CCNA CRISC Risk Identification Questions

75 of 95 questions · Page 1/2 · CRISC Risk Identification topic

1 · MCQ · medium

A risk practitioner is updating the risk register after a third-party security incident. Which of the following is the MOST important information to include in the risk register entry for this third-party risk?

A. The remediation plan and the risk owner's signature
B. The date of the incident and the amount of data compromised
C. A description of the risk event, its impact, and the response taken
D. The name and contact details of the third party

Answer: C

Why this answer

The risk register should include a description of the risk event, its impact, and the response. While other details are relevant, the core of the entry is the event and its consequences.

2 · MCQ · easy

An organization is categorizing IT risks. Which of the following risk categories would include the risk of regulatory fines due to non-compliance with data protection laws?

A. Operational risk
B. Compliance risk
C. Financial risk
D. Strategic risk

Answer: B

Compliance risk directly addresses regulatory and legal violations.

Why this answer

Compliance risks involve violations of laws, regulations, or contractual obligations. Regulatory fines for data protection non-compliance fall under the compliance category.

3 · MCQ · medium

During the risk identification process, an IT risk universe is defined. Which of the following BEST describes the purpose of an IT risk universe?

A. A list of all known vulnerabilities in the organization's IT systems
B. A database of past security incidents and their root causes
C. A framework for categorizing risks into strategic, operational, financial, and compliance
D. A comprehensive inventory of all potential IT risks facing the organization

Answer: D

Correct. The IT risk universe includes all potential risks, covering threats, vulnerabilities, and impacts.

Why this answer

The IT risk universe is a comprehensive inventory of all potential IT risks that could affect the organization, serving as the foundation for further risk assessment and treatment.

4 · MCQ · medium

A risk practitioner is categorizing IT risks for a manufacturing company. Which of the following risks would be classified as an 'operational' IT risk?

A. Risk of financial loss from a ransomware payment
B. Risk of non-compliance with GDPR for customer data stored in the EU
C. Risk of production line downtime due to a server failure
D. Risk of reputational damage from a data breach

Answer: C

Correct. This directly affects operational processes.

Why this answer

Operational IT risks relate to the day-to-day functioning of IT systems and processes. Production line downtime due to a system failure directly impacts operations.

5 · Multi-Select · medium

A financial institution is identifying IT risks associated with a new mobile banking application. Which TWO threat modeling techniques are best suited for this scenario? (Select two.)

Select 2 answers
A. STRIDE
B. PASTA
C. VAST
D. TRIKE
E. OWASP Top 10

Answers: A, B

STRIDE is a classic threat modeling technique that categorizes threats for applications.

Why this answer

STRIDE is ideal for application threat modeling, and PASTA provides a risk-centric approach for critical applications.

6 · MCQ · easy

Which threat modeling technique is specifically designed to be integrated into Agile and DevSecOps processes, providing a visual and simple approach?

A. VAST
B. TRIKE
C. PASTA
D. STRIDE

Answer: A

Correct. VAST (Visual Agile and Simple Threat) is built for DevSecOps and Agile workflows.

Why this answer

VAST (Visual Agile and Simple Threat) is tailored for Agile and DevSecOps environments, emphasizing simplicity and visual representation.

7 · Multi-Select · medium

When developing realistic risk scenarios, which THREE components are essential according to the ISACA risk scenario template?

Select 3 answers
A. Threat actor
B. Asset/resource
C. Mitigation cost
D. Threat event
E. Detection speed

Answers: A, B, D

The threat actor is the entity that initiates the threat.

Why this answer

The ISACA risk scenario template includes threat actor, threat event, and asset/resource as essential components. Timing, detection, and response are also included but are not always considered essential for the basic scenario.

8 · MCQ · medium

An organization is assessing risks related to a third-party cloud provider. Which of the following is the BEST source of threat intelligence for identifying threats targeting the cloud infrastructure?

A. Government advisories
B. OSINT
C. Commercial feeds
D. ISACs

Answer: D

ISACs provide relevant, timely threat intelligence shared within the industry.

Why this answer

ISACs (Information Sharing and Analysis Centers) provide sector-specific threat intelligence and can share information about threats targeting cloud infrastructure relevant to the organization's industry.

9 · MCQ · easy

Which of the following is an example of a 'configuration vulnerability' that should be identified during vulnerability assessment?

A. A buffer overflow in a custom application
B. An SQL injection flaw in a web form
C. Default administrative passwords left unchanged on a network device
D. Missing security patches on a server

Answer: C

Correct. This is a configuration issue.

Why this answer

A configuration vulnerability arises from improper system settings. Leaving default passwords unchanged is a classic configuration weakness.

10 · Multi-Select · medium

A financial services firm is assessing vulnerabilities in its web application. The team wants to identify application-level vulnerabilities that could be exploited. Which TWO vulnerability identification techniques should be prioritized for this purpose?

Select 2 answers
A. IAST (Interactive Application Security Testing)
B. CVE database review
C. CIS Benchmarks comparison
D. SAST (Static Application Security Testing)
E. DAST (Dynamic Application Security Testing)

Answers: D, E

SAST analyzes source code for vulnerabilities early in the development lifecycle, making it effective for application vulnerability identification.

Why this answer

SAST (Static Application Security Testing) analyzes source code for vulnerabilities, and DAST (Dynamic Application Security Testing) tests running applications. IAST combines both but is less common. CVE database and CIS Benchmarks are asset- and configuration-focused, not application-specific.

11 · MCQ · hard

A company's risk appetite statement says it is willing to accept moderate levels of operational risk but has low tolerance for compliance risk. During risk identification, which of the following scenarios should be IMMEDIATELY escalated to senior management?

A. A planned system upgrade may cause two hours of downtime during a maintenance window
B. A vendor is late in delivering a software patch for a low-severity bug
C. A new cloud service may inadvertently expose customer PII due to misconfiguration
D. An employee mistakenly deletes a non-critical test database

Answer: C

Correct. This involves compliance risk (data protection) and low tolerance.

Why this answer

Given the low tolerance for compliance risk, any potential compliance violation (like PII exposure) must be escalated immediately, even if operational risk is moderate.

12 · MCQ · medium

A risk manager is categorizing IT risks. Which risk category would a potential fine for violating GDPR be assigned to?

A. Operational
B. Financial
C. Strategic
D. Compliance

Answer: D

GDPR fines are a compliance risk.

Why this answer

Compliance risk involves violations of laws, regulations, or contractual obligations.

13 · Multi-Select · hard

A risk manager is developing a risk scenario for a potential data breach involving a third-party cloud provider. According to the ISACA risk scenario template, which THREE elements must be included? (Select three.)

Select 3 answers
A. Asset/resource
B. Consequence
C. Control effectiveness
D. Risk owner
E. Threat actor

Answers: A, B, E

The asset affected (e.g., customer data) is a key element.

Why this answer

The ISACA template includes actor, threat type, event, asset, timing, detection, and consequence. Actor, event, and consequence are essential.

14 · MCQ · medium

An organization has a risk register that includes risks related to regulatory compliance, such as GDPR and SOX. The risk practitioner is now categorizing these risks. Which risk category would BEST fit these compliance-related risks?

A. Financial risk
B. Operational risk
C. Compliance risk
D. Strategic risk

Answer: C

Why this answer

Compliance risks refer to risks associated with violations of laws, regulations, or contractual obligations. GDPR and SOX are regulatory requirements, so they fall under compliance risk.

15 · MCQ · easy

An organization uses threat intelligence feeds from an Information Sharing and Analysis Center (ISAC). What is the PRIMARY benefit of using ISACs?

A. They facilitate sharing of sector-specific threat intelligence
B. They provide free antivirus software to members
C. They offer legally binding threat response protocols
D. They replace the need for internal threat hunting

Answer: A

Correct. ISACs are community-driven organizations that share relevant threat data.

Why this answer

ISACs provide sector-specific threat intelligence and enable trusted information sharing among members, often with real-time alerts on relevant threats.

16 · MCQ · hard

A financial services firm uses SAST and DAST tools in its application security testing. However, they are struggling to prioritize vulnerabilities from the large number of findings. Which additional technique would BEST help identify the most critical vulnerabilities in the context of business risk?

A. OWASP ZAP automated scanner
B. Manual penetration testing
C. CVE database search
D. IAST (Interactive Application Security Testing)

Answer: D

IAST provides accurate, context-aware results with fewer false positives.

Why this answer

IAST combines SAST and DAST with runtime analysis to pinpoint vulnerabilities that are actually exploitable in the running application, reducing false positives and focusing on business-critical issues.

17 · MCQ · medium

An organization's board has set a risk appetite statement that says: 'We accept moderate levels of operational risk but will not tolerate any compliance violations.' During risk identification, which type of risk should be given the HIGHEST priority?

A. Reputational risks
B. Compliance risks
C. Operational risks
D. Strategic risks

Answer: B

Zero tolerance makes compliance risks the highest priority.

Why this answer

Given the zero-tolerance for compliance violations, compliance risks must be prioritized to ensure they are identified and managed accordingly.

18 · MCQ · hard

During a threat modeling exercise using the STRIDE methodology, a security analyst identifies a threat where an attacker can modify data in transit between a web server and database. Which STRIDE category does this threat belong to?

A. Repudiation
B. Tampering
C. Spoofing
D. Information Disclosure

Answer: B

Tampering is the modification of data.

Why this answer

Tampering involves unauthorized modification of data, which is the 'T' in STRIDE.

19 · MCQ · medium

Which of the following BEST describes the difference between a threat actor who is a 'hacktivist' and one who is an 'organized crime' actor?

A. Hacktivists are motivated by ideology; organized crime actors are motivated by financial gain
B. Hacktivists target only government entities; organized crime targets only businesses
C. Hacktivists are always insiders; organized crime actors are external
D. Hacktivists use advanced persistent threats (APTs); organized crime uses commodity malware

Answer: A

Correct. This aligns with common definitions.

Why this answer

Hacktivists are typically motivated by political or social causes, while organized crime groups are primarily financially motivated.

20 · MCQ · medium

During a vulnerability assessment, a risk practitioner identifies that a web application is vulnerable to SQL injection, which is listed in the OWASP Top 10. Which type of vulnerability identification technique MOST likely discovered this issue?

A. SAST (Static Application Security Testing)
B. CIS Benchmarks comparison
C. DAST (Dynamic Application Security Testing)
D. DISA STIG scanning

Answer: C

Why this answer

DAST (Dynamic Application Security Testing) tests the running application for vulnerabilities like SQL injection by simulating attacks. SAST is static code analysis; IAST is interactive testing.

21 · MCQ · hard

When developing IT risk scenarios, connecting them to business impact is critical. Which of the following BEST describes how a risk practitioner should link a technical scenario to business impact?

A. Assign a likelihood rating and an inherent risk score
B. Quantify the impact in terms of financial loss, regulatory penalty, and operational disruption
C. Describe the technical steps of the attack in detail
D. Reference industry benchmarks for similar scenarios

Answer: B

Correct. This directly links the scenario to business-relevant consequences.

Why this answer

The correct approach is to map the technical scenario to specific business outcomes such as financial loss, regulatory penalties, or reputational damage, allowing management to understand the significance.

22 · MCQ · medium

A company is developing risk scenarios for business impact analysis. Which of the following scenario components directly links the risk event to potential financial loss?

A. Vulnerability
B. Threat actor
C. Consequence
D. Asset

Answer: C

Consequence captures the impact, such as financial loss.

Why this answer

The consequence describes the outcome of the risk event, which includes financial loss. Other components describe the cause or context but not the impact.

23 · MCQ · hard

An organization uses the PASTA threat modeling methodology. In which stage would the team identify threat agents and their capabilities?

A. Define objectives
B. Threat analysis
C. Vulnerability analysis
D. Decompose application

Answer: B

Stage 3 analyzes threats, including threat agents.

Why this answer

PASTA's third stage involves profiling threat agents and their capabilities.

24 · MCQ · easy

Which of the following is a threat intelligence source that provides information about known exploited vulnerabilities, maintained by a government agency?

A. OSINT
B. NVD
C. CISA KEV
D. ISACs

Answer: C

Why this answer

CISA KEV (Known Exploited Vulnerabilities catalog) is maintained by the U.S. Cybersecurity and Infrastructure Security Agency and provides a list of vulnerabilities that have been exploited in the wild.

25 · MCQ · easy

Which type of threat actor is characterized by having significant resources, advanced skills, and often state-sponsored objectives?

A. Script kiddies
B. Organized crime
C. Nation-state APTs
D. Hacktivists

Answer: C

Nation-state APTs are highly resourced and state-backed.

Why this answer

Nation-state Advanced Persistent Threats (APTs) are sophisticated, well-funded, and often state-sponsored.

26 · MCQ · medium

Which of the following is the PRIMARY source for identifying known software vulnerabilities in a systematic manner?

A. OSINT feeds from social media
B. CIS Benchmarks
C. National Vulnerability Database (NVD)
D. OWASP Top 10

Answer: C

Correct. NVD is the authoritative source for CVE data and vulnerability scoring.

Why this answer

The National Vulnerability Database (NVD) is the U.S. government repository of standards-based vulnerability management data, including CVE entries and severity scores.

27 · MCQ · hard

A multinational corporation uses commercial threat intelligence feeds and participates in an ISAC. However, they recently missed a critical vulnerability exploited in the wild that was not in their feeds. Which additional source should they incorporate to improve vulnerability identification?

A. CISA KEV catalog
B. NVD database
C. OSINT from social media
D. Vendor advisories only

Answer: A

CISA KEV is a focused, authoritative source for known exploited vulnerabilities.

Why this answer

CISA's Known Exploited Vulnerabilities (KEV) catalog is a government advisory that lists vulnerabilities actively exploited. It provides timely, actionable data that commercial feeds may not include immediately.

28 · Multi-Select · medium

A risk practitioner is identifying vulnerabilities in an organization's IT environment. Which TWO of the following are examples of 'operational vulnerability identification'? (Choose two.)

Select 2 answers
A. SQL injection vulnerability in a web application
B. Lack of segregation of duties in IT administration
C. Default passwords on network devices
D. Inadequate change management processes leading to unauthorized changes
E. Missing security patches on critical servers

Answers: B, D

Correct. This is a control weakness, an operational vulnerability.

Why this answer

Option B is correct because lack of segregation of duties in IT administration is an operational vulnerability. It arises from inadequate processes and controls within the organization's operations, such as allowing a single administrator to both approve and execute changes, which increases the risk of unauthorized or malicious actions. This is a process-level weakness, not a technical flaw in a specific system or code.

Exam trap

The trap here is that candidates often confuse technical vulnerabilities (like SQL injection or missing patches) with operational vulnerabilities, failing to distinguish between weaknesses in technology configurations versus weaknesses in processes and controls.

29 · MCQ · medium

A financial institution uses threat intelligence from an Information Sharing and Analysis Center (ISAC). This is an example of which type of threat intelligence source?

A. Open-source intelligence (OSINT)
B. Government advisories
C. ISAC
D. Commercial feeds

Answer: C

ISACs are sector-specific threat intelligence sharing organizations.

Why this answer

ISACs are industry-specific, trusted communities for sharing threat intelligence.

30 · MCQ · hard

When performing asset-based vulnerability identification, a security analyst uses the Common Vulnerabilities and Exposures (CVE) database along with the National Vulnerability Database (NVD). Which of the following BEST describes the relationship between CVE and NVD?

A. Both databases are identical and maintained by the same organization.
B. CVE is the authoritative source for vulnerability scoring, while NVD assigns identifiers.
C. NVD lists only vulnerabilities that are actively exploited, while CVE lists all known vulnerabilities.
D. CVE provides unique identifiers for vulnerabilities, and NVD provides additional analysis including CVSS scores.

Answer: D

CVE is the ID system; NVD enriches with CVSS and other details.

Why this answer

CVE provides identifiers; NVD enriches with severity scores, impact metrics, and additional data.

31 · MCQ · medium

An organization is assessing risks related to a new cloud-based CRM system. The risk team is developing a risk scenario. Which of the following is the BEST example of a complete risk scenario following the ISACA template?

A. A DDoS attack on the CRM disrupts service, leading to operational downtime.
B. A hacker exploits a vulnerability in the CRM to steal customer data, resulting in financial loss.
C. An external attacker (actor) performs a SQL injection (threat type) to exfiltrate customer records from the CRM database (event/asset); occurs during off-hours (timing); detected by IDS after 2 hours (detection); leads to regulatory fines and reputational damage (consequence).
D. A disgruntled employee leaks data from the CRM, causing reputational damage.

Answer: C

This scenario includes all ISACA template elements.

Why this answer

A complete risk scenario includes actor, threat type, event, asset, timing, detection, and consequence.

32 · Multi-Select · medium

A risk manager is developing risk scenarios to present to the board. Which TWO elements are essential for connecting a risk scenario to business impact?

Select 2 answers
A. Threat actor motivation
B. Vulnerability score
C. Detection time
D. Consequence (e.g., financial loss)
E. Business impact statement

Answers: D, E

Consequence directly defines the business impact.

Why this answer

Consequence describes the impact, and business impact is the direct result. These two elements directly link the scenario to business outcomes.

33 · Multi-Select · easy

Which TWO of the following are examples of operational vulnerabilities that a risk practitioner might identify?

Select 2 answers
A. Insufficient security awareness training for employees
B. Phishing emails targeting senior executives
C. Lack of segregation of duties in financial systems
D. SQL injection vulnerability in a web application
E. Unpatched software in the production environment

Answers: A, C

Why this answer

Operational vulnerabilities include process gaps (e.g., lack of segregation of duties) and training gaps (e.g., insufficient awareness training). The other options are technical vulnerabilities or threat types.

34 · MCQ · medium

An organization is developing an IT risk universe. Which of the following is the PRIMARY purpose of creating a comprehensive IT risk universe?

A. To ensure all potential IT risks are considered and documented
B. To prioritize risks based on their financial impact
C. To assign risk owners to each identified risk
D. To calculate the aggregated risk exposure for the organization

Answer: A

Why this answer

The IT risk universe captures all potential IT-related risks across the enterprise, ensuring that no significant risk area is overlooked during the risk identification process.

35 · Multi-Select · medium

During a risk identification workshop, the team identifies several vulnerabilities. Which TWO of the following are examples of operational vulnerability identification? (Select two.)

Select 2 answers
A. Inadequate access control review process
B. Outdated firewall firmware
C. Missing security patches on servers
D. Weak password policy enforcement
E. SQL injection vulnerability in the web application

Answers: A, D

A process gap is an operational vulnerability.

Why this answer

Operational vulnerabilities include process gaps, training gaps, and control weaknesses. Configuration issues and software flaws are technical vulnerabilities.

36 · Multi-Select · hard

An organization is updating its IT risk universe to include emerging threats. The CISO wants to ensure the risk register captures realistic risk scenarios. Which THREE components are essential for constructing a complete risk scenario according to ISACA's risk scenario template?

Select 3 answers
A. Event
B. Actor
C. Threat type
D. Timing
E. Detection

Answers: A, B, C

The event describes the action or occurrence (e.g., data exfiltration) that leads to impact.

Why this answer

A complete risk scenario includes actor (who), threat type (what), event (how), and asset/resource (what is affected). Timing, detection, and response are additional elements but not part of the core template.

37 · MCQ · easy

A retail company is establishing an IT risk universe. Which of the following should be included as a primary category of IT risk?

A. Market risk
B. Third-party risk
C. Inflation risk
D. Interest rate risk

Answer: B

Third-party risk is a core IT risk category.

Why this answer

The IT risk universe should include all potential IT risks, and third-party risks are a key category due to reliance on vendors.

38 · MCQ · hard

During a VAST threat modeling session for a DevSecOps pipeline, the team focuses on threats that align with agile development. Which of the following is a key advantage of VAST?

A. It requires detailed system architecture upfront
B. It replaces the need for vulnerability scanning
C. It is tailored for use in agile and DevOps environments
D. It focuses on compliance requirements only

Answer: C

VAST supports iterative development.

Why this answer

VAST is designed to integrate with agile and DevOps, providing continuous threat modeling.

39 · MCQ · hard

An organization's risk register contains a scenario: 'A nation-state actor exploits an unpatched vulnerability in a public-facing web application, leading to data exfiltration of customer PII.' According to ISACA's risk scenario template, which element is MISSING from this description?

A. Detection
B. Timing
C. Consequence
D. Vulnerability

Answer: B

Correct. The scenario does not specify when the exploit occurs (e.g., during business hours, after hours, or over a period).

Why this answer

ISACA's risk scenario template includes: actor, threat type, event, asset/resource, timing, detection, and response. The scenario lacks timing (when the event occurs or duration).

40 · MCQ · easy

Which of the following is the PRIMARY purpose of a risk register?

A. To calculate the organization's risk appetite
B. To report risks to regulatory authorities
C. To track the status of risk treatment plans
D. To document and manage identified risks throughout their lifecycle

Answer: D

This is the primary purpose of a risk register.

Why this answer

The risk register is a central repository for documenting identified risks, their analysis, and planned responses, enabling ongoing monitoring and management.

41 · MCQ · hard

During a risk identification workshop, a risk owner proposes a scenario: 'A disgruntled employee with privileged access exfiltrates customer data to a competitor.' In the context of the ISACA risk scenario template, which element is missing if the scenario only includes the actor, threat type, event, and asset?

A. Timing and detection
B. Business impact
C. Consequence
D. Vulnerability

Answer: A

Timing and detection are required by the ISACA template.

Why this answer

A complete risk scenario includes actor, threat type, event, asset/resource, timing, detection, and response. The scenario lacks timing (when the event might occur) and detection/response elements.

42 · Multi-Select · hard

During risk identification, a risk manager is reviewing threat intelligence sources. Which THREE of the following are considered legitimate sources of threat intelligence? (Choose three.)

Select 3 answers
A. Government advisories such as CISA Known Exploited Vulnerabilities (KEV) catalog
B. Unverified social media rumors
C. OSINT (Open-Source Intelligence) feeds
D. Information Sharing and Analysis Centers (ISACs)
E. Vendor sales presentations

Answers: A, C, D

Correct. Government advisories are authoritative sources.

Why this answer

OSINT (open-source intelligence), ISACs (sector-specific sharing), and government advisories (e.g., CISA KEV) are established threat intelligence sources. Social media rumor and vendor sales pitches are not reliable.

43 · MCQ · medium

A company is updating its risk register. Which of the following is the primary purpose of a risk register?

A. To define risk appetite
B. To record and track identified risks and their treatment
C. To store threat intelligence feeds
D. To document all IT assets

Answer: B

This is the main purpose of a risk register.

Why this answer

The risk register centralizes identified risks, their analysis, and treatment plans.

44 · MCQ · medium

When identifying vulnerabilities, which of the following is the BEST source for configuration-related vulnerabilities in operating systems?

A. NVD
B. CVE database
C. OWASP Top 10
D. CIS Benchmarks

Answer: D

CIS Benchmarks are widely adopted in industry.

Why this answer

CIS Benchmarks provide consensus-based configuration guidelines for secure system configurations. DISA STIGs are also configuration standards but are specific to U.S. DoD.

45 · MCQ · easy

Which threat actor is most likely motivated by political ideology and may target government systems?

A. Organized crime
B. Nation-state APT
C. Hacktivist
D. Script kiddie

Answer: C

Hacktivists are ideologically motivated.

Why this answer

Hacktivists are threat actors whose primary motivation is political ideology, social activism, or protest. They often target government systems to disrupt operations, deface websites, or leak sensitive information in order to advance their political agenda, making option C correct.

Exam trap

The trap here is confusing nation-state APTs with hacktivists because both may target government systems, but the key differentiator is motivation: nation-state APTs act for geopolitical or espionage reasons, while hacktivists are driven by political ideology and often seek public visibility.

How to eliminate wrong answers

Option A is wrong because organized crime is motivated by financial gain, not political ideology, and typically targets financial institutions or data for resale. Option B is wrong because nation-state APTs are state-sponsored actors focused on espionage, geopolitical advantage, or strategic disruption, not primarily political ideology or public protest. Option D is wrong because script kiddies are unskilled attackers using pre-made tools for notoriety or fun, lacking the ideological motivation to specifically target government systems.

46 · Multi-Select · easy

Which TWO of the following are types of insider threats?

Select 2 answers
A. Malicious
B. Nation-state
C. Hacktivist
D. Negligent
E. Script kiddie

Answers: A, D

Intentional harmful actions by insiders.

Why this answer

Insider threats can be malicious (intentional harm) or negligent (unintentional mistakes).

47 · MCQ · easy

Which of the following threat actors is MOST likely to be motivated by ideology rather than financial gain?

A. Organized crime
B. Nation-state APT
C. Script kiddie
D. Hacktivist

Answer: D

Why this answer

Hacktivists are typically motivated by political or social causes, not financial profit. Nation-state APTs may have strategic motives, organized crime is financially driven, script kiddies seek notoriety.

48 · Multi-Select · medium

A multinational corporation is developing a new e-commerce platform using microservices architecture. The security team is conducting a threat modeling exercise to identify potential application-level threats. Which TWO threat modeling methodologies are most appropriate for this DevSecOps environment?

Select 2 answers
A. VAST
B. STRIDE
C. OWASP Top 10
D. PASTA
E. TRIKE

Answers: B, D

STRIDE is a threat modeling technique commonly used to identify application threats such as spoofing, tampering, and information disclosure.

Why this answer

PASTA is a risk-focused threat modeling methodology that aligns with business objectives, and STRIDE is a classic approach for identifying application threats. VAST is tailored for Agile/DevSecOps but is less common; TRIKE is requirements-based but not as widely used for DevSecOps.

49 · MCQ · medium

An organization has identified a new vulnerability in its web application that could allow SQL injection attacks. Which of the following sources would MOST likely have been used to identify this vulnerability?

A. CIS Benchmarks
B. NVD
C. SAST
D. DISA STIG

Answer: C

SAST scans source code for security flaws such as SQL injection.

Why this answer

SAST (Static Application Security Testing) analyzes source code for vulnerabilities like SQL injection before deployment, making it a key tool for identifying application vulnerabilities.

50 · Multi-Select · medium

A risk practitioner is updating the risk register and needs to categorize risks. Which TWO of the following are standard risk categories used in IT risk management?

Select 2 answers
A. Budgetary
B. Strategic
C. Technical
D. Environmental
E. Operational

Answers: B, E

Strategic risk relates to high-level business goals.

Why this answer

Strategic and operational are standard risk categories. Financial and reputational are also common, but the question asks for the two that are standard in IT risk management frameworks. Both strategic and operational are universally recognized.

51 · MCQ · medium

A security team is using the STRIDE threat modeling methodology for a new web application. Which threat type under STRIDE would be MOST relevant to a SQL injection vulnerability?

A. Repudiation
B. Information Disclosure
C. Spoofing
D. Tampering

Answer: D

Tampering involves malicious modification of data or code.

Why this answer

SQL injection allows an attacker to tamper with data, violating integrity. STRIDE includes Tampering as the threat that involves unauthorized modification of data.

52
MCQhard

A risk practitioner is developing a risk scenario for a potential ransomware attack. Using the ISACA risk scenario template, which element describes the entity that initiates the attack?

A.Event
B.Threat type
C.Actor
D.Asset/Resource
AnswerC

Actor is the entity that performs the threat action.

Why this answer

In the ISACA risk scenario template, the 'Actor' element specifically identifies the entity that initiates or perpetrates the attack. For a ransomware attack, the actor could be an external hacker, a malicious insider, or a cybercriminal group, making option C the correct choice.

Exam trap

The trap here is confusing 'Actor' with 'Threat type' because both relate to the threat, but the Actor is the who (initiator) while Threat type is the what (category of threat).

How to eliminate wrong answers

Option A is wrong because 'Event' describes the specific incident or occurrence (e.g., ransomware encryption of files), not the initiating entity. Option B is wrong because 'Threat type' categorizes the nature of the threat (e.g., malware, social engineering), not the actor behind it. Option D is wrong because 'Asset/Resource' refers to the target or affected component (e.g., database, server), not the entity that launches the attack.

53
MCQmedium

A company is adopting a DevSecOps approach and wants to conduct threat modeling early in the development lifecycle. Which threat modeling methodology is BEST suited for this environment due to its focus on agile and continuous integration?

A.TRIKE
B.VAST
C.STRIDE
D.PASTA
AnswerB

VAST is Visual, Agile, and Simple, tailored for DevSecOps.

Why this answer

VAST is designed for DevSecOps as it integrates with agile development and provides visual, actionable threat models that can be continuously updated.

54
Multi-Selectmedium

Which THREE of the following are common consequences in an IT risk scenario?

Select 3 answers
A.Financial loss
B.Increased market share
C.Employee satisfaction
D.Regulatory penalty
E.Reputational damage
AnswersA, D, E

Financial loss is a direct monetary impact.

Why this answer

Financial loss, regulatory penalty, and reputational damage are typical consequences in risk scenarios.

55
Multi-Selecthard

A critical infrastructure organization is enhancing its threat identification capabilities. The risk team wants to leverage threat intelligence sources to identify emerging threats. Which THREE sources are most relevant for obtaining actionable threat intelligence?

Select 3 answers
A.Commercial threat feeds
B.OSINT (Open Source Intelligence)
C.Government advisories (e.g., CISA KEV)
D.Social media monitoring
E.ISACs (Information Sharing and Analysis Centers)
AnswersB, C, E

OSINT includes publicly available information such as forums, social media, and threat reports, providing broad threat visibility.

Why this answer

OSINT provides open-source threat data, ISACs offer sector-specific intelligence, and government advisories (e.g., CISA KEV) give authoritative notice of vulnerabilities known to be exploited. Commercial feeds are also widely used but are treated here as a paid supplement rather than a primary source; social media monitoring is a subset of OSINT rather than a distinct source.

56
Multi-Selecthard

A project manager is identifying risks for a new software development project using Agile methodology. Which THREE threat modeling techniques are BEST suited for Agile/DevSecOps environments?

Select 3 answers
A.TRIKE
B.VAST
C.Attack trees
D.STRIDE
E.PASTA
AnswersB, D, E

VAST is designed for Agile and DevSecOps.

Why this answer

STRIDE is lightweight and can be used in Agile. PASTA is more comprehensive but can be adapted. VAST is specifically designed for Agile and DevSecOps.

TRIKE is more requirements-heavy and less suited for Agile.

57
MCQhard

A risk practitioner is connecting a risk scenario to business impact. The scenario involves a ransomware attack that encrypts critical financial systems, resulting in a two-week outage. Which of the following is the MOST appropriate business impact category?

A.Regulatory penalty
B.Reputational damage
C.Operational disruption
D.Financial loss
AnswerC

System outage directly disrupts operations.

Why this answer

Operational disruption directly affects the organization's ability to conduct business operations, such as system outages. While financial loss may result, the primary impact is operational disruption.

58
MCQhard

In the context of threat modeling for a web application, which technique is specifically designed to be integrated into Agile and DevSecOps processes, emphasizing collaboration and visualization?

A.VAST
B.STRIDE
C.TRIKE
D.PASTA
AnswerA

VAST is built for Agile and DevSecOps with visual collaboration.

Why this answer

VAST (Visual, Agile, and Simple Threat modeling) is tailored for Agile and DevSecOps environments.

59
MCQhard

During a risk assessment, the risk practitioner develops a scenario involving a disgruntled employee exfiltrating sensitive customer data through a USB drive. The organization has a strict policy against removable media but lacks technical controls to prevent USB usage. Which element of the risk scenario is the vulnerability?

A.Data exfiltration
B.Lack of technical controls to prevent USB usage
C.Disgruntled employee
D.Sensitive customer data
AnswerB

This is the weakness that can be exploited.

Why this answer

The vulnerability is the lack of technical controls to prevent USB usage, which is a weakness that can be exploited by the threat actor (disgruntled employee) to cause the threat event (data exfiltration).

60
MCQeasy

Which of the following best describes risk capacity?

A.The acceptable risk level for each risk category
B.The total risk identified in the risk universe
C.The amount of risk the organization is willing to accept
D.The maximum risk the organization can absorb before threatening viability
AnswerD

Correct definition of risk capacity.

Why this answer

Risk capacity is the maximum level of risk an organization can absorb before its viability is threatened.

61
MCQeasy

Which of the following is a key characteristic of a well-maintained risk register?

A.It is maintained solely by the IT department
B.It is static and reviewed annually
C.It is updated regularly to reflect changes
D.It includes only high-impact risks
AnswerC

Regular updates ensure the register remains relevant.

Why this answer

A risk register must be dynamic and updated as new risks emerge or existing risks change. Regular review and updates are essential for its effectiveness.

62
Multi-Selecthard

A risk practitioner is using the TRIKE threat modeling methodology. Which TWO of the following are characteristics of TRIKE?

Select 2 answers
A.It is a requirements-based model
B.It is designed for analyzing denial-of-service threats
C.It is a visual, agile methodology for DevSecOps
D.It uses actor and asset views
E.It focuses on attack trees and threat libraries
AnswersA, D

TRIKE starts from requirements.

Why this answer

TRIKE is requirements-based and uses actor- and asset-centric views.

63
MCQmedium

A risk practitioner is creating a risk scenario for a ransomware attack. Which of the following is the BEST sequence to describe the scenario using the ISACA risk scenarios template?

A.Asset/resource, event, threat actor, timing, detection, response, threat type
B.Threat type, event, asset/resource, threat actor, timing, detection, response
C.Threat actor, threat type, event, asset/resource, timing, detection, response
D.Event, threat actor, asset/resource, timing, detection, response, threat type
AnswerC

Why this answer

The correct sequence in a risk scenario is: threat actor -> threat type -> event -> asset/resource -> timing -> detection -> response. This structure helps in understanding the complete chain of events leading to impact.

64
MCQeasy

An organization is conducting a vulnerability assessment of its IT assets. Which of the following sources is MOST authoritative for identifying known software vulnerabilities?

A.DISA STIGs
B.OWASP Top 10
C.NVD (National Vulnerability Database)
D.CIS Benchmarks
AnswerC

NVD is the primary source for CVE data.

Why this answer

The National Vulnerability Database (NVD) is the U.S. government repository of standards-based vulnerability management data, including CVEs, making it the most authoritative source.

65
Multi-Selecteasy

A risk register is being created for a new ERP implementation project. Which TWO of the following risks should be included in the project's risk register? (Choose two.)

Select 2 answers
A.Risk of data breach due to misconfigured cloud storage
B.Risk of regulatory non-compliance with new data protection laws
C.Risk of project delays due to resource shortages
D.Risk of budget overrun due to scope creep
E.Risk of hardware failure in the data center
AnswersC, D

Correct. Resource shortage is a common project risk.

Why this answer

Project risks include delays, budget overruns, and scope changes. Data breach and regulatory non-compliance are operational/compliance risks that may apply post-implementation but are not specific to the project's execution.

66
MCQhard

An organization uses the PASTA threat modeling methodology for a new e-commerce platform. Which of the following is a key characteristic of PASTA?

A.It is a requirements-based model that uses a risk management perspective
B.It uses visual diagrams to represent threats in an agile manner
C.It emphasizes business impact analysis and attack simulation
D.It focuses on agile development and integrates with DevSecOps
AnswerC

Why this answer

PASTA (Process for Attack Simulation and Threat Analysis) is a risk-centric threat modeling methodology that includes business impact analysis and attack simulation, aligning security with business objectives.

67
MCQmedium

A security analyst is reviewing CVE entries and NVD data to identify vulnerabilities in software assets. This activity is part of which vulnerability identification approach?

A.Configuration vulnerability assessment
B.Application vulnerability identification
C.Operational vulnerability identification
D.Asset-based vulnerability identification
AnswerD

Asset-based identification uses CVE/NVD to find known vulnerabilities in assets.

Why this answer

CVE and NVD are databases for known software vulnerabilities, aligning with asset-based vulnerability identification.
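
Asset-based vulnerability identification as question 67 describes it, carried out in code: the following is an added example, not from the original page, that matches a constructed software inventory against constructed CVE records whose match entries loosely follow the NVD 2.0 configurations schema (a cpe:2.3 criteria string plus versionStart/versionEnd bounds), then flags matches that also appear in a constructed excerpt of the CISA KEV feed. The two CVE identifiers are real Log4j CVEs; the inventory, the record contents and the KEV excerpt are constructed for the demo, and version comparison assumes plain dotted numeric versions.

```python
"""Added example, not from the original page: asset-based vulnerability
identification by matching an inventory against CVE/CPE records, with
CISA KEV membership used to prioritise. All data below is constructed."""

# Constructed inventory: (vendor, product, version) as exported from an asset DB.
INVENTORY = [
    ("apache", "log4j", "2.14.1"),
    ("apache", "log4j", "2.17.1"),
    ("openbsd", "openssh", "9.6"),
]

# Constructed CVE records; each match mirrors an NVD 2.0 cpeMatch entry
# (cpe:2.3 criteria plus optional version-range bounds). Real CVE ids,
# simplified ranges.
CVES = [
    {"id": "CVE-2021-44228", "matches": [
        {"criteria": "cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*",
         "versionStartIncluding": "2.0", "versionEndExcluding": "2.15.0"}]},
    {"id": "CVE-2021-45105", "matches": [
        {"criteria": "cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*",
         "versionStartIncluding": "2.0", "versionEndExcluding": "2.17.0"}]},
]

# Constructed excerpt of the KEV JSON feed (same top-level shape, one entry).
KEV_SAMPLE = {"vulnerabilities": [
    {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2"}]}


def version_tuple(version: str) -> tuple:
    """Assumption: dotted numeric versions; a '-suffix' such as -rc1 is dropped."""
    return tuple(int(p) for p in version.split("-")[0].split("."))


def cpe_fields(criteria: str) -> tuple:
    """cpe:2.3:<part>:<vendor>:<product>:<version>:... -> (vendor, product, version)."""
    parts = criteria.split(":")
    return parts[3], parts[4], parts[5]


def in_range(version: str, match: dict) -> bool:
    """Apply the four optional NVD range bounds to a version."""
    v = version_tuple(version)
    if "versionStartIncluding" in match and v < version_tuple(match["versionStartIncluding"]):
        return False
    if "versionStartExcluding" in match and v <= version_tuple(match["versionStartExcluding"]):
        return False
    if "versionEndIncluding" in match and v > version_tuple(match["versionEndIncluding"]):
        return False
    if "versionEndExcluding" in match and v >= version_tuple(match["versionEndExcluding"]):
        return False
    return True


def asset_matches(vendor: str, product: str, version: str, cve: dict) -> bool:
    """True if any cpeMatch of the CVE applies to this vendor/product/version."""
    for match in cve["matches"]:
        c_vendor, c_product, c_version = cpe_fields(match["criteria"])
        if (c_vendor, c_product) != (vendor, product):
            continue
        # A concrete version in the criteria must equal the asset version exactly;
        # '*' or '-' defers to the range bounds.
        if c_version not in ("*", "-") and version_tuple(c_version) != version_tuple(version):
            continue
        if in_range(version, match):
            return True
    return False


def identify(inventory, cves, kev) -> list:
    """Return findings (asset, cve, in_kev), KEV-listed ones first."""
    kev_ids = {entry["cveID"] for entry in kev["vulnerabilities"]}
    findings = []
    for vendor, product, version in inventory:
        for cve in cves:
            if asset_matches(vendor, product, version, cve):
                findings.append({"asset": f"{vendor}:{product}:{version}",
                                 "cve": cve["id"],
                                 "in_kev": cve["id"] in kev_ids})
    return sorted(findings, key=lambda f: (not f["in_kev"], f["asset"], f["cve"]))


if __name__ == "__main__":
    for finding in identify(INVENTORY, CVES, KEV_SAMPLE):
        print(finding)
```

With this data only the Log4j 2.14.1 asset produces findings, and the KEV-listed CVE sorts ahead of the one that is merely published, which is the prioritisation the KEV catalog is meant to drive. Against real NVD and KEV data the same logic applies once the records are fetched and the version scheme of each product is handled properly; the numeric-only version parsing here is the main simplification.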

68
MCQeasy

Which of the following best describes the purpose of an IT risk universe?

A.A catalog of all IT assets and their vulnerabilities
B.A list of all past security incidents
C.A set of risk scenarios used for quantitative analysis
D.A comprehensive inventory of all potential IT risks facing the organization
AnswerD

Correct definition of IT risk universe.

Why this answer

The IT risk universe is a comprehensive inventory of all potential IT risks that could affect the organization, serving as a foundational input for risk identification and assessment.

69
MCQmedium

During a threat modeling exercise for a new web application, the team uses STRIDE. Which threat type under STRIDE corresponds to an attacker modifying data in transit?

A.Repudiation
B.Information Disclosure
C.Tampering
D.Spoofing
AnswerC

Tampering is the unauthorized modification of data.

Why this answer

Tampering refers to unauthorized modification of data, which is a threat type in STRIDE.

70
Multi-Selectmedium

A risk analyst is identifying operational vulnerabilities. Which TWO of the following are examples of operational vulnerability identification?

Select 2 answers
A.Reviewing CIS Benchmarks for server configuration
B.Analyzing SQL injection flaws in code
C.Scanning for missing patches using a vulnerability scanner
D.Discovering lack of security awareness training
E.Identifying inadequate access controls
AnswersD, E

Training gaps are operational.

Why this answer

Operational vulnerabilities include process gaps and training gaps, not technical configuration or code flaws.

71
MCQeasy

Which of the following is a primary source of threat intelligence that provides real-time information about active cyber threats and indicators of compromise?

A.OSINT
B.OWASP Top 10
C.CIS Benchmarks
D.NVD
AnswerA

OSINT provides open-source threat data including IOCs.

Why this answer

Open Source Intelligence (OSINT) includes publicly available data like threat feeds and forums.

72
Multi-Selecthard

A company is implementing a risk identification process for third-party risks. Which THREE factors should be considered when identifying risks from a critical software vendor?

Select 3 answers
A.Number of employees at vendor
B.Vendor's compliance with relevant regulations
C.Service level agreements (SLAs)
D.Vendor's history of security incidents
E.Vendor's financial stability
AnswersB, D, E

Non-compliance can result in liability for the organization.

Why this answer

Financial health affects vendor stability, regulatory compliance affects legal risk, and security incidents affect operational risk. Service level agreements are contractual, not risk factors per se.

73
MCQmedium

A company's risk appetite statement specifies that the organization is willing to accept a moderate level of operational risk to achieve strategic agility. This statement directly influences which activity during IT risk identification?

A.Defining the IT risk universe
B.Determining the risk capacity of the organization
C.Establishing risk tolerance thresholds for operational risk
D.Selecting threat intelligence sources
AnswerC

Risk appetite translates into tolerance thresholds that guide risk identification and evaluation.

Why this answer

Risk appetite guides which risks are acceptable and helps prioritize risk scenarios, influencing the scope of risk identification.

74
Multi-Selectmedium

Which THREE of the following are common business impact categories used in risk scenarios?

Select 3 answers
A.Reputational damage
B.Financial loss
C.Strategic misalignment
D.Regulatory penalty
E.Technical downtime
AnswersA, B, D

Why this answer

Common business impact categories include financial loss, regulatory penalty, and reputational damage. Technical downtime is a cause, not an impact category; strategic misalignment is a risk factor.

75
MCQhard

An organization has a risk appetite statement that says 'We accept up to $5 million in operational losses per year.' However, a new cloud migration project is estimated to have a potential operational loss of $8 million if a critical failure occurs. The risk capacity of the organization is $20 million. What should the risk practitioner recommend?

A.Reject the project because the risk exceeds the risk appetite
B.Implement risk treatment measures to reduce the potential loss to below $5 million
C.Increase the risk appetite to $8 million to align with the project
D.Accept the risk because the risk capacity is $20 million
AnswerB

Why this answer

The potential loss ($8 million) exceeds the stated risk appetite ($5 million), so the risk cannot simply be accepted as-is. Risk capacity ($20 million) is the most the organization could absorb before its viability is threatened, not the level at which it is willing to operate, so option D is wrong. Raising the appetite to fit a single project (option C) reverses the relationship between appetite and decisions, and rejecting the project outright (option A) ignores the treatment options available. Treating the risk so that the residual exposure falls within appetite is the appropriate recommendation.
