Chapter 112 · Quiz

Risk Management Strategies — Quiz

Ten questions covering risk transfer through insurance, risk acceptance, exemptions vs. exceptions, risk avoidance, risk mitigation, and risk reporting to senior leadership.

1. A company purchases a cybersecurity insurance policy that covers ransomware recovery costs, legal expenses, and breach notification fees. After a ransomware attack encrypted their servers, the insurer paid out $800,000. Which risk management strategy did the organization use, and what did it NOT accomplish?
2. A manufacturing company purchases a specialized industrial robot that runs Windows 7. The equipment vendor states they do not support any OS patches or updates and that applying patches will void the warranty and potentially damage the equipment. The company's security policy requires monthly OS patches on all Windows systems. What is the appropriate risk management response?
3. A company's security policy requires that all OS patches be applied within 72 hours of release. This month's Windows update causes the company's critical ERP system to crash. The vendor has acknowledged the incompatibility and is working on a fix expected in two weeks. What is the appropriate risk management response?
4. After analyzing their public-facing web application, a security team determines it has too many unresolvable vulnerabilities and poses unacceptable risk. Management decides to shut down the web application entirely and redirect customers to a partner's platform. Which risk management strategy does this represent?
5. A security team is concerned about internet-facing attack risk. They install a next-generation firewall with application inspection, implement multi-factor authentication on all remote access, and segment the network to limit lateral movement. Which risk management strategy do these actions collectively represent?
6. A CISO prepares a quarterly security risk report for the board of directors. The report includes identified risks with business impact descriptions, likelihood ratings, current mitigation status, and highlights two newly discovered attack vectors the organization has not yet addressed. What purpose do these newly discovered risks serve in the report, and who is the intended decision-maker?
Matching: Risk Management Strategies

Match each strategy (1–4) to its correct description (A–D).

1Risk Transfer
2Risk Avoidance
3Risk Mitigation
4Risk Acceptance
AA deliberate, documented business decision to tolerate a risk without implementing additional controls because the cost of mitigation exceeds the potential damage or the risk falls within the stated risk appetite
BCompletely eliminates a risk by stopping participation in the activity that creates it; the only strategy that fully removes the risk rather than reducing or shifting it
CShifts financial responsibility for a risk to another party through mechanisms such as cybersecurity insurance or outsourcing; does not eliminate the underlying threat
DReduces the likelihood or impact of a threat through security controls such as firewalls, MFA, encryption, and patching; does not eliminate the risk but lowers it to an acceptable level