Questions, Correct Answers, and Detailed Rationales
Question 1
Which of the following BEST describes a Business Impact Analysis (BIA)?
A) A process that assesses and identifies the potential effects of disruptions to a business
operation.
B) A process that uses specific numerical values to assess risk.
C) A component that, if it fails, will cause the entire system to fail.
D) The level of risk that an organization finds acceptable.
Correct Answer: A) A process that assesses and identifies the potential effects of disruptions
to a business operation.
Rationale: This is the exact definition provided for a BIA. Its purpose is to understand the
consequences of a disruption to specific business functions to inform recovery strategies.
Question 2
In a network, the primary internet router fails, causing the entire office to lose connectivity. This
router is an example of a(n):
A) Residual risk
B) Single Point of Failure (SPOF)
C) Quantitative risk
D) Business Impact Analysis (BIA)
Correct Answer: B) Single Point of Failure (SPOF)
Rationale: The text defines a SPOF as "A component or system that, if it fails, will cause
the entire system to fail." The internet router fits this description perfectly.
Question 3
A risk assessment that assigns a dollar value of $50,000 to a potential data breach is an example
of what type of assessment?
A) Qualitative
B) Residual
C) Quantitative
D) Appetite-based
Correct Answer: C) Quantitative
Rationale: A quantitative assessment "uses specific numerical values." Assigning a
monetary value like $50,000 is a key characteristic of this approach.
Question 4
A security manager describes the risk of a server failure as "high" and its impact as "medium."
This is an example of what type of risk assessment?
A) Quantitative
B) Numerical
C) Financial
D) Qualitative
Correct Answer: D) Qualitative
Rationale: A qualitative assessment "uses non-numerical categories that are relative in
nature, such as high, medium, and low."
Question 5
A company decides it is willing to lose up to 4 hours of data in the event of a disaster and can
tolerate a maximum of 24 hours of downtime. These decisions are a reflection of the company's:
A) Residual risk
B) Vendor lock-in
C) Risk appetite
D) Defense in depth
Correct Answer: C) Risk appetite
Rationale: The text defines risk appetite as the "level, amount, or type of risk that the
organization finds acceptable." The RPO (4 hours of tolerable data loss) and the RTO (24
hours of tolerable downtime) are direct expressions of that appetite, and any backup and
recovery design the company chooses must be measured against them.
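The RPO and RTO in Question 5 are only meaningful if they are checked against what the recovery controls actually deliver. The following added example (not part of the original quiz) takes a constructed backup log, finds any gap between backups that exceeds a 4-hour RPO, computes the data that would be lost for a given failure time, and tests a restore against a 24-hour RTO. The log lines, timestamps, and function names are assumptions made for illustration.

```python
from datetime import datetime

# Risk appetite expressed as recovery objectives, using Question 5's figures.
RPO_HOURS = 4.0   # maximum tolerable data loss
RTO_HOURS = 24.0  # maximum tolerable downtime

# Constructed sample backup log (illustrative only, not from the original page).
BACKUP_LOG = [
    "2024-03-01T00:00:00 backup completed",
    "2024-03-01T03:00:00 backup completed",
    "2024-03-01T06:00:00 backup completed",
    "2024-03-01T09:00:00 backup completed",
    "2024-03-01T15:00:00 backup completed",   # 6-hour gap: exceeds a 4-hour RPO
]


def ts(text):
    """Parse an ISO-8601 timestamp string into a datetime."""
    return datetime.fromisoformat(text)


def hours(delta):
    """Convert a timedelta to a number of hours."""
    return delta.total_seconds() / 3600


def parse_backup_times(lines):
    """Extract the completion times of successful backups, sorted ascending."""
    times = []
    for line in lines:
        stamp, _, rest = line.partition(" ")
        if rest.split("#")[0].strip() == "backup completed":
            times.append(ts(stamp))
    return sorted(times)


def rpo_gap_violations(times, rpo_hours=RPO_HOURS):
    """Return the gaps (in hours) between consecutive backups that exceed the RPO.

    A failure landing inside any such gap would lose more data than the
    organization has declared acceptable.
    """
    gaps = [hours(b - a) for a, b in zip(times, times[1:])]
    return [g for g in gaps if g > rpo_hours]


def data_loss_hours(failure, times):
    """Worst-case data loss for a failure at `failure`: hours since the last good backup."""
    prior = [t for t in times if t <= failure]
    return hours(failure - max(prior)) if prior else None


def within_rpo(failure, times, rpo_hours=RPO_HOURS):
    """True if a failure at `failure` would lose no more data than the RPO allows."""
    loss = data_loss_hours(failure, times)
    return loss is not None and loss <= rpo_hours


def within_rto(failure, restored, rto_hours=RTO_HOURS):
    """True if service was restored within the RTO of the failure."""
    return hours(restored - failure) <= rto_hours


if __name__ == "__main__":
    backups = parse_backup_times(BACKUP_LOG)
    print("gaps exceeding RPO (hours):", rpo_gap_violations(backups))
    failure = ts("2024-03-01T14:00:00")
    print("data loss at 14:00 (hours):", data_loss_hours(failure, backups))
    print("within RPO:", within_rpo(failure, backups))
    print("within RTO:", within_rto(failure, ts("2024-03-02T10:00:00")))
```

The 09:00 to 15:00 gap is the finding a practitioner would raise: the stated appetite is 4 hours of loss, but a failure at 14:00 would lose 5 hours, so either the backup interval must shrink or the documented RPO must be revised to match reality.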
Question 6
After implementing a new firewall and antivirus software, a company determines that there is
still a small chance of a malware infection. This remaining risk is known as:
A) Inherent risk
B) Residual risk
C) Accepted risk
D) Transferred risk
Correct Answer: B) Residual risk
Rationale: The definition provided is "The remaining risk that exists after
countermeasures have been applied."
Question 7
A company purchases cybersecurity insurance to cover the financial losses of a potential data
breach. Which risk management strategy is being used?
A) Avoidance
B) Mitigation
C) Transference
D) Acceptance
Correct Answer: C) Transference
Rationale: Transference is a strategy that "involves transferring or sharing the
responsibility for managing risks with another party, such as an insurance provider."
Note that insurance transfers the financial consequences of a breach, not the
obligation to protect the data or to notify affected parties, which stays with the company.
Question 8
Which of the following represents a potential emergent concern during a Business Impact
Analysis (BIA)?
A) The cost of existing security controls.
B) The identification of new dependencies on a third-party service.
C) The historical frequency of power outages.
D) The current inventory of company assets.
Correct Answer: B) The identification of new dependencies on a third-party service.
Rationale: A BIA can uncover previously unknown or unevaluated dependencies. The text
lists "New dependencies" as a potential emergent BIA concern.
Question 9
The maximum acceptable amount of data loss an organization is willing to tolerate is defined by
its:
A) Recovery Time Objective (RTO)
B) Recovery Point Objective (RPO)
C) Service Level Agreement (SLA)
D) Business Impact Analysis (BIA)