SSCP · topic practice

Risk Identification, Monitoring and Analysis practice questions

Practise Systems Security Certified Practitioner (SSCP) questions for the Risk Identification, Monitoring and Analysis domain: original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Risk Identification, Monitoring and Analysis

What the exam tests

What to know about Risk Identification, Monitoring and Analysis

Risk Identification, Monitoring and Analysis questions test whether you can apply the concept in context, not just recognise a definition. The questions cover:

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Watch out for

Common Risk Identification, Monitoring and Analysis exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Risk Identification, Monitoring and Analysis questions

20 questions · select your answer, then reveal the explanation

Question 1 · easy · multiple choice

A security analyst notices repeated failed login attempts from a single IP address on the VPN gateway. The analyst adjusts the threshold for account lockout and enables geo-ip blocking. This activity is part of which risk management process?

Question 2 · medium · multiple choice

During a quarterly risk review, a hospital's security team identifies that legacy medical devices cannot be patched and run outdated operating systems. Which risk treatment strategy is most appropriate for these devices?

A SOC analyst reviews an alert for a user who downloaded a large amount of data from a sensitive database at 3:00 AM. The user's manager confirms the user was not on call. Which type of risk indicator is this activity best described as?

An organization wants to identify risks related to a new cloud-based customer relationship management (CRM) system. Which approach would best identify threats and vulnerabilities specific to this system?

After a security incident, the CISO asks for a report detailing which assets were affected, the attack vector, and the financial impact. Which of the following best describes this report?

A financial institution uses a quantitative risk analysis to evaluate a new online payment system. The asset value is $5 million, the exposure factor is 40%, and the annualized rate of occurrence (ARO) is 0.5. What is the annualized loss expectancy (ALE)?

A security team discovers that an employee's credentials were used to access the HR database from an unrecognized IP address in a foreign country. The employee is currently in the office. Which risk identification technique is most directly responsible for detecting this anomaly?

During a risk assessment, the team identifies that a critical database server is not included in the backup schedule. Which risk term best describes this condition?

Which TWO of the following are primary purposes of a risk register?

Which THREE of the following are common techniques for identifying risks?

Which TWO of the following are examples of key risk indicators (KRIs)?

Question 12 · medium · multiple choice

Refer to the exhibit. A security analyst reviews these logs from a server. What immediate risk is most indicated by this log pattern?

Exhibit


Oct 15 09:23:45 server01 sshd[1234]: Failed password for root from 192.168.1.100 port 22 ssh2
Oct 15 09:23:46 server01 sshd[1234]: Failed password for root from 192.168.1.100 port 22 ssh2
Oct 15 09:23:47 server01 sshd[1234]: Failed password for root from 192.168.1.100 port 22 ssh2
Oct 15 09:23:48 server01 sshd[1234]: Failed password for root from 192.168.1.100 port 22 ssh2
Oct 15 09:23:49 server01 sshd[1234]: Failed password for root from 192.168.1.100 port 22 ssh2
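The exhibit above is the kind of pattern a monitoring rule should surface automatically rather than leave to a human reading raw logs. The following is an added example, not part of the question set or the site's material: it parses sshd "Failed password" lines, groups them by source address, and flags any address that crosses a threshold within a sliding time window, then labels the pattern as a single-account brute force or a multi-account spray. The five failed-password lines are the exhibit's own; the final "Accepted publickey" line, the year used for timestamps (syslog lines carry none), and the threshold and window values are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# The five "Failed password" lines are the exhibit from Question 12.
# The last line is a constructed benign entry so the detector has something to ignore.
SAMPLE_LOG = """\
Oct 15 09:23:45 server01 sshd[1234]: Failed password for root from 192.168.1.100 port 22 ssh2
Oct 15 09:23:46 server01 sshd[1234]: Failed password for root from 192.168.1.100 port 22 ssh2
Oct 15 09:23:47 server01 sshd[1234]: Failed password for root from 192.168.1.100 port 22 ssh2
Oct 15 09:23:48 server01 sshd[1234]: Failed password for root from 192.168.1.100 port 22 ssh2
Oct 15 09:23:49 server01 sshd[1234]: Failed password for root from 192.168.1.100 port 22 ssh2
Oct 15 09:30:02 server01 sshd[1290]: Accepted publickey for deploy from 10.0.0.5 port 51512 ssh2
"""

# Matches the OpenSSH failed-password message, including the "invalid user" variant.
LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text, year=2024):
    """Return a list of (timestamp, user, source_ip) for every failed-password line.

    Syslog lines carry no year, so one is assumed (constructed default)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated messages are ignored
        ts = datetime.strptime(
            f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S"
        )
        events.append((ts, m["user"], m["ip"]))
    return events


def find_bruteforce(events, threshold=5, window_seconds=60):
    """Return {ip: finding} for each source IP with >= threshold failures inside
    any window of window_seconds. Threshold and window are assumed tuning values."""
    by_ip = defaultdict(list)
    for ts, user, ip in events:
        by_ip[ip].append((ts, user))

    findings = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until it fits within window_seconds.
            while (attempts[end][0] - attempts[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                users = sorted({u for _, u in attempts[start : end + 1]})
                findings[ip] = {
                    "count": end - start + 1,
                    "users": users,
                    "first": attempts[start][0],
                    "last": attempts[end][0],
                }
                break  # one finding per IP is enough for an alert
    return findings


def classify(finding):
    """Distinguish one account being hammered from many accounts being sprayed."""
    if len(finding["users"]) == 1:
        return f"brute force against '{finding['users'][0]}'"
    return "password spraying across accounts"


if __name__ == "__main__":
    for ip, f in find_bruteforce(parse_failures(SAMPLE_LOG)).items():
        print(f"{ip}: {f['count']} failures between {f['first']:%H:%M:%S} and "
              f"{f['last']:%H:%M:%S} ({classify(f)})")
```

Run against the exhibit, the detector reports one source address with five failures for root inside four seconds. The same function fed a log with failures spread across many usernames would label the activity as spraying, which is the distinction the risk indicator questions on this page turn on.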

Refer to the exhibit. A security engineer is reviewing an S3 bucket policy. Which risk is most directly introduced by this policy?

Exhibit


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "10.0.0.0/8"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::example-bucket",
      "Principal": "*"
    }
  ]
}
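Reading a bucket policy for exposure comes down to one question per statement: who is the Principal, and is the grant conditioned? The following is an added example, not part of the question set or the site's material: it loads the exhibit policy, flags every Allow statement whose Principal is anonymous (`"*"` or `{"AWS": "*"}`) and reports whether a Condition limits it, then shows the corrected form with the wildcard replaced by a named principal. The role ARN used in the hardened copy and the account number in it are constructed placeholders.

```python
import json

# The bucket policy from the exhibit in Question 13, embedded so the check runs offline.
EXHIBIT_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "10.0.0.0/8"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::example-bucket",
      "Principal": "*"
    }
  ]
}"""


def _as_list(value):
    """IAM allows scalars or lists for Statement, Action, Resource and principals."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_anonymous_principal(principal):
    """True when a statement grants to everyone: "*" or {"AWS": "*"} (or "*" in any
    principal list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for v in principal.values() for p in _as_list(v))
    return False


def find_public_statements(policy_json):
    """Return one finding per Allow statement with an anonymous Principal.

    'conditioned' records whether a Condition block is present at all; a
    conditioned wildcard grant still deserves review, an unconditioned one is
    public access."""
    policy = json.loads(policy_json)
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if not is_anonymous_principal(stmt.get("Principal")):
            continue
        findings.append({
            "index": index,
            "actions": _as_list(stmt.get("Action")),
            "resources": _as_list(stmt.get("Resource")),
            "conditioned": "Condition" in stmt,
        })
    return findings


def restrict_principal(policy_json, principal_arn):
    """Return a copy of the policy with every anonymous Principal replaced by
    the given IAM principal ARN (the corrected form of the exhibit)."""
    policy = json.loads(policy_json)
    for stmt in _as_list(policy.get("Statement")):
        if is_anonymous_principal(stmt.get("Principal")):
            stmt["Principal"] = {"AWS": principal_arn}
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    for f in find_public_statements(EXHIBIT_POLICY):
        state = "conditioned" if f["conditioned"] else "UNCONDITIONED"
        print(f"statement {f['index']}: {f['actions']} on {f['resources']} "
              f"granted to everyone ({state})")
    # Constructed placeholder principal; substitute the real role or account.
    print(restrict_principal(EXHIBIT_POLICY, "arn:aws:iam::123456789012:role/ExampleRole"))
```

On the exhibit the check flags the second statement only: `s3:ListBucket` on the bucket is granted to `Principal: "*"` with no Condition, so anyone can enumerate object names. The first statement is not flagged because it carries no anonymous Principal and is bounded by a source-IP condition. The same checker can be pointed at any policy document exported from an account to inventory wildcard grants before they are deployed.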
Question 14 · hard · multiple choice

You are the security analyst for a mid-sized e-commerce company that processes credit card payments. The company uses a legacy payment application on a Windows Server 2012 R2 system, which is scheduled for decommission in six months. The server is isolated in a separate VLAN with strict firewall rules allowing only outbound HTTPS to the payment processor and inbound management from a jump box on a different subnet. During a routine vulnerability scan, you discover that the server is missing over 50 critical patches, including one for a remote code execution vulnerability (CVE-2023-XXXX) that is being actively exploited in the wild. The server cannot be patched because the vendor stopped support and patches are not available. The company's risk appetite is low due to PCI DSS requirements. You need to recommend a course of action that balances risk reduction with business continuity. What should you do?

You are a risk analyst at a healthcare organization. The organization recently deployed a new electronic health records (EHR) system. During the first month of operation, the IT helpdesk received multiple reports from doctors that the system becomes unresponsive for 10-15 seconds several times a day. The EHR vendor attributes this to insufficient database connection pooling, but the organization's system administrator notes that the database server's CPU and memory utilization never exceed 30%. The organization has a risk management policy that requires any system with availability <99.5% to be treated as a high risk. Based on initial data, the system has been unavailable for about 0.1% of the time (excluding planned maintenance). However, doctors report that the brief unresponsiveness is causing frustration and potential misdiagnosis due to interrupted workflows. You need to recommend a risk treatment approach. What should you do?

Question 16 · medium · drag order

Drag and drop the steps to configure a static route on a Cisco IOS router into the correct order.

Steps and order slots (1 to 5): arrange the five steps in sequence.

Drag and drop the steps for properly disposing of a hard drive containing sensitive data into the correct order.

Steps and order slots (1 to 5): arrange the five steps in sequence.

Match each security control type to its example.

Concepts to match:

  • Firewall
  • IDS
  • Backup restoration
  • Warning signs

Match each security policy type to its purpose.

Descriptions to match:

  • Defines proper use of resources
  • Requirements for password strength
  • Categorizes data sensitivity
  • Procedures for handling breaches

A security analyst notices a sudden increase in failed login attempts from a single IP address across multiple user accounts. Which risk response strategy is most appropriate to implement immediately?



Frequently asked questions

What does the SSCP exam test about Risk Identification, Monitoring and Analysis?
Risk Identification, Monitoring and Analysis questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Risk Identification, Monitoring and Analysis questions in a focused session?
Yes — the session launcher on this page draws every question from the Risk Identification, Monitoring and Analysis domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other SSCP topics?
Use the topic links above to move to related areas, or go back to the SSCP question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the SSCP exam covers. They are not copied from any real exam or dump site.