CCNA Crisc Risk Identification Questions

20 of 95 questions · Page 2/2 · Crisc Risk Identification topic · Answers revealed

76
MCQ · medium

A security analyst is using a threat modeling approach that focuses on identifying threats based on the system's requirements and design. Which threat modeling methodology is being used?

A. TRIKE
B. STRIDE
C. VAST
D. PASTA
Answer: A

TRIKE uses requirements and design to identify threats within a risk management framework.

Why this answer

TRIKE is a requirements-based threat modeling methodology that uses a risk management framework to identify threats based on system requirements.

77
MCQ · medium

A bank is identifying IT risks and categorizes a potential data breach as both a compliance risk (due to GDPR) and a reputational risk. This is an example of:

A. Multiple risk categories for a single risk
B. Risk aggregation
C. Improper risk classification
D. Risk scenario overlap
Answer: A

A risk can impact multiple categories simultaneously.

Why this answer

A single risk can belong to multiple categories; this is normal in risk categorization.

78
MCQ · easy

An organization is developing its IT risk universe. Which of the following is the BEST source of information for identifying potential IT risks?

A. Threat intelligence feeds from ISACs
B. Industry benchmarking reports
C. Results from the latest internal audit
D. Historical loss data from the finance department
Answer: A

ISACs provide timely, relevant threat intelligence for the organization's sector.

Why this answer

The IT risk universe should encompass all potential IT risks. Threat intelligence feeds provide current information on emerging threats, helping to identify risks that may not be captured by historical data or internal assessments alone.

79
MCQ · easy

An organization's board has issued a risk appetite statement indicating that the company is willing to accept a moderate level of operational risk but has zero tolerance for compliance violations. This statement primarily defines which of the following?

A. Risk tolerance thresholds
B. Risk criteria
C. Risk appetite
D. Risk capacity
Answer: C

This statement defines the organization's risk appetite for operational and compliance risks.

Why this answer

Risk appetite is the amount of risk the organization is willing to accept in pursuit of its objectives. The board's statement sets the overall appetite for different risk categories.

80
MCQ · medium

An organization is conducting a threat identification exercise using the STRIDE model. Which threat type would be MOST relevant when analyzing a banking application that allows fund transfers between accounts?

A. Tampering
B. Repudiation
C. Spoofing
D. Information Disclosure
Answer: A

Tampering involves unauthorized changes to data, such as modifying transfer details.

Why this answer

STRIDE includes: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. Tampering is the unauthorized modification of data, directly relevant to fund transfers where transaction amounts or destinations could be altered.

81
MCQ · medium

A risk scenario is being developed for a phishing attack leading to credential theft. Using ISACA's risk scenario template, which component would describe the 'threat event'?

A. A user clicks a malicious link in a phishing email
B. The organization's email security filter fails to block the phishing email
C. The attacker is an organized crime group based overseas
D. The compromised credentials are used to access a financial system
Answer: A

This is the specific event that initiates the risk scenario; B is a vulnerability (a failed control), C is the threat actor, and D is the consequence.

Why this answer

The threat event is the action that triggers the risk scenario. In this case, 'A user clicks a malicious link in a phishing email' is the event that leads to the compromise.

82
MCQ · hard

A risk practitioner is developing a risk scenario for a data breach caused by an insider threat. Which of the following is the MOST realistic and complete risk scenario?

A. A disgruntled employee with excessive access privileges exfiltrates customer data to a competitor, resulting in a $2 million loss.
B. A careless employee leaves a laptop unencrypted, leading to data loss, but no financial impact.
C. An external hacker uses stolen credentials to access the network and steal data, causing reputational damage.
D. A script kiddie launches a DDoS attack that disrupts service for 2 hours, causing no data loss.
Answer: A

Why this answer

Option A describes a complete scenario: a threat actor with a motive (disgruntled employee), a vulnerability (excessive access privileges), a threat event (exfiltration of customer data to a competitor), and a quantified consequence ($2 million loss). The other options each omit an element: B and D state no meaningful consequence, and C names no vulnerability and describes an external actor rather than the insider the scenario calls for.

83
MCQ · easy

During IT risk identification, which document serves as the central repository for all identified risks, their characteristics, and current status?

A. Threat model
B. Vulnerability database
C. Business impact analysis
D. Risk register
Answer: D

The risk register is the central repository for all identified risks.

Why this answer

The risk register is the formal document that captures all identified risks, their attributes, and ongoing management status.

84
MCQ · easy

During a risk assessment, the risk practitioner is identifying threats to an application. Which threat modeling technique is specifically designed to analyze application threats using categories such as Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege?

A. STRIDE
B. VAST
C. TRIKE
D. PASTA
Answer: A

Why this answer

STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege) is a threat modeling technique developed by Microsoft for identifying application security threats.
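As an added worked example for questions 80 and 84 (not part of the original question set, and not Microsoft's or ISACA's code): STRIDE is rarely applied to a whole application at once. The usual practice is STRIDE-per-element, in which the application is drawn as a data-flow diagram and each element type is checked only against the categories it is exposed to (Microsoft's chart: external entities for S and R; processes for all six; data stores for T, R, I, D; data flows for T, I, D), with flows that cross a trust boundary examined first. The snippet below encodes that chart and runs it over a constructed, illustrative model of the fund-transfer feature from question 80; the element names and trust-zone labels are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Microsoft's STRIDE-per-element chart: the categories each DFD element type is
# normally exposed to. S=Spoofing, T=Tampering, R=Repudiation,
# I=Information Disclosure, D=Denial of Service, E=Elevation of Privilege.
STRIDE_PER_ELEMENT: Dict[str, str] = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TRID",
    "data_flow": "TID",
}

STRIDE_NAMES: Dict[str, str] = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information Disclosure",
    "D": "Denial of Service",
    "E": "Elevation of Privilege",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str   # key of STRIDE_PER_ELEMENT other than "data_flow"
    zone: str   # trust zone the element sits in (assumed labels)


@dataclass(frozen=True)
class Flow:
    name: str
    src: str    # Element.name
    dst: str    # Element.name


@dataclass(frozen=True)
class Threat:
    target: str             # element or flow name
    category: str           # full STRIDE category name
    crosses_boundary: bool  # only meaningful for flows


def enumerate_threats(elements: List[Element], flows: List[Flow]) -> List[Threat]:
    """Apply the STRIDE-per-element chart to every element and flow in the model."""
    zone_of = {e.name: e.zone for e in elements}
    threats: List[Threat] = []
    for e in elements:
        for code in STRIDE_PER_ELEMENT[e.kind]:
            threats.append(Threat(e.name, STRIDE_NAMES[code], False))
    for f in flows:
        crosses = zone_of[f.src] != zone_of[f.dst]
        for code in STRIDE_PER_ELEMENT["data_flow"]:
            threats.append(Threat(f.name, STRIDE_NAMES[code], crosses))
    return threats


def categories_for(threats: List[Threat], target: str) -> List[str]:
    """STRIDE categories raised against one element or flow, in chart order."""
    return [t.category for t in threats if t.target == target]


def boundary_crossing_flows(threats: List[Threat]) -> List[str]:
    """Flows that cross a trust boundary: where analysis effort goes first."""
    return sorted({t.target for t in threats if t.crosses_boundary})


def banking_transfer_model() -> Tuple[List[Element], List[Flow]]:
    """Constructed DFD of the fund-transfer feature from question 80 (illustrative names)."""
    elements = [
        Element("Customer", "external_entity", "internet"),
        Element("Web App", "process", "dmz"),
        Element("Transfer Service", "process", "core"),
        Element("Accounts DB", "data_store", "core"),
        Element("Audit Log", "data_store", "core"),
    ]
    flows = [
        Flow("transfer request", "Customer", "Web App"),
        Flow("transfer command", "Web App", "Transfer Service"),
        Flow("debit/credit update", "Transfer Service", "Accounts DB"),
        Flow("audit record", "Transfer Service", "Audit Log"),
    ]
    return elements, flows


if __name__ == "__main__":
    els, fls = banking_transfer_model()
    found = enumerate_threats(els, fls)
    print(f"{len(found)} candidate threats")
    for t in found:
        flag = "  (crosses trust boundary)" if t.crosses_boundary else ""
        print(f"  {t.target:22s} {t.category}{flag}")
```

Each Tampering entry against the "transfer request" flow or the "Accounts DB" store is a candidate for the altered-amount or altered-destination threat the question 80 answer describes; the Repudiation entry against the "Audit Log" is the reason that store is in the model at all.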

85
MCQ · medium

An organization uses the CISA Known Exploited Vulnerabilities (KEV) catalog as a primary source for vulnerability identification. This catalog is BEST described as:

A. An application vulnerability scanning tool
B. A commercial threat intelligence feed
C. A configuration vulnerability assessment benchmark
D. A list of known exploited vulnerabilities maintained by the US government
Answer: D

CISA KEV is a government-maintained catalog of exploited vulnerabilities.

Why this answer

CISA KEV lists vulnerabilities that have been actively exploited in the wild, providing prioritized vulnerability intelligence.
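As an added example of what "prioritized vulnerability intelligence" means in practice (this is illustrative code, not CISA's and not from the original page): CISA publishes the catalog as JSON at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json, and the usual use is to join scanner findings against it so that anything CISA has seen exploited in the wild is remediated ahead of anything ranked by CVSS alone. The catalog excerpt and the scanner output below are both constructed for the example, in the feed's field layout (cveID, vendorProject, product, dateAdded, dueDate, knownRansomwareCampaignUse); the dates, scores and host names are illustrative, not a copy of the live catalog.

```python
import json
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

# Constructed excerpt in the shape of the CISA KEV JSON feed. Field values are
# illustrative and should not be read as the current catalog contents.
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "sample",
    "count": 2,
    "vulnerabilities": [
        {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
         "vulnerabilityName": "Apache Log4j2 Remote Code Execution Vulnerability",
         "dateAdded": "2021-12-10", "dueDate": "2021-12-24",
         "requiredAction": "Apply updates per vendor instructions.",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2019-0708", "vendorProject": "Microsoft",
         "product": "Remote Desktop Services",
         "vulnerabilityName": "Microsoft Remote Desktop Services Remote Code Execution Vulnerability",
         "dateAdded": "2021-11-03", "dueDate": "2022-05-03",
         "requiredAction": "Apply updates per vendor instructions.",
         "knownRansomwareCampaignUse": "Known"},
    ],
})

# Constructed scanner output: one row per (host, CVE). CVSS values are illustrative.
SCAN_FINDINGS = [
    {"host": "web-01", "cve": "CVE-2021-44228", "cvss": 10.0},
    {"host": "db-02", "cve": "CVE-2017-5754", "cvss": 5.6},
    {"host": "rdp-gw", "cve": "CVE-2019-0708", "cvss": 9.8},
    {"host": "app-03", "cve": "CVE-2021-44228", "cvss": 10.0},
]


@dataclass
class KevEntry:
    cve: str
    product: str
    date_added: date
    due_date: date
    ransomware: bool


def load_kev(feed_json: str) -> Dict[str, KevEntry]:
    """Index the KEV feed by CVE ID, parsing dates so they sort correctly."""
    index: Dict[str, KevEntry] = {}
    for v in json.loads(feed_json)["vulnerabilities"]:
        index[v["cveID"]] = KevEntry(
            cve=v["cveID"],
            product=f'{v["vendorProject"]} {v["product"]}',
            date_added=date.fromisoformat(v["dateAdded"]),
            due_date=date.fromisoformat(v["dueDate"]),
            ransomware=v.get("knownRansomwareCampaignUse", "Unknown") == "Known",
        )
    return index


def prioritize(findings: List[dict], kev: Dict[str, KevEntry], today: date) -> List[dict]:
    """KEV hits first (overdue before not-yet-due, then earliest due date, then
    ransomware-linked ahead of others); everything else afterwards by CVSS.
    Each returned row carries the fields that explain its rank."""
    rows = []
    for f in findings:
        row = dict(f)
        entry = kev.get(f["cve"])
        row["in_kev"] = entry is not None
        if entry is not None:
            row["due"] = entry.due_date.isoformat()
            row["overdue"] = entry.due_date < today
            row["ransomware"] = entry.ransomware
        rows.append(row)

    def rank(r: dict):
        if r["in_kev"]:
            return (0, 0 if r["overdue"] else 1, r["due"], 0 if r["ransomware"] else 1, -r["cvss"])
        return (1, 1, "9999-12-31", 1, -r["cvss"])

    return sorted(rows, key=rank)


if __name__ == "__main__":
    catalog = load_kev(KEV_SAMPLE)
    for r in prioritize(SCAN_FINDINGS, catalog, date.today()):
        tag = f'KEV due {r["due"]}' if r["in_kev"] else "not in KEV"
        print(f'{r["host"]:8s} {r["cve"]:16s} cvss={r["cvss"]:<4} {tag}')
```

The join is the whole point: the scanner's CVSS column is a severity estimate, whereas KEV membership is evidence of exploitation, so the non-KEV finding drops to the bottom of the queue regardless of its score, and the due-date field gives the remediation deadline that federal agencies are bound to (and that many private organizations adopt as a benchmark).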

86
Multi-Select · medium

A risk practitioner is developing risk scenarios for a new cloud service. Which THREE of the following elements should be included in a complete risk scenario?

Select 3 answers
A. Threat event
B. Threat actor
C. Consequence
D. Response plan
E. Detection mechanism
Answers: A, B, C

Why this answer

A complete risk scenario includes a threat actor, a threat event, and a consequence. Asset/resource is also important but not listed in the options; timing, detection, and response are supplementary. The three core elements from the list are threat actor, threat event, and consequence.

87
Multi-Select · easy

An IT risk manager is categorizing risks identified during a recent assessment. Which TWO categories would include the risk of a system outage caused by a software bug?

Select 2 answers
A. Operational risk
B. Compliance risk
C. Strategic risk
D. Financial risk
E. Reputational risk
Answers: A, D

System outages are operational failures.

Why this answer

A system outage due to a software bug is an operational risk (failure in IT operations) and can also be considered a financial risk if it leads to revenue loss or penalties.

88
MCQ · medium

An organization is implementing a new cloud-based customer relationship management (CRM) system. Which of the following risk categories would BEST describe the risk of the CRM system failing to meet performance expectations?

A. Compliance risk
B. Strategic risk
C. Operational risk
D. Reputational risk
Answer: C

System performance failure is an operational risk.

Why this answer

Operational risk includes failures in internal processes, people, systems, or external events. Performance failure of a new system is an operational risk.

89
Multi-Select · easy

An organization is creating a risk register for its IT risk universe. The risk manager needs to categorize risks to align with the enterprise risk management framework. Which TWO risk categories are most commonly used in IT risk identification?

Select 2 answers
A. Operational
B. Financial
C. Reputational
D. Compliance
E. Strategic
Answers: A, D

Operational risk covers IT system failures, process errors, and disruptions, making it a key category for IT risks.

Why this answer

Operational risk includes IT failures, and compliance risk includes regulatory violations. Strategic, financial, and reputational are also common but less directly tied to IT risk identification.

90
MCQ · hard

A risk practitioner is using the ISACA risk scenario template to document a scenario. The template includes elements such as threat actor, threat type, event, asset/resource, timing, detection, and response. Which element describes the likelihood that the threat event will occur within a specific timeframe?

A. Threat type
B. Timing
C. Response
D. Detection
Answer: B

Timing addresses when the event could occur and its probability within that period.

Why this answer

The 'timing' element in the ISACA scenario template captures when the event might occur and the likelihood within that timeframe, which is a key factor in determining risk probability.

91
MCQ · medium

An organization is updating its IT risk universe. Which of the following is the MOST important factor to consider when defining the universe?

A. Historical loss data only
B. All potential IT risks regardless of likelihood, including cyber, operational, compliance, third-party, project, and change risks
C. Risks that are within the current budget to mitigate
D. Only risks that have been realized in the past year
Answer: B

The universe should be exhaustive to ensure no risks are overlooked.

Why this answer

The risk universe should be comprehensive, covering all potential risks from various sources.

92
MCQ · medium

A risk analyst is building a risk register. After identifying a list of risks, what is the NEXT step in the risk identification process according to ISACA best practices?

A. Assign risk owners
B. Categorize the risks
C. Determine risk response
D. Assess the inherent risk level
Answer: B

Categorization is the next logical step to organize risks.

Why this answer

After identification, risks should be categorized to enable proper analysis and response. Categorization helps in understanding the nature of each risk and assigning ownership.

93
MCQ · medium

When using STRIDE for threat modeling, which threat category involves an attacker gaining unauthorized access to a system by pretending to be a legitimate user?

A. Repudiation
B. Information Disclosure
C. Tampering
D. Spoofing
Answer: D

Spoofing involves impersonation to gain unauthorized access.

Why this answer

Spoofing in STRIDE refers to impersonating something or someone else to gain unauthorized access, such as using stolen credentials.

94
MCQ · medium

Which of the following threat actors is MOST likely to be motivated by financial gain and possess moderate to high technical capabilities?

A. Organized crime
B. Hacktivist
C. Nation-state APT
D. Script kiddie
Answer: A

Organized crime is financially motivated and can have high technical capabilities.

Why this answer

Organized crime groups are primarily motivated by financial gain and often have sophisticated technical skills to carry out attacks such as ransomware, data theft, or fraud.

95
MCQ · medium

In developing a risk scenario, connecting a threat event to business impact is crucial. Which of the following is the BEST example of a properly connected risk scenario?

A. A firewall misconfiguration allows unauthorized access, causing a security incident.
B. A ransomware attack encrypts files, leading to IT department overtime.
C. An insider steals data, leading to legal fees.
D. A DDoS attack causes website unavailability for 4 hours, resulting in $500,000 lost sales and customer churn.
Answer: D

Option D clearly connects the event to a quantified financial impact and a reputational one.

Why this answer

A properly connected scenario follows the chain from threat event, through the affected asset, to a measurable business consequence. Options A, B and C stop at a technical or internal effect (an incident, overtime, legal fees) without stating what the business loses.
