CRISC Certified in Risk and Information Systems Control – Question474

Which of the following is the MOST important benefit of key risk indicators (KRIs)?

A. Assisting in continually optimizing risk governance
B. Providing an early warning to take proactive actions
C. Enabling the documentation and analysis of trends
D. Ensuring compliance with regulatory requirements

Correct Answer: A

CRISC Certified in Risk and Information Systems Control – Question473

Which of the following is the BEST indicator of an effective IT security awareness program?

A. Decreased success rate of internal phishing tests
B. Number of employees that complete security training
C. Number of disciplinary actions issued for security violations
D. Decreased number of reported security incidents

Correct Answer: D

CRISC Certified in Risk and Information Systems Control – Question472

Which of the following should be the PRIMARY focus of an IT risk awareness program?

A. Cultivate long-term behavioral change
B. Demonstrate regulatory compliance
C. Ensure compliance with the organization’s internal policies
D. Communicate IT risk policy to the participants

Correct Answer: A

CRISC Certified in Risk and Information Systems Control – Question470

A risk practitioner has populated the risk register with industry-based generic risk scenarios to be further assessed by risk owners. Which of the following is the GREATEST concern with this approach?

A. Risk scenarios in the generic list may not help in building risk awareness
B. Risk scenarios that are not relevant to the organization may be assessed
C. Developing complex risk scenarios using the generic list will be difficult
D. Relevant risk scenarios that do not appear in the generic list may not be assessed

Correct Answer: B

CRISC Certified in Risk and Information Systems Control – Question469

Which of the following is the FIRST step in managing the security risk associated with wearable technology in the workplace?

A. Develop risk awareness training
B. Monitor employee usage
C. Identify the potential risk
D. Assess the potential risk

CRISC Certified in Risk and Information Systems Control – Question468

An organization has outsourced its IT security management function to an external service provider. The BEST party to own the IT security controls under this arrangement is the:

A. organization’s risk function
B. service provider’s audit function
C. organization’s IT management
D. service provider’s IT security function

Correct Answer: A

CRISC Certified in Risk and Information Systems Control – Question467

Which of the following BEST indicates the effectiveness of an organization’s data loss prevention (DLP) program?

A. Reduction in financial impact associated with data loss incidents
B. Reduction in the number of false positives and false negatives
C. Reduction in the number of approved exceptions to the DLP policy
D. Reduction in the severity of detected data loss events

Correct Answer: D

CRISC Certified in Risk and Information Systems Control – Question466

What is the PRIMARY reason to categorize risk scenarios by business process?

A. To determine aggregated risk levels by risk owner
B. To identify situations that result in over-control
C. To enable management to implement cost-effective risk mitigation
D. To show business activity deficiencies that need to be improved

Correct Answer: C