midterm rand

Question 1

What was the effect of employee training on breach costs?

Answer 1

Organizations with high levels of employee training had breach costs USD 950,000 lower than those with low training levels.

Question 2

What factor led to the biggest cost savings in preventing data breaches?

Answer 2

Extensive use of AI and automation in prevention, saving an average of USD 2.2 million.

Question 3

How much lower were breach costs when AI and automation were used in detection, investigation, and response?

Answer 3

Between 33-43% lower compared to organizations that didn’t use AI.

Question 4

What type of data breach was the most expensive?

Answer 4

Breaches involving public cloud data, costing USD 5.17 million on average.

Question 5

What type of stored data took the longest to contain?

Answer 5

Public cloud data breaches, taking 23.3% longer than on-premises breaches.

Question 6

What is the definition of risk?

Answer 6

The effect of uncertainty on objectives​

Question 7

What is risk management?

Answer 7

Coordinated activities to direct and control an organization regarding risk.

Question 8

What are the three main components of risk?

Answer 8

Threat, vulnerability, and impact.

Question 9

What is a threat?

Answer 9

A potential cause of an unwanted incident

Question 10

What is vulnerability?

Answer 10

A weakness that can be exploited by a threat​

Question 11

What is impact in risk management?

Answer 11

The consequences of an event affecting objectives

Question 12

What are the steps in risk management?

Answer 12

Identify, assess, evaluate, treat, monitor, and review​

Question 13

What is risk avoidance?

Answer 13

A strategy to eliminate the risk by not engaging in the activity

Question 14

What is risk reduction?

Answer 14

Taking actions to minimize the likelihood or impact of a risk​

Question 15

What is risk transfer?

Answer 15

Shifting the risk to a third party (e.g., insurance)

Question 16

What does ISO 31000 focus on?

Answer 16

Risk management principles, framework, and processes

Question 16

What is risk acceptance?

Answer 16

A decision to take no action and accept the potential consequences​

Question 17

What does ISO/IEC 27005 focus on?

Answer 17

Information security risk management​

Question 18

What is the NIST Risk Management Framework (SP 800-37)?

Answer 18

A structured process integrating security and privacy risk management

Question 19

What is a control in risk management?

Answer 19

A measure taken to reduce risk

Question 20

What is qualitative risk analysis?

Answer 20

A subjective assessment of risk impact and likelihood

Question 20

What is inherent risk?

Answer 20

The risk level before any mitigation measures

Question 21

What is residual risk?

Answer 21

The remaining risk after risk treatment measures are applied

Question 22

What is risk aggregation?

Answer 22

The process of combining multiple risks for a holistic view​

Question 23

What is quantitative risk analysis?

Answer 23

A numerical approach to assessing risk

Question 24

What is an advanced persistent threat (APT)?

Answer 24

A prolonged cyberattack by a well-funded group​

Question 25

What is the MITRE ATT&CK framework?

Answer 25

A knowledge base of cyber adversary tactics and techniques

Question 26

What is an intrusion detection system (IDS)?

Answer 26

A system that monitors for malicious activity or policy violations

Question 27

What is an intrusion prevention system (IPS)?

Answer 27

A system that actively blocks detected threats​

Question 28

What is the principle of least privilege (PoLP)?

Answer 28

Giving users only the access they need to perform their jobs

Question 29

What is the difference between black-box and white-box testing?

Answer 29

Black-box: No internal knowledge. White-box: Full knowledge of system​

Question 30

What is the NIST Cybersecurity Framework (CSF)?

Answer 30

A framework providing guidelines for managing cybersecurity risk

Question 31

What are some common risk management standards?

Answer 31

ISO 31000, ISO/IEC 27005, NIST SP 800-39

Question 32

What is residual risk?

Answer 32

The remaining risk after implementing risk treatment measures

Question 33

What is a risk register?

Answer 33

A document listing identified risks, their severity, and mitigation strategies

Question 34

What is the difference between qualitative and quantitative risk analysis?

Answer 34

Qualitative is subjective, while quantitative assigns numerical values

Question 35

What does the NIS Directive define as risk?

Answer 35

Any reasonably identifiable event with a potential adverse effect on information systems​

Question 36

What is an example of a sector-specific risk management standard?

Answer 36

ISO 14971 for medical devices

Question 37

What is the Common Criteria (CC) framework used for?

Answer 37

Evaluating the security of ICT products​

Question 38

What is the EBIOS method?

Answer 38

A French risk assessment methodology

Question 39

What is the BowTie method?

Answer 39

A widely used qualitative risk analysis model

Question 40

What is ISO 31000 known for?

Answer 40

Risk management principles and guidelines

Question 41

What are ICT products?

Answer 41

ICT (Information and Communication Technology) products include hardware, software, and services used for communication, data processing, and information management

Question 42

Why are ICT products important in risk management?

Answer 42

They are essential for securing digital infrastructure, protecting data, and ensuring business continuity​

Question 43

Can you give examples of ICT products?

Answer 43

/Hardware: Computers, servers, networking devices, IoT devices
/Software: Operating systems, cybersecurity tools, cloud platforms
/Services: Cloud computing, cybersecurity solutions, data storage services