Fundamentals of Information Security (WGU C836) 2026: Detailed Study Guide with Practice Exams, Quizzes, and Security Principles Review
The Fabrication attack type most commonly affects which principle(s) of the CIA triad?
A. Availability
B. Integrity
C. Confidentiality
D. Integrity and Availability
E. Confidentiality and Integrity
Correct Answer: D. Integrity and Availability
Rationale: Fabrication attacks involve creating false data or transactions, which compromises
data integrity. They may also affect availability if fabricated data disrupts normal system
operations. Confidentiality is not the primary target.
The Interception attack type most commonly affects which principle(s) of the CIA triad?
A. Integrity and Availability
B. Confidentiality and Integrity
C. Availability
D. Integrity
E. Confidentiality
Correct Answer: E. Confidentiality
Rationale: Interception attacks involve unauthorized access to data, such as eavesdropping or
sniffing traffic. This directly compromises confidentiality, not integrity or availability.
Something that has the potential to cause harm to our assets is known as a(n) ________.
A. Threat
B. Impact
C. Risk
D. Vulnerability
Correct Answer: A. Threat
Rationale: A threat is any circumstance or event that could cause harm. Impact is the result of an
event, risk is the likelihood of harm, and a vulnerability is a weakness that may be exploited.
Controls that protect the systems, networks, and environments that process, transmit, and store
our data are called _______.
A. Logical controls
B. Administrative controls
C. Physical controls
Correct Answer: A. Logical controls
Rationale: Logical (technical) controls include firewalls, authentication systems, and encryption.
Administrative controls involve policies and procedures, while physical controls protect facilities
and hardware.
What is the first and arguably one of the most important steps of the risk management process?
A. Assess risks
B. Mitigate risks
C. Identify threats
D. Assess vulnerabilities
E. Identify assets
Correct Answer: E. Identify assets
Rationale: Risk management begins with identifying what needs protection. Without knowing
the assets, it is impossible to accurately assess threats, vulnerabilities, or risks.
Protects information and information systems from unauthorized access, use, disclosure,
disruption, modification, or destruction.
A. Cybersecurity
B. Information security
C. Network security
D. Operational security
Correct Answer: B. Information security
Rationale: Information security is defined by protecting information and systems from
unauthorized actions. The other options represent subsets or related disciplines.
Which type of attack primarily targets confidentiality?
A. Modification
B. Fabrication
C. Interception
D. Interruption
Correct Answer: C. Interception
Rationale: Interception involves unauthorized access to information, such as wiretapping or
packet sniffing, directly violating confidentiality.
Something that has the potential to cause harm to our assets is best defined as:
A. Threat
B. Risk
C. Vulnerability
D. Impact
Correct Answer: A. Threat
Rationale: A threat represents a possible source of harm. Risk considers probability, and
vulnerability is a weakness that may be exploited.
A weakness that can be used to harm us is known as a:
A. Threat
B. Risk
C. Vulnerability
D. Impact
Correct Answer: C. Vulnerability
Rationale: Vulnerabilities are weaknesses that threats can exploit. Threats are potential attackers
or events, and risk reflects likelihood.
The likelihood that something bad will happen is referred to as:
A. Threat
B. Vulnerability
C. Risk
D. Impact
Correct Answer: C. Risk
Rationale: Risk combines the probability of an event with its potential impact. The other options
describe different components of risk.
An attack that involves tampering with our assets is known as a:
A. Interception attack
B. Modification attack
C. Fabrication attack
D. Interruption attack
Correct Answer: B. Modification attack
Rationale: Modification attacks alter data or systems. Interception accesses data, fabrication
creates false data, and interruption disrupts availability.
Which model adds possession or control, utility, and authenticity to the CIA triad?
A. Bell-LaPadula model
B. Biba model
C. Parkerian hexad
D. Brewer and Nash model
Correct Answer: C. Parkerian hexad
Rationale: The Parkerian hexad expands the CIA triad by adding possession/control, utility, and
authenticity.
The physical disposition of the media on which data is stored refers to:
A. Confidentiality
B. Integrity
C. Possession or control
D. Utility