FINAL EXAM 2026/2027 Applied Cybersecurity, Cryptography & Secure Systems | 300 Verified Questions with Detailed Explanations
This comprehensive 300-question study set is designed for students preparing for
the CSCI 4200 Information Security Final Examination. Each question includes the
correct answer (bolded) and a detailed Rationale based on industry standards,
cryptographic principles, security frameworks (NIST, ISO 27001), and common attack
vectors.
Important Note: This exam covers key areas including symmetric and asymmetric
cryptography, hash functions, digital signatures, PKI, network security (firewalls, IDS/IPS),
application security, operating system security, access control models, risk management,
and incident response.
DOMAIN 1: FOUNDATIONS OF INFORMATION SECURITY (40 Questions – 1 to 40)
1. The CIA triad in information security consists of:
A) Confidentiality, Integrity, Authorization
B) Confidentiality, Integrity, Authentication
C) Confidentiality, Integrity, Availability
D) Confidentiality, Inspection, Auditing
Rationale: The CIA triad is the foundational model of information security: Confidentiality
(preventing unauthorized disclosure), Integrity (preventing unauthorized modification),
and Availability (ensuring timely and reliable access).
2. Which of the following best describes "authenticity" in information security?
A) Ensuring data is available when needed
B) Verifying that a user, system, or data is genuine and not counterfeit
C) Ensuring data is protected from unauthorized modification
D) Tracking user actions for accountability
Rationale: Authenticity (or authentication) verifies the identity of users, systems, or the
origin of data. It ensures that parties are who they claim to be.
3. "Non-repudiation" ensures that:
A) A user cannot deny their actions
B) A system remains available at all times
C) A user cannot deny having performed a specific action (e.g., sending a message)
D) Data remains confidential during transmission
Rationale: Non-repudiation provides proof of the origin or delivery of data, preventing the
sender or receiver from denying the transaction. Digital signatures are used to achieve
non-repudiation.
4. Which layer of the OSI model is most commonly associated with IPsec (Internet
Protocol Security)?
A) Application layer
B) Transport layer
C) Network layer
D) Data link layer
Rationale: IPsec operates at the network layer (Layer 3) of the OSI model, providing
encryption and authentication for IP packets.
5. Which of the following is an example of two-factor authentication (2FA)?
A) Username + password
B) Password + hardware token (e.g., smart card, YubiKey)
C) Fingerprint scan only
D) Retina scan only
Rationale: 2FA requires two of three factors: something you know (password),
something you have (token), or something you are (biometric). Password + token
qualifies as 2FA.
6. What is "shoulder surfing"?
A) A type of network attack
B) Observing someone's keystrokes or screen over their shoulder to capture
sensitive information
C) A physical security breach through an open window
D) A method of bypassing firewalls
Rationale: Shoulder surfing is a social engineering attack where an attacker physically
observes a user entering credentials or other sensitive information.
7. Which of the following is the primary purpose of a security policy?
A) To increase system performance
B) To define the organization's security requirements, responsibilities, and
acceptable practices
C) To replace technical security controls
D) To eliminate all security risks
Rationale: A security policy provides high-level direction and establishes the framework for
security controls, defining what must be protected and how.
8. The principle of "least privilege" states that:
A) Users should have full access to all resources
B) Users should have access only to resources they need for their job duties, and
nothing more
C) Users and processes should be granted the minimum necessary access rights to
perform their functions
D) Only system administrators need access controls
Rationale: Least privilege limits the potential damage from accidents, errors, or
unauthorized use by restricting access to only what is necessary.
9. Which of the following is a "something you are" authentication factor?
A) Password
B) Smart card
C) Fingerprint scan
D) PIN number
Rationale: Biometrics (fingerprint, iris scan, voice recognition) are "something you are"
factors. Passwords and PINs are "something you know." Smart cards are "something you
have."
10. What is the primary goal of "defense in depth"?
A) To use a single, powerful security control
B) To layer multiple security controls so that if one fails, others remain
C) To eliminate all security controls
D) To focus only on perimeter security
Rationale: Defense in depth uses overlapping layers of security (physical, technical,
administrative) to provide redundancy in protection.
11. Which of the following is NOT a component of the Parkerian Hexad?
A) Confidentiality
B) Integrity
C) Availability
D) Anonymity
Rationale: The Parkerian Hexad expands the CIA triad by adding Possession/Control,
Authenticity, and Utility. Anonymity is not a core security principle.
12. What does "AAA" stand for in security?
A) Authentication, Authorization, Accountability
B) Access, Audit, Authentication
C) Authentication, Authorization, Accounting
D) Access, Authorization, Auditing
Rationale: AAA refers to Authentication (verifying identity), Authorization (granting
permissions), and Accounting (logging/tracking activities).
13. "Possession or control" as an additional security goal means:
A) The data is correct and unaltered
B) The legitimate owner maintains control over the data (i.e., it has not been
stolen)
C) The data is available 24/7
D) The data is encrypted
Rationale: Possession/control refers to physical or logical control of data. A breach of
possession occurs when data is stolen, even if confidentiality is maintained (e.g., encrypted
data taken).
14. "Utility" in the Parkerian Hexad refers to:
A) The data is useful to the attacker
B) The data is in a usable format for its intended purpose
C) The data is encrypted
D) The data is backed up
Rationale: Utility means the data is useful to its intended purpose. An encrypted file has
lost utility without the decryption key.
15. A "zero-day vulnerability" is a vulnerability that:
A) Has been patched by the vendor
B) Is unknown to the vendor and has no available patch
C) Only affects day-old systems
D) Is always a configuration error
Rationale: Zero-day vulnerabilities are unknown to the software vendor and therefore
have no patch available at the time of discovery.
16. The "attack surface" of a system includes:
A) Only network ports
B) Only user interfaces
C) All possible points where an attacker can enter or extract data from the system