Sample Quiz Questions
Module 1:
1. What is the primary aim of Cybersecurity Risk Quantification (CRQ)?
a. To automate the process of risk assessment
b. To convert risk uncertainty into numerical values for better decision-making
c. To eliminate cybersecurity risks entirely
d. To comply with regulatory requirements
2. Which of the following is NOT one of the three modern CRQ frameworks discussed?
a. Factor Analysis of Information Risk (FAIR)
b. Facilitated Risk Analysis Process (FRAP)
c. Common Vulnerability Scoring System (CVSS)
d. Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)
3. According to the module, which challenge was faced in early efforts to quantify cybersecurity risk?
a. Lack of computational power
b. Difficulty combining subjective judgments with data
c. Overreliance on historical data
d. Resistance from leadership
4. Which statement best describes the OCTAVE framework?
a. A financial risk quantification model
b. Focused on operational risk and security practices
c. Designed for fast, simple risk analysis
d. An open standard for presenting risk factors
5. The FAIR model is characterized as:
a. A qualitative approach to risk analysis
b. A modern Value-at-Risk model for financial risk quantification
c. Focused on developing security strategies
d. An open source vulnerability analysis tool
6. Which is NOT listed as a benefit of adopting a standard risk management framework like ISO 31000?
a. Improved identification of threats
b. Effective allocation of resources
c. Increased likelihood of achieving objectives
d. Elimination of all cybersecurity risks
7. According to NIST SP 800-30, risk framing establishes:
a. The risk assessment methods to be used
b. The risk management strategy and context
c. The vulnerabilities to be analyzed
d. Compliance with regulatory requirements
8. Which role is responsible for collecting and analyzing data to identify risk trends and patterns?
a. Risk Analyst
b. Data Analyst
c. Risk Manager
d. Cybersecurity Expert
9. Which skill is described as “understanding an organization’s business model, operations and financials”?
a. Quantitative Analysis
b. Risk Assessment
c. Business Acumen
d. Ethical Hacking
10. Which of the following combinations correctly matches the roles with their responsibilities?
a. Risk Analysts develop strategies, Data Analysts implement controls, Risk Managers ensure compliance, Cybersecurity Experts identify risks.
b. Risk Analysts identify risks, Data Analysts analyze data, Risk Managers oversee program, Cybersecurity Experts mitigate cyber risks.
c. Risk Analysts and Data Analysts quantify risk, Risk Managers allocate resources, Cybersecurity Experts monitor systems.
d. Risk Analysts implement controls, Data Analysts identify trends, Risk Managers assess impact, Cybersecurity Experts develop strategies.
Module 1 Answers:
1. b
2. c
3. b
4. b
5. b
6. d
7. b
8. b
9. c
10. b
Module 2:
1. What is the purpose of vulnerability data analysis?
a. To identify all vulnerabilities in an organization’s systems
b. To prioritize the remediation of vulnerabilities based on their potential impact
c. To assign Common Vulnerability Enumeration (CVE) scores
d. To collect vulnerability data from scanning tools
2. The Common Vulnerability Enumeration (CVE) score is a metric assigned by vendors to assess the severity of a vulnerability. Why is it important to consider more than just the CVE score?
a. The CVE score does not account for the specific context and potential impact on an organization
b. The CVE score is only a measure of the likelihood that a vulnerability will be exploited
c. The CVE score determines the priority for vulnerability remediation without considering other factors
d. The CVE score quantifies the impact of a vulnerability on an organization’s assets
3. What is the difference between tactics and techniques in the context of cyber attacks?
a. Tactics refer to an attacker’s overall goals or objectives, while techniques refer to the specific methods used to achieve those goals
b. Tactics and techniques are the same things used interchangeably
c. Tactics refer to the methods used by attackers, and techniques refer to the overall goals
d. Tactics are only used in advanced persistent threats (APTs), while techniques are used in all cyber attacks
4. What is the first step in the vulnerability analysis process?
a. Tagging the vulnerability data
b. Collecting vulnerability data using a scanning tool
c. Generating charts and reports
d. Quantifying the threat and estimating likelihood
5. Why is the vulnerability description field critical in vulnerability data analysis?
a. It provides the Common Vulnerability Enumeration (CVE) score
b. It lists the affected software and vendors
c. It provides details on the nature of the vulnerability, its source, and how a threat actor can exploit it
d. It is required for compliance purposes
6. Explain the concept of using wildcards when grouping vulnerabilities by keywords.
a. Wildcards are used to combine different vulnerability descriptions into a single group
b. Wildcards are used to exclude certain vulnerabilities from the analysis
c. Wildcards are used to match variations in terminology used to describe the same vulnerability condition
