CompTIA Security+ Practice Test of the Day 260526

Welcome to today’s CompTIA Security+ practice test!

Today’s practice test is based on Subdomain 5.2 (Explain elements of the risk management process) from the CompTIA Security+ SY0-701 objectives.

This beginner-level practice test is inspired by the CompTIA Security+ (SY0-701) exam and is designed to help you reinforce key cybersecurity concepts on a daily basis.

These questions are not official exam questions, nor are they brain dumps, but they reflect topics and scenarios relevant to the Security+ certification. Use them to test your knowledge, identify areas for improvement, and build daily cybersecurity habits.

Note: CompTIA and Security+ are registered trademarks of CompTIA. This content is not affiliated with or endorsed by CompTIA.

10 questions • Single best answer

Question 1
A risk analyst at a manufacturing company calculates that a production server failure occurs on average twice per year and each occurrence costs $50,000. What is the annualized loss expectancy (ALE)?

Question 2
A security manager reviews the organization's risk register and finds a risk flagged as exceeding the board-approved risk threshold. What should happen next according to risk management best practices?

Question 3
An organization decides to purchase cyber liability insurance to offset the financial impact of a potential data breach. Which risk management strategy does this represent?

Question 4
A qualitative risk assessment assigns risks a rating of Low, Medium, High, or Critical based on interviews and expert judgment rather than financial figures. When would qualitative analysis be PREFERRED over quantitative?

Question 5
Following a business impact analysis (BIA), a retail company determines that its e-commerce platform must be restored within 4 hours after a failure, and no more than 1 hour of transaction data can be lost. Which metrics do these represent?

Question 6
A company's board approves a risk appetite statement that supports expanding into new markets even when doing so introduces moderate cybersecurity risk. Which risk appetite category does this reflect?

Question 7
A security team formally documents all identified risks, their likelihood, impact, current controls, and assigned owners in a centralized document. What is this document called?

Question 8
A risk owner at a logistics company approves continued operation of an aging ERP system despite known vulnerabilities, because the cost to replace it exceeds the projected risk cost. After formal documentation, this decision represents which risk strategy?

Question 9
An organization performs a risk assessment only after a major security incident, rather than on a scheduled or ongoing basis. Which type of risk assessment schedule does this represent?

Question 10
A security governance team defines the maximum level of risk the organization is willing to accept without requiring further action. Which risk management concept does this define?