOST critical risk consideration?

A. Vendor lock-in due to proprietary APIs
B. Shared responsibility model gaps
C. Data sovereignty and compliance with local regulations
D. Multi-tenancy isolation risks
Answer: C

Non-compliance can result in significant fines and legal penalties.

Why this answer

The most critical risk is data sovereignty and compliance with local regulations because PII from multiple jurisdictions is subject to varying legal requirements (e.g., GDPR in Europe, CCPA in California, LGPD in Brazil). A cloud-based analytics platform processes and stores this data, and failure to comply can result in severe fines, legal action, and reputational damage. Unlike technical risks like vendor lock-in or multi-tenancy, non-compliance is a direct regulatory and business risk that cannot be mitigated by standard cloud controls alone.

Exam trap

The trap here is that candidates often focus on technical risks like shared responsibility or multi-tenancy, but CRISC emphasizes that regulatory compliance (especially with PII across jurisdictions) is the highest-priority risk because it carries direct legal and financial consequences that cannot be overridden by technical controls.

How to eliminate wrong answers

Option A is wrong because vendor lock-in due to proprietary APIs is a strategic risk, not the most critical when PII and regulatory compliance are at stake; it can be mitigated through standard API abstraction or multi-cloud strategies. Option B is wrong because shared responsibility model gaps are important but typically address security controls (e.g., encryption, access management) rather than the fundamental legal obligation to store data within specific geographic boundaries. Option D is wrong because multi-tenancy isolation risks are a security concern but are secondary to the primary risk of violating data residency laws, which can lead to immediate regulatory penalties.

11. MCQ (hard)

An energy company is integrating its IT network with OT systems for real-time monitoring. The risk manager is assessing the expanded attack surface. Which risk should be given the HIGHEST priority due to its potential for physical consequences?

A. Increased number of malware infections
B. Unauthorized access to corporate financial systems
C. Manipulation of operational parameters leading to equipment damage
D. Denial of service affecting IT services
Answer: C

This can result in physical damage, safety incidents, and environmental harm, making it the highest priority.

Why this answer

In OT environments, the highest priority risk involves safety implications and physical consequences, such as an attacker manipulating operational parameters to cause equipment damage or safety incidents.

12. MCQ (medium)

A company is implementing COBIT 2019 and wants to ensure that risk management activities are aligned with business objectives. Which governance objective is primarily responsible for evaluating, directing, and monitoring risk management?

A. EDM01 — Ensure Governance Framework Setting and Maintenance
B. EDM04 — Ensure Resource Optimization
C. EDM02 — Ensure Benefits Delivery
D. EDM03 — Ensure Risk Optimization
Answer: D

EDM03 is specifically designed to evaluate, direct, and monitor risk management.

Why this answer

COBIT 2019 defines EDM03 (Ensure Risk Optimization) as the governance objective that covers evaluating, directing, and monitoring risk management to optimize risk exposure.

13. MCQ (medium)

A financial institution is adopting AI for credit scoring. The model is currently a black box and requires explainability for regulatory compliance. Which risk is MOST critical to address?

A. Model bias
B. Adversarial attacks
C. Lack of explainability
D. Data privacy in training
Answer: C

Explainability is required by regulations for credit decisions; lack thereof can lead to non-compliance.

Why this answer

Regulated decisions require explainability. If the AI model cannot provide explanations, the institution risks regulatory non-compliance and potential legal challenges.

14. Multi-Select (hard)

An enterprise is migrating to a public cloud environment. Which THREE of the following are critical cloud-specific risk considerations?

Select 3 answers
A. Multi-tenancy isolation failures
B. On-premises network latency
C. Data sovereignty and legal jurisdiction
D. Shared responsibility model gaps
E. Legacy system compatibility
Answers: A, C, D

Improper isolation can lead to data leakage between tenants.

Why this answer

Cloud-specific risks include data sovereignty, multi-tenancy isolation, and shared responsibility model gaps. Vendor lock-in is also common but not always considered 'critical' for all migrations.

15. MCQ (medium)

An organization is adopting machine learning for credit scoring decisions. Which of the following risks is MOST critical from a regulatory compliance perspective?

A. Model bias leading to unfair outcomes
B. Data privacy during model training
C. Adversarial attacks on the model
D. Lack of model explainability for automated decisions
Answer: D

Many regulations require explanations for automated credit decisions.

Why this answer

Regulatory frameworks like GDPR and the EU AI Act emphasize the right to explanation for automated decisions. Without model explainability, the organization cannot demonstrate compliance with transparency requirements, making it the most critical risk from a regulatory compliance perspective.

Exam trap

Cisco often tests the distinction between operational risks (like bias or adversarial attacks) and regulatory compliance risks, where explainability is the primary legal requirement for automated decision systems.

How to eliminate wrong answers

Option A is wrong because while model bias is a significant ethical and regulatory concern, it is often a subset of the broader explainability issue; regulators primarily mandate that decisions be explainable to detect and mitigate bias. Option B is wrong because data privacy during model training is important but is typically addressed by data protection impact assessments and anonymization techniques, not the core compliance requirement for automated decision systems. Option C is wrong because adversarial attacks are a security risk that can affect model integrity, but they are not directly tied to regulatory compliance requirements for transparency and accountability in automated credit scoring.

16. Multi-Select (medium)

Which THREE of the following are typical exclusions in a cyber insurance policy?

Select 3 answers
A. Losses due to power outages without malicious intent
B. Intentional acts by the insured
C. Ransomware payments
D. Acts of war or terrorism
E. Social engineering fraud
Answers: A, B, D

Non-malicious infrastructure failures are typically excluded.

Why this answer

Common exclusions include acts of war, intentional acts by the insured, and infrastructure failure without malicious intent. Some policies also exclude social engineering.

17. MCQ (medium)

A company is migrating critical applications to the cloud. The risk manager is assessing the shared responsibility model. Which risk is the customer typically responsible for?

A. Network infrastructure maintenance
B. Physical security of data centers
C. Data classification and access control
D. Hypervisor security
Answer: C

The customer must manage data classification and who has access to it.

Why this answer

According to the shared responsibility model, the customer is responsible for data, access management, and application-level security.

18. MCQ (hard)

A power utility is required to comply with NERC CIP standards. Which of the following is a primary objective of these standards?

A. Standardize industrial control protocols
B. Reduce energy consumption
C. Ensure interoperability between IT and OT systems
D. Protect the reliability of the bulk electric system
Answer: D

NERC CIP focuses on reliability and security of the electric grid.

Why this answer

NERC CIP standards aim to protect the reliability of the bulk electric system by securing critical cyber assets.

19. MCQ (easy)

Which of the following is a common exclusion in cyber insurance policies that a risk manager should be aware of?

A. Business interruption
B. Ransomware attacks
C. Social engineering fraud
D. Acts of war
Answer: D

Correct. Acts of war are commonly excluded.

Why this answer

Cyber insurance policies often exclude acts of war, including state-sponsored cyber attacks. This is a critical exclusion that can leave organizations unprotected against nation-state threats.

20. Multi-Select (medium)

Which THREE of the following are key considerations when evaluating cyber insurance coverage? (Select three.)

Select 3 answers
A. Exclusions for acts of war or state-sponsored attacks
B. Incident response prerequisites such as mandatory use of approved vendors
C. Coverage scope for different incident types
D. Company's stock price volatility
E. Office location and building security
Answers: A, B, C

Many policies exclude nation-state attacks, which is a significant gap.

Why this answer

Cyber insurance policies have specific coverage scopes, exclusions (e.g., war, negligence), and prerequisites (e.g., multi-factor authentication). Premium factors like security controls also affect cost.

21. MCQ (hard)

An organization uses AI/ML for credit scoring decisions. The risk manager is concerned about regulatory compliance if the model cannot explain its decisions. Which AI risk is most directly addressed by requiring explainability?

A. Data privacy in AI training
B. Vendor lock-in
C. Adversarial attacks
D. Model bias
Answer: D

Explainability helps identify and mitigate bias in AI decisions.

Why this answer

Requiring explainability in an AI/ML credit scoring model directly addresses model bias because it forces the model to reveal which input features (e.g., income, zip code) drive its decisions. Without explainability, the organization cannot detect or prove that the model is not discriminating against protected groups, violating regulations like the Equal Credit Opportunity Act (ECOA) or GDPR's right to explanation. Explainability is the primary technical control to audit and mitigate bias in automated decision-making.

Exam trap

The trap here is that candidates confuse 'model bias' with 'data privacy' or 'adversarial attacks,' but the question specifically ties explainability to regulatory compliance, which is fundamentally about detecting and proving fairness (bias), not about data protection or input manipulation.

How to eliminate wrong answers

Option A is wrong because data privacy in AI training concerns how personal data is collected, stored, and used during model training (e.g., GDPR Article 5), not the model's ability to explain its outputs. Option B is wrong because vendor lock-in refers to dependency on a single vendor's proprietary platform or tools, which is unrelated to the model's interpretability or regulatory compliance. Option C is wrong because adversarial attacks involve manipulating input data to fool the model (e.g., adding noise to evade detection), which is a security risk, not a compliance risk addressed by explainability.

22. Multi-Select (medium)

A risk manager is assessing the risks of an IT/OT convergence project in a chemical plant. Which TWO of the following are the most significant security risks? (Select two.)

Select 2 answers
A. Increased attack surface from IT network to OT systems
B. Increased need for IT support staff
C. Higher bandwidth consumption on OT networks
D. Loss of real-time visibility for operators
E. Inability to apply patches to legacy ICS devices
Answers: A, E

This is a primary risk, as attackers can pivot from IT to OT.

Why this answer

A is correct because IT/OT convergence directly connects corporate IT networks to operational technology (OT) systems, expanding the attack surface. Attackers can pivot from IT to OT via protocols like Modbus/TCP or OPC UA, potentially disrupting critical industrial processes. This is the most significant risk as it introduces new vectors for ransomware or sabotage that were previously isolated by air gaps.

Exam trap

Cisco often tests the distinction between operational/reliability issues and actual security risks, so candidates mistakenly select 'loss of real-time visibility' or 'higher bandwidth' as security risks when they are not.

23. MCQ (medium)

A company is planning to migrate to post-quantum cryptography. What is the primary risk that quantum computing poses to current cryptographic systems?

A. Enhancing encryption key generation
B. Breaking widely used public-key cryptographic algorithms
C. Compromising hash functions for integrity
D. Increased speed of brute-force attacks on symmetric keys
Answer: B

Quantum computers can break RSA and ECC, which are fundamental to secure communications.

Why this answer

Quantum computers using Shor's algorithm can efficiently solve integer factorization and discrete logarithm problems, threatening RSA and ECC.

24. MCQ (medium)

A manufacturing company is connecting its industrial control systems (ICS) to the corporate network for real-time data analytics. What is the most significant risk arising from this IT/OT convergence?

A. Reduced network bandwidth for OT operations
B. Expanded attack surface from IT to OT systems
C. Increased data storage costs
D. Loss of proprietary control protocols
Answer: B

The convergence creates new paths for attackers to reach OT systems.

Why this answer

Connecting OT to IT networks exposes ICS to threats from the corporate network, expanding the attack surface and potentially allowing attackers to pivot to OT systems.

25. MCQ (medium)

An organization is evaluating cyber insurance to mitigate financial risk from potential data breaches. Which factor would most likely increase the insurance premium?

A. Implementation of multi-factor authentication
B. Adoption of a cybersecurity framework
C. Regular penetration testing
D. History of previous security incidents
Answer: D

Past incidents increase perceived risk and premiums.

Why this answer

A history of past security incidents indicates higher risk, leading insurers to charge higher premiums.

26. MCQ (hard)

A risk manager is assessing the impact of quantum computing on the organization's cryptographic infrastructure. The timeline for quantum advantage is estimated to be 10 years. What is the most appropriate immediate action to address this risk?

A. Increase key lengths for all symmetric encryption to 256 bits
B. Ignore the risk until quantum computers are commercially available
C. Begin post-quantum cryptography migration planning and crypto-agility assessment
D. Replace all existing cryptographic algorithms with post-quantum algorithms immediately
Answer: C

Correct. Starting planning and assessing crypto-agility is prudent and timely.

Why this answer

Post-quantum cryptography migration planning is a strategic activity that should begin now to ensure readiness before quantum computers can break current cryptography.
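Questions 4, 23 and 26 all turn on the same first step: inventory where public-key cryptography is used, mark what Shor's algorithm breaks, and rank the migration by how long the protected data must stay secret against the estimated quantum horizon. The script below is an added illustration, not part of the question bank or of any ISACA material. It assumes a constructed inventory (the asset names, key sizes and year estimates are made up), uses the page's 10-year quantum-advantage estimate as the threat horizon, and applies the widely cited "Mosca inequality" (data lifetime plus migration time exceeding the threat horizon means the data is exposed) to order the work. In practice the inventory rows would come from certificate stores, TLS and VPN configurations, HSM records and code scans.

```python
from dataclasses import dataclass

# Quantum-advantage horizon taken from the question text (10 years); an assumption for the demo.
THREAT_HORIZON_YEARS = 10

# Public-key schemes whose hardness assumption (factoring / discrete log) falls to Shor's algorithm.
SHOR_BROKEN = {"RSA", "DSA", "DH", "ECDH", "ECDSA", "ECC", "EdDSA"}
# Symmetric ciphers and hashes: Grover's algorithm roughly halves the effective security level.
GROVER_WEAKENED = {"AES", "ChaCha20", "SHA-256", "SHA-3"}


@dataclass
class CryptoAsset:
    name: str
    algorithm: str
    key_bits: int               # key size, or output size for a hash
    usage: str                  # "key_exchange", "signature", "symmetric" or "hash"
    data_lifetime_years: float  # how long the protected data must remain secret or valid
    migration_years: float      # estimated time to move this use to a replacement scheme


# Constructed sample inventory (hypothetical assets, not from the page).
INVENTORY = [
    CryptoAsset("api-gateway TLS", "RSA", 2048, "key_exchange", 10, 3),
    CryptoAsset("site-to-site VPN (IKE)", "ECDH", 256, "key_exchange", 5, 2),
    CryptoAsset("code signing", "RSA", 4096, "signature", 2, 4),
    CryptoAsset("backup encryption", "AES", 128, "symmetric", 10, 1),
    CryptoAsset("database at rest", "AES", 256, "symmetric", 10, 1),
    CryptoAsset("document integrity", "SHA-256", 256, "hash", 10, 1),
]


def assess(asset):
    """Return (status, recommended action) for one asset."""
    if asset.algorithm in SHOR_BROKEN:
        return "quantum_vulnerable", "migrate to a post-quantum or hybrid scheme"
    if asset.algorithm in GROVER_WEAKENED:
        if asset.key_bits < 256:
            return "weakened", "increase key or output size to 256 bits"
        return "adequate", "no change; re-check as standards evolve"
    return "unknown", "identify the algorithm and reassess"


def exposure_years(asset, threat_horizon=THREAT_HORIZON_YEARS):
    """Mosca inequality: positive means the data outlives the migration plus the horizon."""
    return asset.data_lifetime_years + asset.migration_years - threat_horizon


def prioritize(inventory, threat_horizon=THREAT_HORIZON_YEARS):
    """Order Shor-vulnerable assets for migration.

    Key exchange goes first: recorded traffic can be decrypted later once a
    capable machine exists, whereas a signature only has to hold until it is
    verified. Within each group, larger exposure (Mosca) comes first.
    """
    vulnerable = [a for a in inventory if assess(a)[0] == "quantum_vulnerable"]
    return sorted(
        vulnerable,
        key=lambda a: (a.usage != "key_exchange", -exposure_years(a, threat_horizon)),
    )


def report(inventory):
    """Human-readable summary of the inventory and migration order."""
    lines = []
    for asset in inventory:
        status, action = assess(asset)
        lines.append(f"{asset.name:24} {asset.algorithm}-{asset.key_bits:<5} {status:20} {action}")
    lines.append("")
    lines.append("Migration order (Shor-vulnerable only):")
    for rank, asset in enumerate(prioritize(inventory), start=1):
        lines.append(f"  {rank}. {asset.name} (exposure {exposure_years(asset):+.0f} years)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(INVENTORY))
```

Running the script ranks the TLS key exchange first (its data must stay confidential for 10 years, so it is already exposed under a 10-year horizon), the VPN second, and code signing last; the AES-128 backups are flagged for a key-size increase rather than a migration, matching the distinction between Shor and Grover effects that question 23 draws.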

27. MCQ (easy)

Which enterprise architecture layer is most directly responsible for managing the storage and processing of data, and for which data classification and encryption controls are critical?

A. Application architecture
B. Data architecture
C. Technology architecture
D. Business architecture
Answer: B

Correct. Data architecture manages data assets and requires data protection controls.

Why this answer

Data architecture is the enterprise architecture layer that defines how data is stored, managed, and processed, including data models, data flows, and storage structures. Data classification and encryption controls are critical at this layer because they directly protect the confidentiality and integrity of data at rest and in transit, ensuring compliance with policies and regulations.

Exam trap

The trap here is that candidates often confuse data architecture with technology architecture, mistakenly thinking that hardware or infrastructure layers are responsible for data classification and encryption, when in fact these controls are defined and managed at the data layer itself.

How to eliminate wrong answers

Option A is wrong because application architecture focuses on the design and interaction of software applications, not on the underlying storage and processing of data, and while applications may implement encryption, the primary responsibility for data classification and encryption controls lies with the data architecture. Option C is wrong because technology architecture deals with the hardware and software infrastructure (e.g., servers, networks, databases) that supports data processing, but it does not define how data is classified or encrypted; those controls are applied to the data itself, which is the domain of data architecture. Option D is wrong because business architecture describes business strategy, processes, and goals, and it does not directly manage data storage, processing, or technical controls like encryption.

28. Multi-Select (easy)

Which TWO of the following are key benefits of integrating the NIST Cybersecurity Framework with an organization's risk management processes? (Select TWO.)

Select 2 answers
A. Ensures all cyber attacks are prevented
B. Helps align cybersecurity activities with business objectives
C. Provides a prescriptive set of controls for all organizations
D. Provides a common language for communicating cybersecurity risk
E. Replaces the need for a separate risk appetite statement
Answers: B, D

The framework supports risk-based decisions aligned with business.

Why this answer

The NIST CSF provides a common language for communicating cybersecurity risk (D) and helps align cybersecurity activities with business objectives (B). It does not guarantee prevention of all attacks (A), nor does it replace a risk appetite statement (E), and it is a framework rather than a prescriptive set of controls (C).

29. MCQ (hard)

An organization uses the FAIR (Factor Analysis of Information Risk) model to quantify cyber risk. Which of the following is the correct definition of 'Loss Magnitude' in the FAIR model?

A. The probable financial impact of a cyber incident
B. The cost of implementing security controls
C. The number of records compromised in a data breach
D. The probability that a threat event will occur
Answer: A

Correct. Loss Magnitude is the financial impact.

Why this answer

In FAIR, Loss Magnitude is the probable financial impact of a cyber incident, typically expressed as a monetary value. It is calculated based on primary and secondary losses.
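Questions 8 and 29 describe the same calculation from two sides: loss magnitude per event is primary plus secondary loss, and ALE is frequency times magnitude. The script below is an added worked example, not part of the question bank or of the FAIR standard's own tooling. It reproduces the $2.5 million point estimate from question 8 with constructed inputs (an ARO of 0.5 events per year and a $5 million loss per event, split into primary and secondary loss), then shows why the frequency input tends to dominate: when ARO and SLE are each given a plausible range and the ALE is sampled with a small Monte Carlo run, the interval driven by frequency uncertainty is far wider than the one driven by magnitude uncertainty. All ranges are made-up illustrations.

```python
import random
from dataclasses import dataclass


@dataclass
class LossScenario:
    """One loss-event type with constructed point estimates (not real figures)."""
    name: str
    aro: float             # annualized rate of occurrence: expected events per year
    primary_loss: float    # direct cost per event: response, recovery, downtime
    secondary_loss: float  # indirect cost per event: fines, legal, reputation

    @property
    def sle(self) -> float:
        # Loss magnitude per event = primary + secondary loss
        return self.primary_loss + self.secondary_loss

    @property
    def ale(self) -> float:
        # Annualized loss expectancy = frequency x magnitude
        return self.aro * self.sle


def ale_ranges(aro_range, sle_range):
    """ALE interval when only ARO varies (SLE at its mode) vs only SLE varies (ARO at its mode).

    Each range is a (low, high, mode) triple. The wider interval tells the
    committee which input its estimate is most sensitive to.
    """
    aro_lo, aro_hi, aro_mode = aro_range
    sle_lo, sle_hi, sle_mode = sle_range
    frequency_driven = (aro_lo * sle_mode, aro_hi * sle_mode)
    magnitude_driven = (aro_mode * sle_lo, aro_mode * sle_hi)
    return frequency_driven, magnitude_driven


def simulate_ale(aro_range, sle_range, iterations=20000, seed=7):
    """Monte Carlo ALE from (low, high, mode) triangular ranges for ARO and SLE.

    Returns the mean and the 10th/90th percentiles of the sampled ALE, which is
    how a quantified risk is normally reported rather than as a single point.
    """
    rng = random.Random(seed)  # fixed seed so the output is reproducible
    samples = sorted(
        rng.triangular(*aro_range) * rng.triangular(*sle_range) for _ in range(iterations)
    )
    n = len(samples)
    return {
        "mean": sum(samples) / n,
        "p10": samples[int(0.10 * n)],
        "p90": samples[int(0.90 * n)],
    }


if __name__ == "__main__":
    # Point estimate matching the $2.5 million figure in question 8 (constructed inputs).
    ransomware = LossScenario("ransomware", aro=0.5, primary_loss=3_000_000, secondary_loss=2_000_000)
    print(f"SLE = ${ransomware.sle:,.0f}   ALE = ${ransomware.ale:,.0f}")

    # Constructed uncertainty ranges: frequency is far less certain than magnitude.
    aro_range = (0.1, 1.5, 0.5)                      # events per year
    sle_range = (4_000_000, 6_000_000, 5_000_000)    # dollars per event
    freq, mag = ale_ranges(aro_range, sle_range)
    print(f"ALE range from frequency uncertainty: ${freq[0]:,.0f} to ${freq[1]:,.0f}")
    print(f"ALE range from magnitude uncertainty: ${mag[0]:,.0f} to ${mag[1]:,.0f}")

    dist = simulate_ale(aro_range, sle_range)
    print(f"Monte Carlo ALE: mean ${dist['mean']:,.0f}, "
          f"p10 ${dist['p10']:,.0f}, p90 ${dist['p90']:,.0f}")
```

With these inputs the frequency-driven interval spans $7 million while the magnitude-driven one spans $1 million, which is the point the "Why this answer" text makes: both factors are multiplied, but the frequency estimate usually carries the larger uncertainty.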

30. MCQ (hard)

A power utility is integrating its industrial control system (ICS) with the corporate IT network to enable real-time operational data access. The risk manager identifies that the ICS uses legacy proprietary protocols without authentication. Which risk treatment option best addresses this issue while maintaining operational availability?

A. Implement a unidirectional gateway that enforces one-way data flow
B. Deploy a host-based intrusion detection system on each ICS device
C. Upgrade the ICS to modern protocols with built-in authentication
D. Disconnect the ICS from the corporate network and use manual data transfer
Answer: A

A unidirectional gateway prevents external threats from entering the ICS while allowing data export, preserving availability.

Why this answer

A unidirectional gateway (data diode) enforces one-way data flow from the ICS to the corporate IT network, preventing any inbound traffic that could exploit the legacy protocols' lack of authentication. This maintains operational availability because the ICS remains isolated from direct network attacks while still providing real-time data access. It is the only option that addresses the authentication gap without disrupting legacy system operations.

Exam trap

The trap here is that candidates often choose upgrading protocols (Option C) as the 'best practice' without considering the operational availability constraints of legacy ICS environments, where a unidirectional gateway provides a non-disruptive security layer.

How to eliminate wrong answers

Option B is wrong because a host-based intrusion detection system (HIDS) on each ICS device can detect attacks but cannot prevent exploitation of unauthenticated legacy protocols; it also adds overhead that may impact real-time control availability. Option C is wrong because upgrading to modern protocols with built-in authentication would require replacing or reconfiguring legacy ICS devices, risking operational downtime and incompatibility with existing field equipment. Option D is wrong because disconnecting the ICS and using manual data transfer eliminates the real-time data access requirement entirely, failing to meet the integration objective and introducing latency and human error.

31. Multi-Select (hard)

An organization is deploying IoT devices in a smart building. Which of the following are significant security risks associated with IoT? (Choose THREE.)

Select 3 answers
A. Firmware update challenges due to device diversity
B. Legacy device security gaps from unpatched vulnerabilities
C. Increased power consumption
D. Higher data transmission speeds
E. Expanded attack surface due to many connected devices
Answers: A, B, E

Managing updates across heterogeneous devices is difficult.

Why this answer

IoT risks include expanded attack surface, legacy device security gaps, and firmware update challenges.

32. MCQ (hard)

A power utility company is required to comply with NERC CIP standards. The risk manager is assessing the impact of connecting a remote substation's OT network to the corporate WAN. Which of the following is the MOST significant risk that must be addressed to comply with NERC CIP?

A. Violation of electronic security perimeter (ESP) requirements
B. Latency issues affecting real-time control
C. Increased bandwidth costs for WAN connectivity
D. Incompatibility with legacy serial protocols
Answer: A

NERC CIP mandates ESPs to protect critical cyber assets; any connection must be controlled and monitored.

Why this answer

NERC CIP requires clear electronic security perimeters (ESPs) between OT and other networks. Connecting OT to the corporate network can compromise the ESP, allowing unauthorized access to critical assets. This is a key compliance requirement.

33. MCQ (hard)

A power utility must comply with NERC CIP standards. Which of the following is a key requirement under these standards?

A. Implementing IEC 62443 for all control systems
B. Identifying and securing Critical Cyber Assets (CCAs)
C. Deploying AI for threat detection
D. Using only air-gapped networks
Answer: B

NERC CIP focuses on CCAs and their protection.

Why this answer

NERC CIP requires identification and protection of Critical Cyber Assets, including security controls for assets essential to bulk electric system reliability.

34. Multi-Select (hard)

An organization is deploying IoT devices for environmental monitoring in a manufacturing facility. Which THREE of the following are significant security risks that should be addressed? (Select THREE.)

Select 3 answers
A. Expanded attack surface due to numerous connected devices
B. Vendor lock-in due to proprietary protocols
C. Lack of firmware update capabilities for security patches
D. Data sovereignty issues for sensor data
E. Use of legacy components with known vulnerabilities
Answers: A, C, E

More devices mean more entry points.

Why this answer

IoT devices often have limited security features, leading to an expanded attack surface (A), a lack of firmware update mechanisms (C), and the use of legacy components with known vulnerabilities (E). Data sovereignty (D) is less relevant for environmental data; vendor lock-in (B) is a business risk, not a security risk.

35. MCQ (easy)

In the NIST Cybersecurity Framework, which function is primarily focused on developing and implementing appropriate safeguards to ensure delivery of critical infrastructure services?

A. Detect
B. Protect
C. Recover
D. Identify
Answer: B

Protect includes access control, awareness training, and data security safeguards.

Why this answer

The Protect function of the NIST CSF focuses on safeguards to limit or contain the impact of cybersecurity events.

36. MCQ (easy)

According to COBIT 2019, which governance objective is primarily concerned with evaluating, directing, and monitoring the management of IT risk?

A. EDM03 — Ensure Risk Optimization
B. EDM02 — Ensure Benefits Delivery
C. EDM04 — Ensure Resource Optimization
D. EDM01 — Ensure Governance Framework Setting and Maintenance
Answer: A

This is the correct governance objective for IT risk management oversight.

Why this answer

EDM03 — Ensure Risk Optimization is the governance objective that focuses on evaluating, directing, and monitoring risk management to ensure the enterprise's risk appetite and risk tolerance are understood and articulated.

37. MCQ (medium)

A power utility is required to comply with NERC CIP standards. Which of the following is a primary objective of these standards?

A. Protect the bulk power system from cybersecurity threats
B. Reduce energy consumption through efficient IT operations
C. Ensure interoperability between different vendors' SCADA systems
D. Standardize industrial control protocols
Answer: A

Correct. NERC CIP focuses on cybersecurity to maintain grid reliability.

Why this answer

NERC CIP standards are designed to protect the reliability of the bulk power system against cybersecurity threats that could cause widespread outages.

38
MCQhard

A multinational corporation is migrating its customer relationship management (CRM) system to a public cloud provider. The data includes personally identifiable information (PII) from multiple jurisdictions. Which risk should be considered most critical during the cloud architecture review?

A.Multi-tenancy isolation failures
B.Data sovereignty and cross-border data transfer restrictions
C.Shared responsibility model gaps for patching
D.Vendor lock-in due to proprietary APIs
AnswerB

Correct. Data sovereignty is a critical legal risk that must be addressed before migration.

Why this answer

The CRM migration involves PII from multiple jurisdictions, making data sovereignty and cross-border data transfer restrictions the most critical risk. Regulations like GDPR (EU) and local data localization laws (e.g., Russia, China) can impose fines or block transfers if data leaves approved regions. This risk directly impacts legal compliance and operational continuity, outweighing technical concerns like isolation or patching.

Exam trap

The trap here is that candidates confuse technical risks like multi-tenancy or patching with the overriding legal and regulatory risk of data sovereignty, which is the most critical for multinational PII migrations.

How to eliminate wrong answers

Option A is wrong because multi-tenancy isolation failures are a general cloud risk but less critical here; the CRM data is PII, but the primary legal risk is jurisdictional, not technical co-mingling. Option C is wrong because shared responsibility model gaps for patching are operational risks that can be mitigated via SLAs and automated patching, not the most critical for cross-jurisdiction PII. Option D is wrong because vendor lock-in due to proprietary APIs is a long-term strategic risk, not an immediate compliance or legal threat during migration of regulated data.

39
MCQhard

A power utility subject to NERC CIP standards is planning to deploy a new SCADA system. Which of the following requirements is MOST likely mandated by NERC CIP?

A.Establishment of an electronic security perimeter around critical cyber assets
B.Adoption of a cloud-based backup solution
C.Use of quantum-resistant encryption for all communications
D.Implementation of IEC 62443 security levels
AnswerA

NERC CIP requires defining and securing electronic security perimeters.

Why this answer

NERC CIP standards require identification and protection of critical cyber assets, including clear boundaries (electronic security perimeters) to control access.

40
MCQeasy

A risk manager is designing an IT risk management program. According to COBIT 2019, which governance objective is specifically focused on ensuring that risk management is optimized?

A.EDM03 — Ensure Risk Optimization
B.EDM04 — Ensure Resource Optimization
C.EDM02 — Ensure Benefits Delivery
D.EDM01 — Ensure Governance Framework Setting and Maintenance
AnswerA

EDM03 directly addresses risk optimization through evaluation, direction, and monitoring.

Why this answer

COBIT 2019's EDM03 (Ensure Risk Optimization) is the governance objective that directs the evaluation, direction, and monitoring of risk management to align with enterprise risk appetite.

41
Multi-Selectmedium

An organization is reviewing its IT risk management program and identifies that the risk register is not being updated after project changes. Which TWO components of the risk management program are most likely deficient?

Select 2 answers
A.Risk register
B.Risk management policy
C.Risk reporting
D.Risk assessment methodology
E.Risk treatment process
AnswersB, C

The policy should mandate regular updates; its absence leads to outdated registers.

Why this answer

The risk management policy (B) is deficient because it should mandate periodic updates to the risk register after project changes, ensuring alignment with the organization's risk appetite and tolerance. Without a policy that explicitly requires post-change risk reassessment, the process lacks governance and accountability. Risk reporting (C) is also deficient because it fails to communicate the updated risk status to stakeholders, which is critical for informed decision-making and maintaining an accurate risk posture.

Exam trap

The trap here is that candidates see the risk register is not being updated and immediately select it as deficient, but the question asks for the components of the program that are most likely deficient—the register is the output, not the process component; the deficiency is in the policy that mandates updates and the reporting that communicates changes.

42
MCQmedium

An organization is deploying a large number of Internet of Things (IoT) sensors for environmental monitoring in a remote facility. The sensors have limited processing power and cannot be patched easily. Which risk should the risk manager prioritize?

A.Vendor lock-in to proprietary protocols
B.Expanded attack surface with unpatched devices
C.Insufficient bandwidth for data transmission
D.Data integrity issues from sensor malfunction
AnswerB

Correct. Many unpatched IoT devices create a large attack surface.

Why this answer

IoT devices often lack security updates, making them vulnerable to exploitation. The expanded attack surface from many devices compounds this risk.

43
MCQhard

A financial institution is adopting a cloud-based analytics platform. The data includes sensitive customer information subject to multiple jurisdictions' data residency laws. Which of the following poses the greatest compliance risk?

A.Multi-tenancy isolation vulnerabilities
B.Vendor lock-in due to proprietary APIs
C.Shared responsibility model gaps
D.Data sovereignty and cross-border data transfer restrictions
AnswerD

Data residency laws can conflict, leading to non-compliance if data is stored in an unauthorized location.

Why this answer

Data sovereignty issues arise when data is stored in jurisdictions with conflicting or unknown legal frameworks, posing significant compliance risk.

44
MCQmedium

A bank is considering adopting artificial intelligence for credit scoring. The risk manager identifies that the AI model might produce biased outcomes against certain demographic groups. Which AI/ML risk is most directly associated with this concern?

A.Model bias
B.Adversarial attacks
C.Explainability requirements
D.Data privacy in AI training
AnswerA

Correct. Model bias leads to unfair outcomes based on demographics.

Why this answer

Model bias occurs when training data or algorithms produce unfair or discriminatory outcomes, directly impacting fairness and regulatory compliance.

45
MCQmedium

A risk practitioner is designing an IT risk management programme. Which of the following is the BEST sequence of components to establish?

A.Risk register, risk assessment methodology, risk treatment process, risk reporting, risk management policy
B.Risk assessment methodology, risk register, risk treatment process, risk management policy, risk reporting
C.Risk reporting, risk management policy, risk assessment methodology, risk register, risk treatment process
D.Risk management policy, risk assessment methodology, risk register, risk treatment process, risk reporting
AnswerD

This is the logical sequence: policy first, then methodology, then register, then treatment, then reporting.

Why this answer

Policy comes first because it establishes the mandate, risk appetite, roles and responsibilities; the methodology then defines how risks are identified and assessed; the register records the assessed risks; the treatment process acts on them; and reporting communicates status to stakeholders. Option D is the only sequence that follows this dependency order.

46
MCQmedium

A risk practitioner is using the FAIR model to quantify cyber risk for a proposed new online payment system. Which factor must be estimated to calculate the probable financial impact of a data breach?

A.Threat event frequency
B.Loss magnitude
C.Vulnerability severity score
D.Annualized rate of occurrence
AnswerB

Correct. Loss magnitude estimates the financial impact per event.

Why this answer

In FAIR, the probable financial impact is derived from the loss event frequency and the loss magnitude. Loss magnitude estimates the financial loss per incident.

47
MCQmedium

During a solution architecture review, the Architecture Review Board (ARB) identifies that a new application communicates with a legacy system using plain text over a public network. Which risk treatment option is MOST appropriate?

A.Require encryption (e.g., TLS) for the communication
B.Transfer the risk to a third-party vendor
C.Accept the risk because the legacy system cannot be changed
D.Decommission the legacy system immediately
AnswerA

Encryption mitigates the risk of data exposure effectively.

Why this answer

The risk of data exposure can be mitigated by implementing encryption, such as TLS, to protect data in transit.
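As an added illustration of the finding and its mitigation (example code written for this page, not from the original), the block below does two things an ARB reviewer would want: it flags integration endpoints whose URL scheme carries data in the clear, and it contrasts a hardened TLS client context with the "just make it connect" context that negotiates encryption but never authenticates the peer. The endpoint list, hostnames and scheme set are constructed for the example; the standard-library `ssl` calls are real.

```python
import ssl
from urllib.parse import urlsplit

# Schemes that carry data in the clear; any of these crossing a public
# network is the finding the ARB raised.  (Constructed list for the example.)
CLEARTEXT_SCHEMES = {"http", "ftp", "telnet", "ldap", "smtp", "mqtt"}

# Constructed integration inventory: hypothetical hosts, not a real system.
SAMPLE_INTEGRATIONS = [
    "http://legacy-erp.example.net:8080/orders",
    "https://api.example.com/v2/customers",
    "ldap://dir.example.net/ou=users",
    "ldaps://dir.example.net/ou=users",
]


def cleartext_endpoints(urls):
    """Return the endpoints that would send data unencrypted."""
    return [u for u in urls if urlsplit(u).scheme.lower() in CLEARTEXT_SCHEMES]


def hardened_client_context(cafile=None):
    """Client context for the new application's side of the link: TLS 1.2 or
    later, server certificate required and hostname checked.  cafile is the
    CA bundle that issued the legacy endpoint's (or its TLS proxy's)
    certificate; None falls back to the system trust store."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def weak_client_context():
    """The shortcut often taken to make a legacy endpoint 'just work': the
    session is encrypted but the peer is never authenticated, so an on-path
    attacker can terminate the TLS connection themselves."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be disabled before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx):
    """List the weaknesses a reviewer would flag in a client SSLContext."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions below 1.2 permitted")
    return findings


if __name__ == "__main__":
    print("cleartext endpoints:", cleartext_endpoints(SAMPLE_INTEGRATIONS))
    print("weak context:", audit_context(weak_client_context()))
    print("hardened context:", audit_context(hardened_client_context()))
```

Where the legacy system genuinely cannot speak TLS, the mitigation is still option A: terminate TLS in front of it (a reverse proxy or stunnel on the same trusted segment) so that the remaining cleartext hop never touches the public network. Disabling certificate verification to get past a self-signed legacy certificate is not a mitigation; it is the weak context above.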

48
MCQmedium

An organization is implementing the NIST Cybersecurity Framework to manage cyber risk. The risk manager is mapping the 'Detect' function to existing risk management processes. Which of the following activities is MOST directly aligned with the 'Detect' function?

A.Implementing continuous security monitoring of network traffic
B.Developing an incident response plan
C.Conducting a business impact analysis
D.Establishing a patch management process
AnswerA

Continuous monitoring enables detection of potential incidents.

Why this answer

The 'Detect' function focuses on identifying cybersecurity events in a timely manner. Continuous security monitoring is a key activity to detect anomalies and incidents.

49
Multi-Selecteasy

Which TWO of the following are key functions of an Architecture Review Board (ARB) in managing risk?

Select 2 answers
A.Managing user access controls
B.Performing daily vulnerability scans
C.Reviewing solution architectures for security risks before implementation
D.Responding to security incidents
E.Ensuring architecture alignment with risk appetite
AnswersC, E

This is a primary ARB responsibility.

Why this answer

Option C is correct because a primary function of an Architecture Review Board (ARB) is to evaluate solution architectures for security risks prior to implementation. This proactive review ensures that security controls are embedded in the design phase, reducing the likelihood of vulnerabilities being introduced into production systems.

Exam trap

The trap here is confusing operational security tasks (like access control, scanning, or incident response) with the strategic, governance-focused role of the ARB, which is to ensure architectural decisions align with risk appetite and security requirements before deployment.

50
MCQeasy

A risk manager is designing an IT risk management program. Which document should serve as the primary source for defining the organization's approach to risk assessment, treatment, and reporting?

A.IT strategy
B.Risk management policy
C.Business continuity plan
D.Risk register
AnswerB

Correct. The risk management policy defines the approach to risk management.

Why this answer

The risk management policy is the authoritative document that establishes the organization's overall approach to risk management, including the principles, roles, responsibilities, and processes for risk assessment, treatment, and reporting. It sets the governance framework and mandates how risk activities must be conducted across the IT environment, ensuring consistency and alignment with business objectives.

Exam trap

The trap here is that candidates often confuse the risk register (a tactical tool) with the risk management policy (a strategic governance document), mistakenly thinking the register defines the process rather than just recording the outputs.

How to eliminate wrong answers

Option A is wrong because the IT strategy defines the long-term technology direction and investment priorities, not the specific procedures for risk assessment, treatment, and reporting. Option C is wrong because the business continuity plan focuses on maintaining or restoring operations after a disruption, not on the ongoing risk management process of identifying, analyzing, and treating risks. Option D is wrong because the risk register is a living document that records identified risks, their assessments, and treatment plans, but it does not define the overarching methodology or governance for risk management.

51
MCQmedium

An organization is deploying IoT sensors in a manufacturing plant. Which of the following is the MOST significant security risk associated with these devices?

A.Interference with radio frequency signals
B.Limited data storage capacity
C.High power consumption leading to operational costs
D.Inability to apply security patches due to legacy firmware
AnswerD

Unpatched vulnerabilities in IoT devices are a major security concern.

Why this answer

IoT devices often have limited security features and may lack the ability to receive firmware updates, making them vulnerable and expanding the attack surface.

52
MCQhard

A manufacturing company is integrating its industrial control systems (ICS) with the corporate IT network to enable real-time data analytics. Which of the following represents the MOST significant risk introduced by this convergence?

A.Increased complexity in managing network bandwidth
B.Potential for increased data redundancy
C.Expansion of the attack surface from IT to OT environments
D.Higher licensing costs for security software
AnswerC

This creates new pathways for cyber attacks that can have physical consequences.

Why this answer

Connecting ICS to the corporate network expands the attack surface, allowing threats from the IT network to reach OT systems, potentially leading to safety incidents.

53
Multi-Selectmedium

An organization is implementing an AI/ML model for credit approval decisions subject to regulatory oversight. Which TWO of the following are the most significant risk considerations?

Select 2 answers
A.Model bias causing discriminatory outcomes
B.Model explainability for regulatory compliance
C.Data privacy in AI training
D.High computational cost of model retraining
E.Adversarial attacks on the training data
AnswersA, B

Bias can lead to legal and reputational damage.

Why this answer

Regulated decisions require explainability, and model bias can lead to unfair or illegal outcomes. Both are critical risks.

54
MCQmedium

A company's risk management policy requires a risk register to be maintained. Which of the following is the primary purpose of a risk register?

A.To assign financial values to all risks
B.To document and track identified risks, assessments, and risk responses
C.To record audit findings
D.To provide a list of all IT assets
AnswerB

This is the core function of a risk register.

Why this answer

The primary purpose of a risk register is to serve as a central repository for documenting and tracking all identified risks, their assessments (including likelihood and impact), and the corresponding risk response strategies. This ensures that risk management activities are transparent, auditable, and actionable throughout the risk lifecycle, aligning with the ISACA CRISC framework.

Exam trap

The trap here is that candidates confuse the risk register with other operational logs (e.g., audit findings or asset inventories) or assume its primary purpose is financial quantification, whereas the CRISC exam emphasizes its role as a comprehensive tracking and documentation tool for the entire risk management process.

How to eliminate wrong answers

Option A is wrong because assigning financial values to risks is a specific activity within risk analysis (e.g., quantitative risk assessment using ALE/SLE), not the primary purpose of the risk register itself; the register may include such values but is not limited to them. Option C is wrong because audit findings are recorded in audit reports or issue logs, not the risk register; the risk register focuses on forward-looking risk identification and treatment, not retrospective audit results. Option D is wrong because a list of all IT assets is typically maintained in an asset inventory or configuration management database (CMDB), not the risk register; the risk register only includes assets relevant to identified risks.

55
MCQmedium

Which standard is specifically designed for industrial automation and control systems security and provides a framework for addressing security in IACS?

A.ISO 27001
B.NERC CIP
C.IEC 62443
D.NIST SP 800-53
AnswerC

Correct. IEC 62443 is the standard for IACS security.

Why this answer

IEC 62443 is the international standard for industrial automation and control systems security, covering security for IACS across multiple levels.

56
MCQhard

An organization is reviewing its enterprise architecture to identify risks. In which IT architecture layer would a risk related to data classification and data sovereignty be primarily addressed?

A.Application architecture layer
B.Business architecture layer
C.Data architecture layer
D.Infrastructure/Technology architecture layer
AnswerC

Correct. Data architecture addresses data classification, storage, and sovereignty.

Why this answer

Data classification and sovereignty concerns are primarily data-related, falling under the data architecture layer. The data layer defines how data is stored, classified, and managed, including sovereignty requirements.

57
MCQeasy

Which of the following is a key component of the NIST Cybersecurity Framework's 'Identify' function?

A.Recovery planning
B.Response planning
C.Anomalies and events detection
D.Risk assessment
AnswerD

Risk assessment is a core component of Identify.

Why this answer

The Identify function includes asset management, risk assessment, and governance to understand the organization's risk posture.

58
MCQmedium

An organization is implementing a new cloud-based CRM system. The risk manager is reviewing the solution architecture for security risks. Which architectural layer should be evaluated to ensure data encryption at rest and in transit?

A.Application architecture
B.Data architecture
C.Infrastructure architecture
D.Business architecture
AnswerB

Data architecture defines how data is stored, managed, and protected, including encryption controls.

Why this answer

Data architecture defines how data is stored, processed, and transmitted, including encryption policies. To ensure data encryption at rest (e.g., AES-256 for stored CRM records) and in transit (e.g., TLS 1.2/1.3 for API calls), the risk manager must evaluate the data architecture layer, which specifies encryption standards, key management, and data flow controls.

Exam trap

The trap here is that candidates often confuse 'infrastructure architecture' with data security controls, but encryption policies and data flow protections are explicitly part of the data architecture layer, not the underlying hardware or network layer.

How to eliminate wrong answers

Option A is wrong because application architecture focuses on software components, APIs, and business logic, not on encryption mechanisms for data at rest or in transit. Option C is wrong because infrastructure architecture covers hardware, networks, and virtualization layers, but encryption policies and data flow security are defined at the data architecture level. Option D is wrong because business architecture addresses organizational goals, processes, and governance, not technical encryption controls.

59
Multi-Selectmedium

A risk manager is integrating risk management with IT governance. Which of the following are key elements of an IT risk management programme design? (Choose TWO.)

Select 2 answers
A.Risk assessment methodology
B.Incident response plan
C.Business continuity plan
D.Vendor management policy
E.Risk register
AnswersA, E

A methodology ensures consistent risk assessment.

Why this answer

A risk register and a risk assessment methodology are core components of an IT risk management programme design.

60
MCQmedium

An architecture review board (ARB) is evaluating a new solution architecture that processes sensitive data. Which of the following should the ARB review to ensure security risks are addressed before implementation?

A.User acceptance test plan
B.Business case and ROI analysis
C.Threat model and security controls
D.Project timeline and budget
AnswerC

Threat modeling helps identify and mitigate security risks in the architecture.

Why this answer

The ARB must ensure that security risks are identified and mitigated before implementation. A threat model systematically identifies potential threats (e.g., STRIDE) and maps them to security controls, ensuring that sensitive data is protected against attacks like injection, disclosure, or tampering. Without this review, the architecture could be deployed with unaddressed vulnerabilities.

Exam trap

The trap here is that candidates confuse project governance artifacts (UAT plan, business case, timeline) with security-specific risk assessment deliverables, leading them to select a generic project management option instead of the threat model that directly addresses security risks.

How to eliminate wrong answers

Option A is wrong because a user acceptance test plan validates functional requirements and usability, not security risks or threat mitigation. Option B is wrong because the business case and ROI analysis focus on financial justification and cost-benefit, not on identifying or addressing security threats. Option D is wrong because the project timeline and budget are project management artifacts that track schedule and cost, not security risk assessment or control validation.

61
MCQmedium

A financial institution is considering adopting a new AI/ML model for credit scoring. The model uses customer demographic data and transaction history. Which of the following risks is MOST likely to cause regulatory penalties if not addressed?

A.Data privacy of training data
B.Model drift due to changing economic conditions
C.Model bias leading to unfair lending practices
D.Adversarial attacks on the model
AnswerC

Model bias can violate fair lending laws and result in regulatory fines and reputational damage.

Why this answer

Fair-lending rules such as the US Equal Credit Opportunity Act (ECOA) prohibit credit discrimination on protected characteristics, and the GDPR restricts solely automated decisions with legal effects on individuals. A model that systematically disadvantages a protected group violates these rules, and the penalty attaches to the discriminatory outcome itself. Explainability helps demonstrate compliance, but it is a supporting requirement rather than the harm regulators fine.
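Questions 44, 53 and 61 all turn on detecting model bias in approval outcomes. The block below, an added example that is not part of the original page, runs the four-fifths (80%) selection-ratio test that US regulators use as a screening heuristic for adverse impact: each group's approval rate is divided by the most-favoured group's rate, and any ratio under 0.8 is flagged. The decision log is synthetic, constructed for the illustration; the threshold is the conventional value, not a legal bright line.

```python
from collections import defaultdict

# Constructed decision log of (demographic group, approved?).  Synthetic
# counts chosen for the illustration, not real lending data.
SAMPLE_DECISIONS = (
    [("A", True)] * 40 + [("A", False)] * 10      # 50 applicants, 80% approved
    + [("B", True)] * 25 + [("B", False)] * 25    # 50 applicants, 50% approved
    + [("C", True)] * 30 + [("C", False)] * 10    # 40 applicants, 75% approved
)


def approval_rates(decisions):
    """Approval rate per group from (group, approved) records."""
    totals = defaultdict(int)
    approved = defaultdict(int)
    for group, ok in decisions:
        totals[group] += 1
        if ok:
            approved[group] += 1
    return {g: approved[g] / totals[g] for g in totals}


def impact_ratios(decisions):
    """Each group's approval rate divided by the most-favoured group's rate,
    plus the name of that reference group."""
    rates = approval_rates(decisions)
    reference = max(rates, key=rates.get)
    return {g: r / rates[reference] for g, r in rates.items()}, reference


def adverse_impact_groups(decisions, threshold=0.8):
    """Groups whose selection ratio falls below the threshold: the
    four-fifths rule.  An empty list means the outcome screen passed."""
    ratios, _ = impact_ratios(decisions)
    return sorted(g for g, r in ratios.items() if r < threshold)


if __name__ == "__main__":
    ratios, ref = impact_ratios(SAMPLE_DECISIONS)
    print("reference group:", ref)
    for group, ratio in sorted(ratios.items()):
        print(f"{group}: selection ratio {ratio:.3f}")
    print("adverse impact:", adverse_impact_groups(SAMPLE_DECISIONS))
```

This is an outcome test: it tells the risk manager that group B is approved at 62.5% of group A's rate, which is enough to open a finding, but not why. Establishing whether the disparity comes from a proxy feature, skewed training data or a legitimate credit factor is where the explainability requirement in question 53 comes in.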

62
MCQhard

An organization is evaluating cyber insurance to cover potential losses from ransomware attacks. The insurer requires that the organization have multi-factor authentication (MFA) on all remote access systems. This requirement is an example of which factor influencing insurance premiums?

A.Coverage scope
B.Incident prerequisites
C.Exclusions
D.Premium factors
AnswerD

Correct. Security controls like MFA are key factors in premium calculation.

Why this answer

Insurers assess the applicant's security controls when pricing a policy. MFA on remote access reduces the likelihood of a ransomware intrusion, so it lowers the assessed risk and therefore the premium, and many insurers now make it a condition of offering coverage at all.

63
Multi-Selectmedium

A risk manager is evaluating IoT device risks for a smart building project. Which TWO of the following are significant IoT security risks?

Select 2 answers
A.Data sovereignty compliance
B.Quantum computing threat to cryptography
C.Vendor lock-in
D.Firmware update challenges
E.Expanded attack surface due to many connected devices
AnswersD, E

IoT devices often lack automatic update mechanisms.

Why this answer

IoT devices often have limited security capabilities, leading to expanded attack surface and difficulty in applying firmware updates. These are common IoT risks.

64
Multi-Selectmedium

An organization is planning to adopt post-quantum cryptography. Which TWO considerations are MOST important for migration planning?

Select 2 answers
A.Evaluate the cost of quantum computers
B.Assess the cryptographic agility of current systems
C.Identify systems that need long-term confidentiality (e.g., classified data)
D.Train employees on quantum physics
E.Purchase quantum-resistant hardware immediately
AnswersB, C

Systems must be able to support new algorithms.

Why this answer

Migration must prioritize systems with long-term data sensitivity and assess cryptographic agility to adapt to new standards.
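The two considerations in the answer, cryptographic agility and long-term confidentiality, are what a migration plan actually scores on. The block below is an added example (not from the original page) that ranks a constructed cryptographic inventory: public-key algorithms broken by Shor's algorithm are urgent when the data they protect must stay secret longer than the assumed arrival of a cryptographically relevant quantum computer (the harvest-now, decrypt-later case), signatures and short-lived sessions follow, and symmetric keys only need to move to 256 bits because Grover's algorithm halves their effective strength. The inventory entries, the `crqc_horizon_years` assumption and the scoring weights are all hypothetical.

```python
from dataclasses import dataclass

# Public-key algorithms broken by Shor's algorithm on a cryptographically
# relevant quantum computer (CRQC).  Symmetric ciphers only lose half their
# effective bits to Grover's algorithm, so 256-bit keys remain adequate.
SHOR_VULNERABLE = {"RSA", "DH", "ECDH", "ECDSA", "DSA"}
SYMMETRIC_MIN_BITS = 256


@dataclass
class CryptoAsset:
    system: str
    algorithm: str
    key_bits: int
    purpose: str          # "confidentiality" or "signature"
    secrecy_years: int    # how long the protected data must stay secret
    agile: bool           # can the algorithm be swapped by config or library upgrade?


# Constructed inventory for the example; the systems are hypothetical.
SAMPLE_INVENTORY = [
    CryptoAsset("backup-archive", "RSA", 2048, "confidentiality", 25, False),
    CryptoAsset("public-web-tls", "ECDH", 256, "confidentiality", 1, True),
    CryptoAsset("code-signing", "ECDSA", 256, "signature", 10, True),
    CryptoAsset("db-at-rest", "AES", 128, "confidentiality", 10, True),
    CryptoAsset("hsm-key-wrap", "AES", 256, "confidentiality", 30, True),
]


def assess(asset, crqc_horizon_years):
    """Return (priority, reasons); a lower priority number means migrate sooner."""
    reasons = []
    priority = 4                                   # no action needed
    if asset.algorithm in SHOR_VULNERABLE:
        if asset.purpose == "confidentiality" and asset.secrecy_years > crqc_horizon_years:
            # Traffic or files captured today can be decrypted once a CRQC exists.
            reasons.append("harvest-now-decrypt-later exposure")
            priority = 1
        else:
            reasons.append("quantum-vulnerable public-key algorithm")
            priority = 2
        if not asset.agile:
            reasons.append("not crypto-agile: algorithm change needs re-engineering")
    elif asset.key_bits < SYMMETRIC_MIN_BITS:
        reasons.append(f"symmetric key of {asset.key_bits} bits: Grover halves strength, move to 256")
        priority = 3
    return priority, reasons


def migration_plan(assets, crqc_horizon_years=10):
    """Assets ordered most urgent first: by priority, then by how long the
    data must stay secret, then by name for a stable order."""
    scored = [(assess(a, crqc_horizon_years), a) for a in assets]
    scored.sort(key=lambda item: (item[0][0], -item[1].secrecy_years, item[1].system))
    return [(priority, asset.system, reasons) for (priority, reasons), asset in scored]


if __name__ == "__main__":
    for priority, system, reasons in migration_plan(SAMPLE_INVENTORY):
        print(priority, system, "; ".join(reasons) or "no action")
```

The non-agile archive lands first even though the web front end is the most exposed system: the archive's data outlives the horizon and the algorithm cannot be swapped without re-engineering, which is exactly the combination of options B and C the question asks for.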

65
MCQhard

A risk manager is calculating the probable financial impact of a ransomware attack using the FAIR model. Which factor is MOST critical to estimate the annual loss exposure?

A.Recovery time objective (RTO)
B.Threat event frequency
C.Cost of cyber insurance premium
D.Number of affected systems
AnswerB

Threat event frequency is a key component in FAIR for calculating annual loss exposure.

Why this answer

In the FAIR model, annualized loss exposure is loss event frequency (LEF) multiplied by loss magnitude, and LEF is itself threat event frequency (TEF) multiplied by vulnerability, the probability that a threat event becomes a loss event. Of the options listed, threat event frequency is the only FAIR frequency input: it determines how often losses occur, and without an estimate of how frequently ransomware attacks are expected, a loss magnitude estimate cannot be annualized.

Exam trap

The trap here is that candidates often confuse loss magnitude factors (like number of affected systems or RTO) with the frequency component, mistakenly thinking that the size of a single incident is more important than how often incidents occur, when in fact both are needed but frequency is the most critical for annualizing exposure.

How to eliminate wrong answers

Option A is wrong because recovery time objective (RTO) is a metric for business continuity planning, not a direct input to the FAIR model's annual loss exposure calculation; it influences loss magnitude but is not the most critical factor. Option C is wrong because the cost of a cyber insurance premium is a financial transfer mechanism, not a risk quantification input; it reflects the insurer's assessment of risk, not the raw threat event frequency needed for FAIR. Option D is wrong because the number of affected systems is a component of loss magnitude (e.g., asset value at risk), but without knowing how often attacks occur (threat event frequency), you cannot compute annual loss exposure.

66
MCQmedium

An organization is connecting its industrial control systems (ICS) to the corporate network for real-time data analytics. Which of the following is the PRIMARY risk introduced by this IT/OT convergence?

A.Reduced availability of OT systems
B.Higher cost of network equipment
C.Expansion of the attack surface to OT systems
D.Increased complexity of data analytics
AnswerC

Correct. The attack surface expands, exposing OT to network-based threats.

Why this answer

The primary risk is the expansion of the attack surface, as previously isolated OT systems become accessible from the corporate network, increasing the likelihood of cyber attacks propagating to critical industrial systems.

67
MCQmedium

An Architecture Review Board (ARB) is evaluating a new solution architecture for a customer-facing web application. Which of the following is the PRIMARY risk the ARB should consider?

A.The application does not support mobile devices
B.The application development timeline is aggressive
C.The application uses the latest JavaScript framework
D.The application exposes sensitive customer data through APIs without proper authentication
AnswerD

This is a significant security risk that could lead to data breach.

Why this answer

The ARB's role includes ensuring security risks are identified before implementation. Among the options, exposure of sensitive customer data is the most critical security risk that could impact the organization's reputation and compliance.

68
MCQmedium

An organization is considering cyber insurance to transfer residual risk. Which factor would MOST significantly influence the premium?

A.Industry sector
B.Company revenue
C.Security controls and incident history
D.Number of employees
AnswerC

Insurers heavily weigh security maturity and past claims.

Why this answer

Insurers assess the organization's security controls and past incidents to determine risk level, which directly affects premium.

69
MCQeasy

Which of the following is a key component of the NIST Cybersecurity Framework's Identify function?

A.Response planning
B.Recovery plan implementation
C.Risk assessment
D.Anomalies and events detection
AnswerC

Risk assessment is part of the Identify function.

Why this answer

The Identify function includes asset management, business environment, governance, risk assessment, and risk management strategy. Risk assessment is a key component.

70
MCQeasy

Which of the following is a key component of an IT risk management programme that documents identified risks, their likelihood, and impact?

A.Risk management policy
B.Risk register
C.Business continuity plan
D.Incident response plan
AnswerB

The risk register is the correct document for recording risks.

Why this answer

The risk register is the central repository within an IT risk management programme that formally documents identified risks, their assessed likelihood, and potential impact. It serves as the authoritative record for tracking risk ownership, mitigation status, and residual risk levels, enabling ongoing monitoring and reporting. Without a risk register, an organization cannot systematically manage or communicate its risk posture.

Exam trap

The trap here is that candidates confuse the risk register with the risk management policy, mistakenly thinking the policy document contains the detailed risk inventory, when in fact the policy only sets the governance framework while the register holds the operational risk data.

How to eliminate wrong answers

Option A is wrong because a risk management policy defines the high-level principles, objectives, and responsibilities for risk management, but it does not contain the specific inventory of identified risks, their likelihood, or impact. Option C is wrong because a business continuity plan (BCP) focuses on maintaining or restoring operations after a disruption, not on documenting the full spectrum of identified IT risks and their attributes. Option D is wrong because an incident response plan (IRP) outlines procedures for detecting, responding to, and recovering from security incidents, but it does not serve as the ongoing record of all identified risks, their likelihood, and impact.

71
Multi-Selectmedium

According to the FAIR model, which TWO of the following are primary components used to calculate probable financial impact of a cyber incident?

Select 2 answers
A.Loss Magnitude (LM)
B.Threat intelligence feed
C.Control effectiveness score
D.Loss Event Frequency (LEF)
E.Vulnerability severity score
AnswersA, D

LM estimates the financial impact per loss event.

Why this answer

FAIR model decomposes risk into Loss Event Frequency (LEF) and Loss Magnitude (LM). These two components are multiplied to derive risk.
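Questions 46, 65 and 71 all describe the same decomposition: risk = LEF x LM, with LEF = TEF x vulnerability. The block below is an added example, not from the original page or from the FAIR standard itself, showing how that arithmetic is actually used in practice: a point estimate, and then a Monte Carlo run in which each input is a calibrated (min, most likely, max) range rather than a single number, so the output is a distribution of yearly loss rather than one figure. The PERT and Poisson helpers are written inline so the block runs with only the standard library; the input ranges are constructed for the illustration, not real estimates.

```python
import math
import random
from statistics import mean


def loss_event_frequency(tef, vulnerability):
    """FAIR: LEF = threat event frequency x vulnerability, where vulnerability
    is the probability that a threat event becomes a loss event."""
    return tef * vulnerability


def annualized_loss(lef, loss_magnitude):
    """Point estimate of annualized loss exposure: LEF x loss magnitude."""
    return lef * loss_magnitude


def pert_sample(rng, low, likely, high, shape=4.0):
    """Draw from a PERT distribution given min / most likely / max, the
    calibrated-estimate form FAIR analyses usually collect."""
    if high == low:
        return low
    a = 1 + shape * (likely - low) / (high - low)
    b = 1 + shape * (high - likely) / (high - low)
    return low + rng.betavariate(a, b) * (high - low)


def poisson_sample(rng, rate):
    """Number of loss events in one year for an average rate (Knuth's method)."""
    limit = math.exp(-rate)
    count, p = 0, 1.0
    while True:
        p *= rng.random()
        if p < limit:
            return count
        count += 1


def simulate_ale(tef, vulnerability, loss_magnitude, years=10000, seed=7):
    """Monte Carlo annualized loss exposure.  Each argument is a
    (min, likely, max) triple.  Returns the mean and percentiles of the
    simulated yearly loss; the seed makes the run reproducible."""
    rng = random.Random(seed)
    yearly = []
    for _ in range(years):
        lef = loss_event_frequency(pert_sample(rng, *tef),
                                   pert_sample(rng, *vulnerability))
        events = poisson_sample(rng, lef)
        # Each loss event draws its own magnitude; zero events means zero loss.
        yearly.append(sum(pert_sample(rng, *loss_magnitude) for _ in range(events)))
    yearly.sort()
    return {
        "mean": mean(yearly),
        "p50": yearly[len(yearly) // 2],
        "p90": yearly[int(0.9 * len(yearly))],
    }


if __name__ == "__main__":
    # Point estimate: 2 ransomware attempts a year, 25% succeed, 400k per event.
    print("point ALE:", annualized_loss(loss_event_frequency(2.0, 0.25), 400_000))
    # Constructed ranges: TEF per year, vulnerability, loss magnitude in currency.
    result = simulate_ale((0.5, 2, 4), (0.1, 0.3, 0.6), (50_000, 300_000, 1_500_000))
    print({k: round(v) for k, v in result.items()})
```

The simulated median is usually far below the mean, because most years see no loss event at all while a few see several expensive ones. That gap is why FAIR practitioners report percentiles alongside the mean: a budget built on the mean alone understates what a bad year looks like.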

72
MCQmedium

An organization is implementing COBIT 2019 and the board has requested assurance that risk management activities are aligned with business objectives. Which governance objective is primarily focused on ensuring risk optimization through evaluation, direction, and monitoring?

A.EDM01 — Ensure Governance Framework Setting and Maintenance
B.EDM02 — Ensure Benefits Delivery
C.EDM03 — Ensure Risk Optimization
D.EDM04 — Ensure Resource Optimization
AnswerC

Correct. EDM03 directly addresses the evaluation, direction, and monitoring of risk management.

Why this answer

EDM03 (Ensure Risk Optimization) is the COBIT governance objective that specifically addresses the evaluation, direction, and monitoring of risk management to align with enterprise objectives.

73
MCQ · medium

An organization is designing an IT risk management program. Which of the following should be the PRIMARY consideration when developing a risk register?

A. Aligning risk categories with the COSO internal control framework
B. Ensuring that the register is integrated with the enterprise risk management system
C. Automating the risk register with real-time risk monitoring tools
D. Capturing risk details, including impact, likelihood, and mitigation status
Answer: D

The risk register must contain key risk attributes for tracking and reporting.

Why this answer

A risk register should capture and track identified risks, their assessed impact and likelihood, and planned mitigation actions to enable effective risk management.

74
MCQ · medium

A financial institution is evaluating cyber insurance to cover potential losses from a ransomware attack. Which factor is most likely to increase the insurance premium?

A. Weak access controls and lack of multi-factor authentication
B. Regular third-party security audits
C. Comprehensive security awareness training for all employees
D. Implementation of multi-factor authentication across all systems
Answer: A

Higher assessed risk leads to a higher premium.

Why this answer

Weak access controls (e.g., lack of multi-factor authentication) increase the likelihood and potential impact of a ransomware attack, leading insurers to charge higher premiums.

75
MCQ · medium

A large retail company is implementing a new cloud-based inventory management system. The system will store sensitive customer data and integrate with the existing on-premises ERP. The risk manager is asked to identify the most critical risk to address in the shared responsibility model. Which risk is MOST likely to be overlooked?

A. Vendor lock-in
B. Multi-tenancy isolation
C. Misconfiguration of access controls
D. Data sovereignty compliance
Answer: C

Access control misconfiguration is a leading cause of cloud data breaches and is often underestimated in the shared responsibility model.

Why this answer

In the shared responsibility model, the customer remains responsible for data classification and access controls regardless of the provider's security measures. Misconfiguration of those access controls is a commonly overlooked risk that can lead to data breaches.