d. Wildcards are used to create custom vulnerability scores
7. Which of the following is the correct order of stages in the typical attack sequence?
a. Exploitation, initial compromise, lateral movement, escalation of privileges, data exfiltration, destruction
b. Initial compromise, escalation of privileges, lateral movement, exploitation, data exfiltration, destruction
c. Lateral movement, escalation of privileges, initial compromise, exploitation, destruction, data exfiltration
d. Data exfiltration, exploitation, lateral movement, initial compromise, escalation of privileges, destruction
8. What is the purpose of the MITRE ATT&CK model?
a. To categorize vulnerabilities based on their severity
b. To provide a comprehensive framework for understanding and categorizing the tactics, techniques, and procedures (TTPs) used by attackers during a cyber attack
c. To automate the vulnerability remediation process
d. To collect vulnerability data from scanning tools
9. How can the MITRE ATT&CK model help organizations defend against advanced persistent threats (APTs)?
a. By breaking down the attack cycle into discrete phases and techniques, allowing organizations to implement effective defenses at each phase
b. By providing a list of recommended security controls to prevent APTs
c. By automating the incident response process for APTs
d. By assigning risk scores to different types of APTs
10. When grouping vulnerabilities by vendor, what type of keywords should be used?
a. Vendor-specific keywords, such as product names or version numbers
b. Software-specific keywords, such as programming languages or frameworks
c. Protocol-specific keywords, such as communication protocols or networking terms
d. Attack-related keywords, such as common exploit or attack types
Module 2 Answers:
1. b
2. a
3. a
4. b
5. c
6. c
7. b
8. b
9. a
10. a
Module 3:
1. What is the primary purpose of quantifying cyber risk?
a. To comply with industry regulations
b. To support critical business decisions
c. To identify all potential vulnerabilities
d. To develop a comprehensive risk management plan
2. Which of the following is NOT a method for measuring threat in risk analysis?
a. Vulnerability analysis
b. Threat modeling
c. Scenario analysis
d. Compliance auditing
3. What is the difference between risk analysis and risk assessment?
a. Risk analysis focuses on operational risks, while risk assessment focuses on compliance risks
b. Risk analysis involves quantifying risk, while risk assessment does not
c. Risk analysis is proactive, while risk assessment is reactive
d. There is no difference; the terms are interchangeable
4. What is the purpose of risk quantification in resource allocation?
a. To identify and prioritize cyber risk management efforts
b. To develop effective risk management strategies
c. To ensure business continuity during a cyber-attack
d. All of the above
5. Which of the following is NOT a potential impact of a cyber-attack?
a. Financial impact
b. Operational impact
c. Reputational impact
d. Regulatory compliance impact
6. Which of the following is NOT a method for developing attack scenarios?
a. Analyzing current attacks
b. Decomposing current attacks
c. Building attack scenarios based on vulnerability analysis
d. Conducting a risk assessment
7. What is the primary purpose of developing attack scenarios?
a. To identify all potential vulnerabilities
b. To comply with industry regulations
c. To support the analysis of risk
d. To develop a comprehensive risk management plan
8. Which of the following is NOT a recommended source for developing attack scenarios?
a. OWASP Top Ten Web Application Security Risks
b. Verizon Data Breach Investigations Report
c. Industry-specific cyber statistics
d. Compliance auditing reports
9. What is the purpose of decomposing current attacks when developing attack scenarios?
a. To identify the initial entry point of the attack
b. To identify the techniques used to move laterally within the network
c. To identify the data that was targeted and the techniques used to exfiltrate it
d. All of the above
10. Which of the following is NOT a recommended method for estimating likelihood in risk analysis?
a. Statistical analysis
b. Expert elicitation
c. Simulation
d. Compliance auditing
11. What is the difference between risk and impact?
a. Risk is the likelihood of an event occurring, while impact is the potential consequence of the event
b. Risk and impact are the same thing
c. Risk is a measure of compliance, while impact is a measure of operational risk
d. Risk is a proactive measure, while impact is a reactive measure
12. How is impact used in risk analysis?
a. To identify potential vulnerabilities
b. To rate the criticality of the risk
c. To develop attack scenarios
d. To comply with industry regulations
13. Which of the following is a potential financial impact of a cyber-attack?
a. Legal fees
b. Remediation costs
c. Lost revenue
d. All of the above
14. What is the purpose of using the equation “Threat x Likelihood = Risk” in risk analysis?
a. To calculate the risk of an event occurring
b. To calculate the potential financial impact of an event
c. To identify potential vulnerabilities
d. To develop attack scenarios
15. Which of the following is a method for weighting factors in multi-criteria risk analysis?
a. Basic weighting
b. Special weighting
c. Qualitative factors
d. All of the above
Module 3 Answers:
1. b
2. d
3. a
4. d
5. d
6. d
7. c
8. d
9. d
10. d
11. a
12. b
13. d
14. a
15. d
Module 4:
1. What is the first step in making decisions in the face of uncertainty?
a. Gather all possible information
b. Identify the problem or issue
c. Make a random guess
d. Wait for more information
2. Which method for quantifying risk involves calculating the probability of different outcomes by generating random samples from probability distributions?
