CompTIA Security+ Practice Test of the Day 260406

Welcome to today’s CompTIA Security+ practice test!

Today’s practice test is based on Subdomain 5.2 (Explain elements of the risk management process) from the CompTIA Security+ SY0-701 objectives.

This beginner-level practice test is inspired by the CompTIA Security+ (SY0-701) exam and is designed to help you reinforce key cybersecurity concepts on a daily basis.

These questions are not official exam questions, nor are they brain dumps, but they reflect topics and scenarios relevant to the Security+ certification. Use them to test your knowledge, identify areas for improvement, and build daily cybersecurity habits.

Note: CompTIA and Security+ are registered trademarks of CompTIA. This content is not affiliated with or endorsed by CompTIA.

10 questions • Single best answer
Question 1
A risk manager at a financial services firm is conducting a BIA for the online trading platform. She must define the maximum time the platform can be offline before customers suffer unacceptable losses and regulators impose penalties. Which BIA metric captures this threshold?

Question 2
After a ransomware attack, the incident response team finds the most recent clean backup is 18 hours old. Management reveals the organization had defined a maximum acceptable data loss of 4 hours. Which BIA metric was violated?

Question 3
A security manager presents a risk committee with a heat map showing risks rated High, Medium, and Low — based on expert judgment and stakeholder workshops — without using specific monetary figures. Which type of risk analysis is being performed?

Question 4
A security analyst determines that a database server is valued at $400,000 and that a successful breach would compromise 25% of its value. What is the Single Loss Expectancy (SLE) for this scenario?

Question 5
An analyst calculates that the SLE for a phishing-driven credential compromise is $30,000 and that such events occur approximately four times per year based on historical data. What is the Annualized Loss Expectancy (ALE)?

Question 6
A startup aggressively pursues new markets, accepts elevated cybersecurity risks to outpace competitors, and allocates minimal resources to compliance programs that would slow product development. Which risk appetite posture BEST describes this organization?

Question 7
A healthcare organization purchases a $5 million cyber liability insurance policy covering patient data breach notification costs, regulatory fines, and legal fees. Which risk management strategy does this represent?

Question 8
A legacy payroll application cannot support MFA due to technical limitations. The risk manager documents the gap and receives formal CISO approval to operate without MFA for 90 days while a replacement system is procured. Which risk acceptance type does this represent?

Question 9
A security team maintains a centralized document listing each identified risk, the individual accountable for managing it, the escalation trigger point, and metrics used to track whether the risk is worsening. Which governance artifact does this describe?

Question 10
A financial institution uses automated tools and real-time threat intelligence to continuously evaluate the risk posture of all production systems — reassessing whenever new vulnerabilities are disclosed or configurations change, rather than on a fixed schedule. Which type of risk assessment is this?