c. Economic balance between the impact of risks and the cost of protective measures
d. Legal balance between the impact of risks and the cost of protective measures
85. c. The aim of a risk analysis is to help systems management strike an economic balance between the impact of risks and the cost of protective measures. It lists risks first and protective measures second.
86. To estimate the losses likely to occur when a threat is realized or a vulnerability is exploited, which of the following pairs of loss categories gives management the best means to estimate its potential losses?
a. Single occurrence loss, actual loss
b. Expected loss, catastrophic loss
c. Catastrophic loss, actual loss
d. Expected loss, single occurrence loss
86. d. Two loss categories are usually identified: (i) losses caused by threats with reasonably predictable occurrence rates, referred to as expected losses, which are expressed in dollars per year and computed as the product of occurrence rate, loss potential, and vulnerability factor; and (ii) losses caused by threats with a very low rate of occurrence (low probability) that is difficult to estimate but that would cause a very high loss if they did occur (high-consequence risk), referred to as a single occurrence loss, which is expressed as the product of loss potential, vulnerability factor, and asset value. A catastrophic loss is a loss greater than the organization's equity. An actual loss is the amount of assets or lives lost. Neither catastrophic loss nor actual loss enters into risk assessment, because they are not estimable.
87. From a security accountability viewpoint, which of the following pose a security risk?
a. Executives and contractors
b. Full-time employees and contingent workers
c. Executives and full-time employees
d. Vendors and consultants
87. b. Most executives have an employment contract listing security policies, practices, and procedures, and the penalties for noncompliance with them. Contractors, vendors, and consultants are bound by formal rules of engagement. Full-time employees operate under an employment-at-will arrangement: they have no formal contract and can leave the company, or the employer can terminate their employment, at any time. Contingent workers are part-time and short-term (temporary) workers and have no formal contract. In the absence of a formal contract or rules of engagement, it is difficult for the company to enforce security policies and practices against full-time employees and contingent workers, or to punish them, if they violate those policies and practices. Therefore, full-time employees and contingent workers are not truly accountable for security in the absence of a formal contract (i.e., they are not legally bound and the policies are not enforceable), thus posing a security risk to the company.
88. What is the last thing to do upon friendly termination of an employee?
a. Conduct an exit interview.
b. Disable computer access immediately.
c. Take possession of keys and cards.
d. Send the employee to a career counselor.
88. d. The safest and first thing to do is to (i) disable computer access immediately, which should be a standard procedure, (ii) conduct an exit interview, and (iii) take possession of access keys and cards. The employee can be sent to a career counselor afterward (last thing).
89. Which of the following statements is true about data classification and application categorization for sensitivity?
a. Data classification and application categorization are the same.
b. There are clear-cut views on data classification and application categorization.
c. Data classification and application categorization must be organization-specific.
d. It is easy to use simple data classification and application categorization schemes.
89. c. No two organizations are the same, and this is especially true across industries. For example, what works for a governmental organization may not work for a commercial organization. An example of a data classification scheme is critically sensitive, highly sensitive, sensitive, and nonsensitive.
90. What is the least effective technique for continually educating users in information systems security?
a. Presenting security awareness video programs
b. Posting policies on the intranet websites
c. Presenting one-size-fits-all security briefings
d. Declaring security awareness days
90. c. It is good to avoid a one-size-fits-all type of security briefing. It is important to relate security concerns to the specific risks faced by users in individual business units or groups and to ensure that security is an everyday consideration. Lax security can cost money and time. Security awareness is inexpensive and less time-consuming compared to installing security countermeasures.
91. Trustworthy information systems are defined as:
1. Operating within defined levels of risk
2. Handling environmental disruptions
3. Handling human errors
4. Handling purposeful attacks
a. 1 only
b. 3 only
c. 4 only
d. 1, 2, 3, and 4
91. d. Trustworthy information systems are those systems capable of being trusted to operate within defined levels of risk despite the environmental disruptions, human errors, and purposeful attacks expected to occur in the specified environments of operation.
92. Which of the following combinations of conditions can put the IT assets at the most risk of loss?
a. System interconnectivity and poor security management
b. System interconnectivity and poor controls over data sensitivity
c. System interconnectivity and lack of system backups
d. System interconnectivity and inadequate physical security
92. a. Poor security management does not proactively and systematically assess risks, monitor the effectiveness of security controls, and respond to identified problems. This situation becomes much worse with interconnected systems, where the risk is greatest. The other three choices are the result of poor security management.
93. An IT security training program is a part of which of the following control categories?
a. Application controls
b. General controls
c. Administrative controls
d. Technical controls
93. c. The security training program is a part of administrative controls, which, in turn, can be a part of management controls. Application controls relate to a specific application system, whereas general controls relate to a computer center. Technical controls can be useful in both application and general areas.
94. What is the last step when an insider violates a security policy?
a. Verbal warning
b. Dismissal
c. Legal action
d. Written warning
94. c. When an insider violates security policy, the first step is a verbal warning, followed by a written warning, dismissal, and the final step of legal action.