MISY 5325 MIDTERM ACTUAL EXAM NEWEST 2025/2026
COMPLETE QUESTIONS AND CORRECT DETAILED ANSWERS
(VERIFIED ANSWERS) |BRAND NEW VERSION!!
The formulas used in a quantitative risk assessment typically look at a single year.
The calculations can become quite complex if other costs are included. Which of
the following is not usually included in the calculations?
A. Annualized Rate of Occurrence (ARO)
B. Single Loss Expectancy (SLE)
C. Annualized Loss Expectancy (ALE)
D. Cost to maintain a control
The cost to maintain a control
In a risk assessment, which of the following refers to how responsibilities are
assigned?
a. Operational characteristics
b. Management operations
c. Configuration management
d. Management structure
Management structure
Which of the following is not true of data and information assets?
a. Access controls protect data from unauthorized disclosure.
b. Backups protect data when it becomes corrupted or accidentally deleted.
c. Data classified at different levels, such as public and private, receives the same
levels of protection.
d. Many organizations don't recognize the value of their data until it is lost.
Data classified at different levels, such as public and private, receives the same
levels of protection.
_________ are acts that are hostile to an organization.
A) Intentional threats
B) Unintentional threats
C) Human threats
D) All threats
Intentional threats
Which of the following is often the weakest link in IT security?
A. physical security
B. people
C. use of pass-phrases
D. use of computer firewalls
People
A new company does not have a lot of revenue for the first year. Installing
antivirus software for all the company's computers would be very costly, so the
owners decide to forgo purchasing antivirus software for the first year of the
business. In what domain of a typical IT infrastructure is a vulnerability created?
A) workstation domain
B) malware domain
C) LAN domain
D) WAN domain
Workstation Domain
Companies use risk assessment strategies to differentiate ___________ from
_________.
A) vulnerabilities, weaknesses
B) vulnerabilities, threats
C) risks, threats
D) severe risks, minor risks
Severe risks, minor risks
What is the primary reason security professionals automate some processes?
A) To create security policies
B) To enforce the principle of least privilege
C) To enforce the principle of need to know
D) To reduce human error
To reduce human error
Which of the following is not a risk management step?
A. eliminating all risks
B. identifying risks
C. taking steps to reduce risk to an accepted level
D. assessing risks
Eliminating all risks
What are the elements of the security triad?
A. cooperation, installation, and acquisition
B. confidence, intelligence, and assessment
C. coordination, implementation, and authorization
D. confidentiality, integrity, and availability
Confidentiality, integrity, and availability
Another term for risk mitigation is:
A) risk reduction.
B) risk assessment.
C) risk management.
D) risk evaluation.
Risk reduction
What can you control about threat/vulnerability pairs?
A) the vulnerability
B) the threat
C) the loss
D) the cost
The vulnerability only
Isabella works as a risk specialist for her company. She wants to determine which
risks should be managed and which should not by applying a test to each risk.
Risks that don't meet the test are accepted. What type of test does she apply?
A. Cost assessment
B. reasonableness test
C. control test
D. vulnerability test
Reasonableness test
Which of the following is a division of the U.S. Department of Commerce and
publishes the Risk Management Framework (RMF) 800 special publications series?
A. Department of Homeland Security (DHS)
B. MITRE Corporation
C. National Institute of Standards and Technology (NIST)
D. United States Computer Emergency Readiness Team (US-CERT)
National Institute of Standards and Technology (NIST)
Rodrigo is a network security specialist. He wants to perform real-time analysis of
security data gathered from networked systems. Which of the following is the best
solution for Rodrigo to implement?
A. Intrusion prevention system (IPS)
B. vulnerability scanning
C. security information and event management (SIEM)
D. configuration management