Welcome to today’s CompTIA Security+ practice test!
Today’s practice test is based on subdomain 5.2 (Explain elements of the risk management process) from the CompTIA Security+ SY0-701 objectives.
This beginner-level practice test is inspired by the CompTIA Security+ (SY0-701) exam and is designed to help you reinforce key cybersecurity concepts on a daily basis.
These questions are not official exam questions, nor are they brain dumps, but they reflect topics and scenarios relevant to the Security+ certification. Use them to test your knowledge, identify areas for improvement, and build daily cybersecurity habits.
Answers and explanations for today’s questions are listed below the question set.
#1. A security manager is calculating the financial impact of a single data breach. She estimates the cost of one breach at $150,000 and expects it could happen twice a year. What is the Annualized Loss Expectancy (ALE)?
A. $75,000
B. $150,000
C. $300,000
D. $450,000

#2. Which of the following BEST describes an organization’s willingness to take on risk in pursuit of its objectives?
A. Risk threshold
B. Risk register
C. Risk appetite
D. Exposure factor

#3. A company regularly schedules assessments to identify and quantify risks across all departments. What type of risk assessment is this?
A. One-time
B. Continuous
C. Ad hoc
D. Recurring

#4. A financial institution wants to minimize the impact of cyberattacks by shifting some of the risk to a third party. What strategy is being used?
A. Avoidance
B. Mitigation
C. Acceptance
D. Transfer

#5. Given: SLE = $50,000; ARO = 0.5. What is the ALE?
A. $25,000
B. $50,000
C. $75,000
D. $100,000

#6. Which of the following metrics estimates how long it will take to recover a failed component or service?
A. MTBF
B. RTO
C. MTTR
D. RPO

#7. A security team identifies an old, unpatched server but decides to document it as an exception due to operational needs. What risk strategy is this?
A. Mitigation
B. Avoidance
C. Transfer
D. Acceptance

#8. A retail company defines the maximum tolerable amount of data loss during a disruption. What is this metric called?
A. RTO
B. RPO
C. SLE
D. MTBF

#9. A company’s board decides to stop offering a vulnerable service that posed a legal risk. This is an example of which risk strategy?
A. Transfer
B. Avoidance
C. Acceptance
D. Mitigation

