Quiz: What Is Cybersecurity?

A 25-question self-check covering the chapter's vocabulary and mental models. Several questions are tagged with the certification domain they map to — [Sec+] for CompTIA Security+ and [CISSP] for the (ISC)² CISSP — so certification candidates can self-assess. Answers and one-line explanations are at the end; try the whole quiz before checking.


Section 1 — Multiple choice (1 pt each)

1. [Sec+] A weakness in a system that could be used to cause harm is best called a: A. threat B. vulnerability C. exploit D. risk

2. "Risk equals likelihood times impact" implies that a catastrophic outcome that genuinely cannot occur has a risk of: A. maximum B. moderate C. zero D. undefined

3. [Sec+] Which of the following is an exploit rather than a vulnerability? A. an unpatched server B. a default password C. a script that submits the default password to log in D. a flat network

4. A ransomware attack that encrypts files but neither steals nor alters them primarily violates: A. confidentiality B. integrity C. availability D. non-repudiation

5. [CISSP] The principle that you should design every layer assuming the layer in front of it has already failed is called: A. least privilege B. defense in depth / assume breach C. separation of duties D. fail-open

6. The single best reason that a newly internet-connected server is attacked within minutes is: A. it was specifically targeted B. insider sabotage C. indiscriminate automated scanning D. a misconfigured DNS record

7. [Sec+] Which term names the total set of points where an attacker could attempt entry? A. threat surface B. attack surface C. risk register D. kill chain

8. The thing a security program can never reduce to zero is: A. compliance B. residual risk C. uptime D. the attack surface

9. Of people, process, and technology, the Meridian near-miss was ultimately saved most directly by a control choice that falls under: A. technology, backed by process and people B. compliance only C. luck D. insurance

10. [CISSP] Preserving the accuracy and unaltered state of data is the triad property called: A. confidentiality B. integrity C. availability D. accountability


Section 2 — True / False with justification (1 pt each)

For each, mark T or F and give a one-sentence reason.

11. "A vulnerability with no realistic threat against it still represents high risk."

12. [Sec+] "Compliance with PCI-DSS guarantees an organization is secure."

13. "Because attackers only need to succeed once, perfect prevention is the correct goal of a security program."

14. "Availability failures, such as ransomware, can be more damaging than data theft."

15. "An asset inventory is optional; you can secure systems you don't know you have."


Section 3 — Fill in the blank (1 pt each)

16. The relationship among the core terms: a __ uses an __ to abuse a __ in an asset, producing harm.

17. A measure that reduces risk by breaking the risk chain is called a __.

18. [Sec+] The three properties of the CIA triad are confidentiality, __, and __.

19. Risk-based __ is the practice of using risk scores to decide what to fix first.

20. The structural fact that attackers need to be right once while defenders must be right every time is called the offense/defense __.


Section 4 — Short answer (2 pts each)

21. [CISSP] Explain, in two or three sentences, why security is described as "a process, not a product." Reference at least two of people, process, and technology.

22. A finding scores likelihood 2 × impact 5 = 10; another scores 5 × 2 = 10. Explain what the equal scores do and do not tell a defender, and name one piece of information that would help break the tie.

23. Describe one concrete advantage the defender holds despite the offense/defense asymmetry, and explain how a security team turns that advantage into a practical capability.


Section 5 — Applied scenario (5 pts)

24. Meridian discovers that a departed contractor's account is still active and has access to a file share containing loan documents. (a) Identify the asset, the vulnerability, the threat, and a plausible exploit. (b) Assign likelihood and impact (1–5) with justification and compute the risk score and band. (c) Recommend one immediate control and name the residual risk that remains after it.

25. [Sec+] In two or three sentences, place yourself: which of the four learning paths (SOC Analyst, Security Engineer, GRC, Certification Prep) best matches your current goal, and which two chapters from the outline are you most eager to reach? (No wrong answers — this question checks that you can navigate the book.)


Answer Key

1. **B** — a weakness is a vulnerability.
2. **C** — anything × 0 = 0; impossible outcomes carry no risk.
3. **C** — the *act* of using a weakness is the exploit; the others are weaknesses/conditions.
4. **C** — data is unreadable but not disclosed or altered: an availability attack.
5. **B** — defense in depth / assume breach.
6. **C** — indiscriminate automated scanning targets everything.
7. **B** — attack surface.
8. **B** — residual risk is never zero.
9. **A** — phishing-resistant authentication (technology) backed by rollout (process) and reporting (people).
10. **B** — integrity.
11. **F** — low likelihood drives risk down regardless of the vulnerability's existence.
12. **F** — compliance is the floor, not the ceiling.
13. **F** — perfect prevention is impossible; detection and response are essential.
14. **T** — for many organizations, loss of availability halts operations entirely.
15. **F** — you cannot protect unknown assets; inventory is foundational.
16. threat actor; exploit; vulnerability.
17. control (safeguard/countermeasure).
18. integrity; availability.
19. prioritization.
20. asymmetry.
21. Security must be continuously operated: technology decays and must be maintained, processes drift and must be reviewed, and people change and must be trained — a one-time purchase cannot do this.
22. Equal scores mean equal *modeled* risk and equal claim on attention, but not identical character; exploitability data (e.g., is the high-likelihood one being actively exploited?) or asset criticality would break the tie.
23. The defender knows and controls the terrain and can instrument it so the attacker's actions generate evidence; collecting and monitoring that telemetry (Chapters 10, 21) turns home-field knowledge into detection.
24. (a) asset = loan documents/file share; vulnerability = active orphaned account; threat = the former contractor or anyone who obtains the credentials; exploit = logging in with the still-valid credentials. (b) e.g., likelihood 3, impact 4 → score 12, HIGH (reasonable judgments vary). (c) immediate control = disable the account; residual risk = other orphaned accounts may exist and the access may already have been misused — which motivates the identity-governance work of Chapter 18.
25. Self-assessment; full credit for a coherent path choice and two correctly located chapters.

**Topics to review by question:** missed 1–5 → §1.2; 6–7, 11 → §1.3–1.4; 8 → §1.2 (residual risk); 9, 21 → §1.7; 4, 10, 14, 18 → §1.5; 24 → §1.2 + §1.4.