CompTIA Security+ Practice Test of the Day 260406

Welcome to today’s CompTIA Security+ practice test!


Today’s practice test is based on Subdomain 5.2 (Explain elements of the risk management process) from the CompTIA Security+ SY0-701 objectives.

This beginner-level practice test is inspired by the CompTIA Security+ (SY0-701) exam and is designed to help you reinforce key cybersecurity concepts on a daily basis.

These questions are not official exam questions, nor are they brain dumps, but they reflect topics and scenarios relevant to the Security+ certification. Use them to test your knowledge, identify areas for improvement, and build daily cybersecurity habits.

Note: CompTIA and Security+ are registered trademarks of CompTIA. This content is not affiliated with or endorsed by CompTIA.


10 questions • Single best answer
Question 1

The risk management team at a regional hospital is conducting an annual review of its cybersecurity investment strategy. The board of directors has communicated that the organization is willing to accept higher levels of risk in exchange for lower operational costs and faster deployment of new telemedicine services, as the hospital aggressively pursues digital expansion. The team notes that this posture is reflected in management's willingness to delay patching non-critical systems, deploy new cloud services without completing full security assessments, and maintain minimal cybersecurity insurance coverage. Which term BEST describes the organization's overall strategic stance toward risk-taking?

Question 2

A risk analyst at a financial services firm is tasked with calculating the annualized cost of risk associated with ransomware attacks on the organization's transaction processing servers. The analyst determines that a single successful ransomware attack would result in $500,000 in total damages, including recovery costs, lost revenue, and regulatory fines. Historical incident data and threat intelligence indicate that the organization experiences approximately two ransomware incidents per year on average. The analyst uses these figures to calculate the annualized loss expectancy (ALE) in order to justify budget for a new endpoint detection and response (EDR) solution. What is the ALE the analyst should report?

Question 3

A security governance team at a large logistics company is implementing a formal risk management program for the first time. The team needs a centralized artifact that will document all identified risks, assign an accountable owner to each risk, record the likelihood and impact ratings from the risk assessment, track the current treatment strategy selected for each risk, and define threshold values that will trigger re-evaluation or escalation when a risk's measured indicators exceed acceptable limits. The program manager wants this document to become the living, authoritative source of record for all security and operational risks across the enterprise. Which risk management artifact is the program manager describing?

Question 4

The CISO of a regional e-commerce company is presenting risk treatment options to the board of directors. One identified risk involves a potential large-scale customer data breach that could result in regulatory fines, class-action legal liability, and forensic investigation costs totaling an estimated $3 million. The CISO acknowledges that the organization will continue to implement technical security controls to reduce the likelihood of a breach. However, the residual financial exposure after those controls are applied is still too large for the organization to absorb internally. The CISO recommends acquiring a cyber liability insurance policy to shift the potential financial burden to a third party. Which risk management strategy is the CISO recommending?

Question 5

A GRC analyst at a government contracting firm is reviewing a formal request submitted by the software development team. The team has identified a legacy application used by one government client that cannot be updated to comply with the organization's mandatory multi-factor authentication (MFA) policy — the vendor has reached end-of-life and will not release further updates, and the application architecture does not support modern authentication integration. The development team has documented compensating controls, obtained management sign-off, and submitted a formal request for this specific application to be permanently excluded from the MFA requirement based on the technical impossibility of compliance. Which risk acceptance mechanism BEST describes what the development team is requesting?

Question 6

An IT continuity planner at an online banking platform is conducting a business impact analysis (BIA) for the core transaction processing system. After consulting with business unit leaders and legal counsel, the planner establishes two key recovery benchmarks: the system must be restored to full operation within four hours of a failure to prevent unacceptable customer impact and regulatory violation; and no more than 15 minutes of transaction data can be lost in a failure scenario without triggering financial reconciliation obligations and potential regulatory reporting requirements. These figures will drive decisions about backup strategies, data replication solutions, and failover architecture. Which pair of metrics do these two benchmarks represent, respectively?

Question 7

A security manager at a mid-sized university is leading a risk assessment of the institution's student records management system. The assessment team includes IT staff, legal counsel, and representatives from student services. Because comprehensive historical breach data is unavailable for university systems of this type, and because many of the most significant potential impacts — including reputational harm and erosion of student trust — are difficult to express in precise dollar figures, the team decides to characterize risks using a high, medium, and low rating scale combined with a heat map to communicate findings to senior leadership. Which type of risk analysis is the team performing?

Question 8

A systems reliability engineer at a telecommunications provider is reviewing performance data for the organization's core network routing infrastructure over the past 12 months. The engineer is preparing a report that includes two key operational metrics: the average time required for the team to diagnose and restore a routing component after it fails; and the average duration the routing components operate continuously between failures without requiring intervention. These metrics will be used to evaluate whether the current infrastructure meets contractual service level agreements and to identify areas where maintenance practices or component quality should be improved. Which pair of metrics is the engineer reporting, in the order described?

Question 9

A newly appointed CISO at a pharmaceutical company has discovered that risk assessments have historically been performed only in response to specific triggering events — such as after a regulatory audit finding, following a data breach at a peer organization, or when a new system is being onboarded. There is no scheduled, periodic review of the overall risk posture, and no automated tools continuously collecting risk indicator data. As part of the organization's risk management maturity improvement program, the CISO wants to implement a model in which risk indicators are evaluated in real time using automated monitoring, telemetry feeds, and integrated threat intelligence — allowing the risk posture to be updated dynamically as conditions change rather than only after discrete events. Which type of risk assessment is the CISO proposing to adopt?

Question 10

A risk management analyst at a national healthcare insurer has completed the organization's annual risk assessment cycle and must now communicate the findings to multiple distinct audiences. For the board of directors, the analyst must present a high-level view of the organization's top risks, their potential business impact, the current risk appetite, and whether aggregate risk exposure has increased or decreased compared to the prior year. For the security operations team, the analyst must provide detailed technical findings, specific risk ratings for each identified vulnerability, identified control gaps, and prioritized remediation recommendations. The analyst recognizes that the appropriate format and level of detail must differ significantly for each audience. Which risk management activity does this communication function represent?