#10. Which metric refers to the maximum amount of time that an organization can tolerate a system outage before critical impact occurs?
A. RTO
B. RPO
C. ALE
D. MTTR
Note: CompTIA and Security+ are registered trademarks of CompTIA. This content is not affiliated with or endorsed by CompTIA.
Answers
| Number | Answer | Explanation |
|---|---|---|
| 1 | C | A. $75,000 (Incorrect): This value is not derived from the ALE formula. It is half of the Single Loss Expectancy.<br>B. $150,000 (Incorrect): This is the Single Loss Expectancy (SLE), not the Annualized Loss Expectancy.<br>C. $300,000 (Correct): The Annualized Loss Expectancy (ALE) is calculated by multiplying the Single Loss Expectancy (SLE) by the Annualized Rate of Occurrence (ARO). Here the cost of one breach is the SLE ($150,000), and it is expected to happen twice a year, so the ARO is 2. The calculation is: $150,000 (SLE) x 2 (ARO) = $300,000 (ALE).<br>D. $450,000 (Incorrect): This value is not derived from the ALE formula. It is three times the Single Loss Expectancy. |
| 2 | C | A. Risk threshold (Incorrect): A risk threshold is a specific, measurable limit that indicates the point at which a risk is no longer acceptable. It is a hard line, not the general willingness to take on risk.<br>B. Risk register (Incorrect): A risk register is a document used to record and track identified risks. It is a tool for managing risk, not a description of an organization’s attitude toward it.<br>C. Risk appetite (Correct): Risk appetite is the term that BEST describes an organization’s overall willingness to accept or retain risk in pursuit of its goals and objectives. It is a high-level strategic decision that sets the tone for all risk-related activities.<br>D. Exposure factor (Incorrect): The exposure factor is a percentage representing the likely loss of an asset’s value if a specific threat is realized. It is a component of risk calculation, not a statement of risk willingness. |
| 3 | D | A. One-time (Incorrect): A one-time assessment is performed only once and is not part of a regular schedule.<br>B. Continuous (Incorrect): While similar to recurring, a continuous assessment is typically a more real-time, automated, and ongoing process that does not rely on a fixed schedule.<br>C. Ad hoc (Incorrect): An ad hoc assessment is performed as needed or in response to a specific event, not as part of a regular, predefined schedule.<br>D. Recurring (Correct): A recurring risk assessment is performed at regular, scheduled intervals (e.g., monthly, quarterly, or annually). This directly matches the scenario of a company that “regularly schedules assessments” to monitor its risk posture. |
| 4 | D | A. Avoidance (Incorrect): Avoidance eliminates a risk entirely by no longer performing the activity that introduces it. The company is not avoiding cyberattacks; it is dealing with their potential impact.<br>B. Mitigation (Incorrect): Mitigation reduces the likelihood or impact of a risk through security controls. While a company would also implement mitigation controls, the specific action of shifting the risk to a third party is not mitigation.<br>C. Acceptance (Incorrect): Acceptance is taking no action against a risk and accepting the potential loss. The company is taking a deliberate action by shifting the risk, so it is not accepting it.<br>D. Transfer (Correct): Transferring risk shifts some or all of the financial burden and responsibility of a risk to a third party. The most common example in cybersecurity is purchasing cyber insurance, which covers some of the costs associated with a data breach or cyberattack and thereby shifts a portion of the risk to the insurer. |
| 5 | A | A. $25,000 (Correct): The Annualized Loss Expectancy (ALE) is calculated by multiplying the Single Loss Expectancy (SLE) by the Annualized Rate of Occurrence (ARO). Here the SLE is $50,000 and the ARO is 0.5 (meaning the event is expected once every two years). The calculation is: $50,000 (SLE) x 0.5 (ARO) = $25,000 (ALE).<br>B. $50,000 (Incorrect): This is the Single Loss Expectancy (SLE), not the Annualized Loss Expectancy.<br>C. $75,000 (Incorrect): This value is not derived from the ALE formula.<br>D. $100,000 (Incorrect): This value would be the result if the ARO were 2 instead of 0.5. |
| 6 | C | A. MTBF (Incorrect): MTBF (Mean Time Between Failures) measures the average time a component or service operates successfully between failures. It is a reliability metric, not a recovery metric.<br>B. RTO (Incorrect): RTO (Recovery Time Objective) is the maximum acceptable downtime for a business function after a disaster. It is a business continuity goal, not a technical recovery metric.<br>C. MTTR (Correct): MTTR stands for Mean Time To Recover (or Repair/Restore). It estimates the average time needed to repair a failed component or service and return it to operational status.<br>D. RPO (Incorrect): RPO (Recovery Point Objective) is the maximum acceptable data loss after a disruption. It is a metric for data, not recovery time. |
| 7 | D | A. Mitigation (Incorrect): Mitigation implements controls to reduce the likelihood or impact of a risk. The team is choosing not to mitigate the risk at this time.<br>B. Avoidance (Incorrect): Risk avoidance eliminates the risk by ceasing the activity that causes it (e.g., decommissioning the server). The company is keeping the server in operation.<br>C. Transfer (Incorrect): Risk transfer shifts the financial burden of a risk to a third party, typically through insurance. This is not what the company is doing.<br>D. Acceptance (Correct): Risk acceptance acknowledges a risk and chooses to take no immediate action to reduce or eliminate it. Here the security team recognizes the risk of the unpatched server but, due to operational needs, documents it as an exception and tolerates the potential consequences. |
| 8 | B | A. RTO (Incorrect): RTO (Recovery Time Objective) is the maximum acceptable amount of time a business function can be offline after a disruption. It is a time metric, not a data loss metric.<br>B. RPO (Correct): The Recovery Point Objective (RPO) defines the maximum tolerable amount of data loss, typically measured in time (e.g., the last hour of data), that a business is willing to accept during a disruption.<br>C. SLE (Incorrect): SLE (Single Loss Expectancy) is the financial loss from a single risk event. It is a cost metric, not a data loss metric.<br>D. MTBF (Incorrect): MTBF (Mean Time Between Failures) is the average time a system operates before it fails. It is a reliability metric, not a data loss metric. |
| 9 | B | A. Transfer (Incorrect): Risk transfer shifts the financial burden or responsibility of a risk to a third party, such as through insurance. The company is not shifting the risk; it is eliminating it.<br>B. Avoidance (Correct): Risk avoidance completely eliminates a risk by no longer engaging in the activity that creates it. Here the company stops a vulnerable service to eliminate the associated legal risk, a textbook example of risk avoidance.<br>C. Acceptance (Incorrect): Risk acceptance knowingly tolerates a risk without taking action to reduce it. The company is taking a deliberate action to eliminate the risk, so it is not accepting it.<br>D. Mitigation (Incorrect): Risk mitigation reduces the likelihood or impact of a risk. Fixing the vulnerability would be mitigation; stopping the service entirely is the more complete action of avoidance. |
| 10 | A | A. RTO (Correct): The Recovery Time Objective (RTO) defines the maximum amount of time a business can tolerate a system outage before a critical impact occurs. It is a key business continuity metric that sets the target for how quickly a system must be restored.<br>B. RPO (Incorrect): RPO (Recovery Point Objective) is the maximum amount of data a business is willing to lose, typically measured in time (e.g., the last hour of data).<br>C. ALE (Incorrect): ALE (Annualized Loss Expectancy) is a quantitative risk assessment metric that estimates the total financial loss from a specific risk over a year.<br>D. MTTR (Incorrect): MTTR (Mean Time To Recover) is the average time it takes a team to fix a failed component or service and return it to an operational state. It is a technical metric, whereas RTO is a business goal. |