WGU - D487 OA EXAM | {LATEST 2026/2027 UPDATE} COMPLETE ACTUAL AND AUTHENTIC EXAM | BRAND NEW!
How does the DREAD model rank security risks? - ✔✔✔ Correct
Answer > Uses a scale from 0 to 10 for each factor; the five factor scores are combined (typically averaged back onto the 0 to 10 scale) to give one rating per threat, and threats are prioritized by that rating.
What is the primary difference between STRIDE and DREAD in
threat modeling? - ✔✔✔ Correct Answer > STRIDE identifies types of
threats, while DREAD ranks and prioritizes risks.
STRIDE = Threat categorization model
DREAD = Risk assessment model
STRIDE - ✔✔✔ Correct Answer > Spoofing (Impersonating
another user)
Tampering (Modifying data maliciously)
Repudiation (Denying actions taken)
Information disclosure (Leaking sensitive data)
Denial of Service (Disrupting service availability)
Elevation of Privilege (Gaining unauthorized access)
DREAD - ✔✔✔ Correct Answer > Damage Potential (How severe is
the impact?)
Reproducibility (How easily can the attack be repeated?)
Exploitability (How easy is it to exploit?)
Affected Users (How many people are impacted?)
Discoverability (How easy is it to find the vulnerability?)
Which model is best suited for threat classification vs. risk
assessment? - ✔✔✔ Correct Answer > STRIDE is best for classifying
threats, while DREAD is best for prioritizing them.
STRIDE = Helps identify and categorize threats.
DREAD = Helps rank threats based on impact.
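The two models used together, as an added worked example that is not part of the exam material: each threat is labelled with its STRIDE category and scored 0 to 10 on the five DREAD factors, then ranked by average score. The threat names, the sample scores and the averaging rule are constructed for illustration (summing to a 0 to 50 total is the other common convention and yields the same order).

```go
package main

import (
	"fmt"
	"sort"
)

// Dread holds one 0-10 score per DREAD factor.
type Dread struct {
	Damage          int
	Reproducibility int
	Exploitability  int
	AffectedUsers   int
	Discoverability int
}

// Threat pairs a STRIDE category (what kind of threat) with a DREAD
// rating (how much it matters). Names below are hypothetical.
type Threat struct {
	Name   string
	Stride string
	Dread  Dread
}

// Score averages the five factors onto a single 0-10 risk rating and
// rejects any factor outside the 0-10 range.
func (d Dread) Score() (float64, error) {
	factors := []int{d.Damage, d.Reproducibility, d.Exploitability, d.AffectedUsers, d.Discoverability}
	sum := 0
	for _, f := range factors {
		if f < 0 || f > 10 {
			return 0, fmt.Errorf("DREAD factor %d out of range 0-10", f)
		}
		sum += f
	}
	return float64(sum) / float64(len(factors)), nil
}

// Rank returns a copy of threats sorted by descending DREAD score;
// ties keep their input order so the result is reproducible.
func Rank(threats []Threat) ([]Threat, error) {
	out := make([]Threat, len(threats))
	copy(out, threats)
	scores := make(map[string]float64, len(out))
	for _, t := range out {
		s, err := t.Dread.Score()
		if err != nil {
			return nil, fmt.Errorf("%s: %w", t.Name, err)
		}
		scores[t.Name] = s
	}
	sort.SliceStable(out, func(i, j int) bool {
		return scores[out[i].Name] > scores[out[j].Name]
	})
	return out, nil
}

// SampleThreats is a constructed threat list for a hypothetical web app.
func SampleThreats() []Threat {
	return []Threat{
		{Name: "Session token in URL", Stride: "Information disclosure", Dread: Dread{6, 8, 8, 7, 9}},
		{Name: "Admin API without auth check", Stride: "Elevation of Privilege", Dread: Dread{10, 10, 9, 10, 6}},
		{Name: "Unsigned audit log entries", Stride: "Repudiation", Dread: Dread{5, 7, 5, 3, 4}},
		{Name: "Regex-based DoS in search", Stride: "Denial of Service", Dread: Dread{7, 9, 6, 10, 5}},
	}
}

func main() {
	ranked, err := Rank(SampleThreats())
	if err != nil {
		panic(err)
	}
	for i, t := range ranked {
		s, _ := t.Dread.Score()
		fmt.Printf("%d. %-30s %-24s %.1f\n", i+1, t.Name, t.Stride, s)
	}
}
```

With the sample scores the unauthenticated admin API ranks first (9.0) and the unsigned audit log last (4.8), which is the point of DREAD: STRIDE says what kind of threat each is, DREAD says which one to fix first.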
Which mitigation technique can be used to fight against a data
tampering threat? - ✔✔✔ Correct Answer > Digital signatures = Digital
signatures ensure data integrity and authenticity: the verifier checks
that the data has not been altered (in transit or at rest) and that it
was signed by the holder of the private key. An attacker who modifies
signed data cannot produce a valid signature for it, so the tampering
is detected on verification.
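The tamper-detection property as an added example, not part of the exam material: a payload is signed with Ed25519 from the Go standard library, then an attacker rewrites the amount while reusing the original signature, and verification fails. The Transfer payload and the field values are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// SignedMessage carries the payload together with the signature over it.
type SignedMessage struct {
	Payload   []byte
	Signature []byte
}

// GenerateKeys returns a fresh Ed25519 key pair. The private key stays
// with the signer; only the public key is distributed to verifiers.
func GenerateKeys() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Sign produces a signature over the exact payload bytes.
func Sign(priv ed25519.PrivateKey, payload []byte) SignedMessage {
	return SignedMessage{Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

// Verify reports whether the payload is intact and was signed by the
// holder of the private key matching pub. Any changed byte fails.
func Verify(pub ed25519.PublicKey, m SignedMessage) bool {
	return ed25519.Verify(pub, m.Payload, m.Signature)
}

// Transfer is a constructed example payload (hypothetical format).
type Transfer struct {
	From   string `json:"from"`
	To     string `json:"to"`
	Amount int    `json:"amount"`
}

// Demo signs a transfer, then simulates an attacker changing the amount
// in transit without access to the private key. It returns whether the
// original verifies and whether the tampered copy verifies.
func Demo() (okOriginal bool, okTampered bool, err error) {
	pub, priv, err := GenerateKeys()
	if err != nil {
		return false, false, err
	}
	payload, err := json.Marshal(Transfer{From: "alice", To: "bob", Amount: 100})
	if err != nil {
		return false, false, err
	}
	msg := Sign(priv, payload)
	okOriginal = Verify(pub, msg)

	// Attacker rewrites the amount but can only reuse the old signature.
	tamperedPayload, err := json.Marshal(Transfer{From: "alice", To: "bob", Amount: 100000})
	if err != nil {
		return false, false, err
	}
	tampered := SignedMessage{Payload: tamperedPayload, Signature: msg.Signature}
	okTampered = Verify(pub, tampered)
	return okOriginal, okTampered, nil
}

func main() {
	okOriginal, okTampered, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("original verifies: %v, tampered verifies: %v\n", okOriginal, okTampered)
}
```

A signature detects modification; it does not by itself stop an attacker from replaying an unmodified signed message, so payloads that must not be reused also need a nonce, timestamp or sequence number inside the signed bytes.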
What is a countermeasure to the web application security frame
(ASF) configuration management threat category? - ✔✔✔ Correct
Answer > Service accounts have no administration capabilities.
Which type of requirement specifies that user passwords will
require a minimum of 8 characters, must include one uppercase
letter, one number, and one special character? - ✔✔✔ Correct Answer
> Security requirement
Explanation:
A security requirement defines rules that enhance system
protection against unauthorized access and vulnerabilities.
Which type of requirement specifies that credit card numbers are
designated as highly sensitive confidential personal information?
- ✔✔✔ Correct Answer > Data classification requirement
Explanation:
A Data Classification Requirement categorizes information based
on its sensitivity, confidentiality, and handling requirements.
Credit card numbers are classified as highly sensitive data under
standards like PCI DSS, requiring encryption, limited access, and
protection mechanisms.
This classification ensures proper security measures are applied
to protect personal and financial information.
Which privacy impact statement requirement type defines how
personal information is protected on devices used by more than
a single associate? - ✔✔✔ Correct Answer > Privacy control
requirements
Explanation:
Privacy control requirements focus on establishing rules and
safeguards to protect personal information when multiple users
share a device.
These controls include data encryption, anonymization, access
logs, and user permissions to prevent unauthorized access or
misuse of sensitive data.
They help ensure compliance with privacy regulations (e.g.,
GDPR, CCPA, HIPAA).
In which step of the PASTA threat modeling methodology does
design flaw analysis take place? - ✔✔✔ Correct Answer > Vulnerability
and weakness analysis - Design flaw analysis happens in Stage 5
(Vulnerability and Weakness Analysis) of PASTA's seven stages. This
stage reviews the application's design and existing vulnerability data
to identify flaws and score their potential impact; attack modeling
follows in Stage 6 and risk and impact analysis in Stage 7.
Which privacy impact statement requirement type defines who
has access to personal information within the product? - ✔✔✔
Correct Answer > Access requirements
Explanation:
Access requirements define who can access personal
information and under what conditions within a product.