WGU C836 Fundamentals of Information Security 2026: Comprehensive Exam Preparation, Practice Questions, and Concept Review Guide
Which cybersecurity term is defined as the potential for an attack on a resource?
A Impact
B Vulnerability
C Risk
D Threat
Correct Answer: D Threat
Rationale: A threat refers to any circumstance or event with the potential to cause harm by
exploiting a vulnerability. Impact describes the consequence of an attack, vulnerability is a
weakness that can be exploited, and risk combines likelihood and impact; none of these names the
potential for an attack itself.
Which security type deliberately exposes a system's vulnerabilities or resources to an attacker?
A Intrusion detection
B Firewalls
C Honeypots
D Intrusion prevention
Correct Answer: C Honeypots
Rationale: Honeypots are intentionally vulnerable systems designed to attract attackers for
monitoring and analysis. Intrusion detection and prevention monitor or block attacks, while
firewalls filter traffic rather than expose vulnerabilities.
Which tool can be used to map devices on a network, along with their operating system types
and versions?
A Packet sniffer
B Packet filter
C Port scanner
D Stateful firewall
Correct Answer: C Port scanner
Rationale: Port scanners identify open ports, services, and often operating systems on network
devices. Packet sniffers capture traffic, packet filters allow or block traffic, and stateful firewalls
track session states.
Which web attack is a server-side attack?
A Clickjacking
B Cross-site scripting
C SQL injection
D Cross-site request forgery
Correct Answer: C SQL injection
Rationale: SQL injection targets server-side databases by injecting malicious queries.
Clickjacking, XSS, and CSRF primarily exploit client-side or user-session behaviors.
An organization employs a VPN to safeguard its information.
Which security principle is protected by a VPN?
A Data in motion
B Data at rest
C Data in use
D Data in storage
Correct Answer: A Data in motion
Rationale: VPNs encrypt data while it is transmitted across networks. They do not protect data at
rest (stored data) or data in use (data being actively processed).
A malicious hacker was successful in a denial of service (DoS) attack against an institution's
mail server. Fortunately, no data was lost or altered while the server was offline.
Which type of attack is this?
A Modification
B Fabrication
C Interception
D Interruption
Correct Answer: D Interruption
Rationale: An interruption attack disrupts system availability without altering data. Modification
changes data, fabrication inserts false data, and interception involves unauthorized access.
A company has had several successful denial of service (DoS) attacks on its email server.
Which security principle is being attacked?
A Possession
B Integrity
C Confidentiality
D Availability
Correct Answer: D Availability
Rationale: DoS attacks aim to prevent authorized users from accessing services. Confidentiality,
integrity, and possession are not the primary targets in this scenario.
A new start-up company has started working on a social networking website. The company has
moved all its source code to a cloud provider and wants to protect this source code from
unauthorized access.
Which cyber defense concept should the start-up company use to maintain the confidentiality of
its source code?
A Alarm systems
B Account permissions
C Antivirus software
D File encryption
Correct Answer: D File encryption
Rationale: Encryption ensures that even if unauthorized access occurs, the data remains
unreadable. Account permissions help but do not protect data if access is bypassed.
A company has an annual audit of installed software and data storage systems. During the audit,
the auditor asks how the company's most critical data is used.
Which principle of the Parkerian hexad is the auditor addressing?
A Possession
B Integrity
C Authenticity
D Utility
Correct Answer: D Utility
Rationale: Utility refers to the usefulness of data for its intended purpose. The other options
address ownership, accuracy, or authenticity, not usability.
Which web attack is possible due to a lack of input validation?
A Extraneous files
B Clickjacking
C SQL injection
D Cross-site request forgery
Correct Answer: C SQL injection
Rationale: SQL injection exploits improperly validated user input. Clickjacking and CSRF rely
on user interaction rather than input validation failures.
Which file action implements the principle of confidentiality from the CIA triad?
A Compression
B Hash
C Backup
D Encryption
Correct Answer: D Encryption
Rationale: Encryption prevents unauthorized disclosure of information. Hashing supports
integrity, backups support availability, and compression has no security function.
Which cyber defense concept suggests limiting permissions to only what is necessary to perform
a particular task?
A Authentication
B Authorization
C Defense in depth
D Principle of least privilege
Correct Answer: D Principle of least privilege
Rationale: This principle ensures users have only the minimum access required. Authentication
verifies identity, authorization grants access, and defense in depth layers controls.