a. Basic probability equations
b. Bayesian inference
c. Monte Carlo simulations
d. All of the above
3. If two events A and B are mutually exclusive, what is the probability of both occurring?
a. P(A) + P(B)
b. P(A) * P(B)
c. 0
d. 1
4. What is the term for the probability of an event A occurring given that another event B has already occurred?
a. Joint probability
b. Marginal probability
c. Conditional probability
d. Bayesian probability
5. In a Bayesian inference calculation, P(A) represents:
a. The prior probability of A occurring
b. The likelihood of the evidence given A
c. The posterior probability of A
d. None of the above
6. What does the Bayesian Box visually represent?
a. Marginal probabilities
b. Joint probabilities
c. Conditional probabilities
d. Both b and c
7. If the probability of network intrusion is 0.3, what is the probability of no network intrusion?
a. 0.3
b. 0.7
c. 1
d. Cannot be determined
8. In a probability tree, how is the joint probability of two events calculated?
a. By adding their individual probabilities
b. By multiplying their individual probabilities
c. By dividing one probability by the other
d. By squaring one probability
9. Which word is used in conditional probability to describe the intersection of two events?
a. And
b. Or
c. Not
d. Both a and b
10. Bayes’ Theorem allows you to:
a. Calculate prior probabilities
b. Update beliefs as new evidence becomes available
c. Determine if events are independent or not
d. Simulate random events
Module 4 Answers:
1. b
2. c
3. c
4. c
5. a
6. d
7. b
8. b
9. a
10. b
Module 5:
1. What is the purpose of Monte Carlo simulations?
a. To generate probability distributions
b. To predict stock market trends
c. To analyze weather patterns
d. To design computer chips
2. Which distribution is defined by three parameters: minimum, maximum, and mode?
a. Poisson distribution
b. Bernoulli distribution
c. Triangular distribution
d. Binomial distribution
3. What is the PERT distribution used for?
a. Estimating the probability of completing a project within a given time frame
b. Modeling the occurrence of rare events
c. Describing the number of successes in a fixed number of trials
d. Analyzing weather patterns
4. In the context of the FAIR model, what does “Threat Event Frequency” refer to?
a. The estimated impact of a risk scenario on the organization’s objectives
b. The effectiveness of controls in place to mitigate a risk scenario
c. The estimated frequency of a specific risk scenario occurring
d. The weakness in a system that could be exploited by a threat actor
5. What is the purpose of the “Control Strength” component in the FAIR model?
a. To estimate the likelihood of a risk scenario being realized
b. To prioritize risks and determine the most effective way to manage them
c. To describe a potential source of risk and its consequences
d. To measure the impact of a risk scenario on the organization’s objectives
6. Which distribution is used to model the number of events occurring within a specified time interval or space?
a. Poisson distribution
b. Bernoulli distribution
c. Triangular distribution
d. Binomial distribution
7. In the FAIR model, what does “Vulnerability” refer to?
a. The estimated impact of a risk scenario on the organization’s objectives
b. A weakness in a system that could be exploited by a threat actor
c. The effectiveness of controls in place to mitigate a risk scenario
d. The estimated frequency of a specific risk scenario occurring
8. What is the purpose of the “Risk Treatment” component in the FAIR model?
a. To estimate the likelihood of a risk scenario being realized
b. To prioritize risks and determine the most effective way to manage them
c. To describe a potential source of risk and its consequences
d. To measure the impact of a risk scenario on the organization’s objectives
9. Which distribution is used to model the number of successes in a fixed number of independent trials?
a. Poisson distribution
b. Bernoulli distribution
c. Triangular distribution
d. Binomial distribution
10. In the context of the FAIR model, what does “Threat Event Impact” refer to?
a. The estimated frequency of a specific risk scenario occurring
b. The estimated impact of a risk scenario on the organization’s objectives
c. The effectiveness of controls in place to mitigate a risk scenario
d. A weakness in a system that could be exploited by a threat actor
Module 5 Answers:
1. a
2. c
3. a
4. c
5. a
6. a
7. b
8. b
9. d
10. b