Information Technology For Management Digital Strategies For Insight Action and Sustainable Performance 10th Edition Turban Test Bank 1

INFORMATION TECHNOLOGY FOR
MANAGEMENT DIGITAL STRATEGIES FOR

INSIGHT ACTION AND SUSTAINABLE
PERFORMANCE 10TH EDITION TURBAN
SOLUTIONS MANUAL
Full download at link:
Test bank: https://testbankpack.com/p/test-bank-for-information-

technology-for-management-digital-strategies-for-insight-action-and-
sustainable-performance-10th-edition-turban-pollard-and-wood-
1118897781-9781118897782/
Solution Manual: https://testbankpack.com/p/solution-manual-for-

information-technology-for-management-digital-strategies-for-insight-
action-and-sustainable-performance-10th-edition-turban-pollard-and-
wood-1118897781-9781118897782/
Chapter 5: CyberSecurity and Risk Management
Test Bank
Multiple Choice
1. The discount retailer Target suffered a hacker attack during the fourth quarter of 2013
(4Q2013) that exposed customer account information. Which of the following was not an
impact of Target’s hacker attack and data breach?
a. 4Q 2013 profit dropped 46% and sales revenue fell 5.3 % after breach was
disclosed.
b. Gartner estimated the cost of the breach from $400 million to $450 million
c. Target faced 2 lawsuits—one related to privacy invasion and one for negligence.
1
d. The incident scared shoppers away, affecting the company’s profits throughout
2014.
Answer: C
Difficulty: Hard
Section Ref: Opening Case 5.1AACSB: Dynamics of the global economy
2. Almost half of the 2013 breaches occurred in ________, where the largest number of records
was exposed—more than 540 million data records or 66 percent.
a. Asia
b. China
c. Europe
d. The United States
Answer: D
Difficulty: Easy
Section Ref: 5.1 The Face and Future of Cyberthreats
AACSB: Use of Information Technology
2
3. Negative consequences of lax cybersecurity that companies tend to face include all of the
following except ________.
a. Damaged brands and reputations

b. Criminal charges
c. Financial penalties
d. Customer backlash
Answer: B
Difficulty: Easy
4. The main cause of data breaches is ________, which is so successful because of ________
when management does not do enough to defend against cyberthreats.
a. Hacking; highly motivated hackers

b. Hacking; negligence
c. Malware; BYOD
d. Malware; negligence
Answer: B
Difficulty: Medium
5. Boeing’s Black smartphone is secure because it ________.
a. Is self-destructing if tampered with.

b. Uses dual SIM cards
c. Communicates via satellite
d. Is an Android device
Answer: A
Difficulty: Easy
3
6. A(n) ________ attack bombards a network or website with traffic to crash it and leave it
vulnerable to other threats.
a. advanced persistent threat

b. distributed denial-of-service
c. malware
d. phishing
Answer: B
Difficulty: Medium
7. Attacks ________ could significantly disrupt the functioning of government and business—
and trigger cascading effects far beyond the targeted sector and physical location of the
incident.
a. By hacktivists
b. By hackers
c. On critical infrastructure
d. On industrial control systems
Answer: C
Difficulty: Hard
8. Which of the following represents a cybersecurity concern about employees using their own
smartphones for work purposes?
a. Employees will spend too much time playing games or using entertainment and
recreation apps, thus reducing productivity.
b. Managers will be unable to monitor the time spent on personal calls made during
work hours.
c. Many personal smartphones do not have anti-malware or data encryption apps,
creating a security problem with respect to any confidential business data stored
on the device.
d. Consumer-quality equipment are more likely to break or malfunction than
enterprise quality devices.
Answer: C
Difficulty: Medium
4
9. ________ is also known as human hacking—tricking users into revealing their credentials
and then using them to gain access to networks or accounts.
a. Android-hacking
b. BYOD
c. Hacktivism
d. Social engineering
Answer: D
Difficulty: Medium
10. Experts believe the three greatest cybersecurity dangers over the next few years will involve
all of the following except __________.
a. persistent threats
b. POS attacks
c. mobile computing
d. the use of social media
Answer: B
Difficulty: Hard
11. ____________ is/are defined as “systems and assets, whether physical or virtual, so vital to
the United States that the incapacity or destruction of such systems and assets would have a
debilitating impact on security, national economic security, national public health or safety,
or any combination of those matters.”
a. Critical infrastructure
b. Cyber architecture
c. National networks
d. Strategic assets
Answer: A
Difficulty: Medium
5
12. ___________ tactics are used by hackers and corporate spies to trick people into revealing
login information or access codes.
a. Social engineering
b. Backdoor
c. BYOD
d. Password cracking
Answer: A
Difficulty: Medium
13. A stealth network attack in which an unauthorized person gains access to a network and
remains undetected for a long time is referred to as a(n) __________ attack.
a. registry denial
b. advanced persistent threat
c. DDOS
d. hacktivist
Answer: B
Difficulty: Medium
14. Cybercrime surveys have reported each of the following trends or findings except ________.
a. security incidents increased 33% despite implementation of security practices

b. current cybersecurity technologies and policies are simply not keeping pace with
fast-evolving threats.
c. Many threats and challenges that organizations face today were unimaginable 10
years ago.
d. Older threats such as fraud and identity theft have decreased significantly.
Answer: D
Difficulty: Hard
AACSB: Reflective thinking
6
15. A key of finding of the 2014 Global State of Information Security Survey was ________.
a. Too many companies are defending yesterday---that is, they rely on yesterday’s
cybersecurity practices that are ineffective at combating today’s threats.
b. Protecting all data at an equally high level is now practical and feasible.
c. Most companies implement stringent security policies before moving to cloud
computing, but not before implementing BYOD.
d. APTs require a new information-protection model that focuses on preventing
DDoS attacks.
Answer: A
Difficulty: Hard
16. Advanced persistent threat (APT) attackers want to ________.
a. create awareness for their causes

b. remain unnoticed so they can continue to steal data
c. conduct cyberwarfare
d. reveal weaknesses in business and government websites and then force them
offline.
Answer: B
Difficulty: Medium
17. According to cybersecurity experts, most data breaches go unreported because corporate
victims fear that disclosure would damage their stock price, or because ________.
a. they want to hide the attack from the government

b. they never knew they were hacked in the first place
c. they want to cover up the intrusion
d. they do not have to report them.
Answer: B
Difficulty: Hard
7
18. One source of cybersecurity threats today are ____________who breach networks in an
attempt to gain media attention or for their cause.
a. Hacktivists
b. Political criminals
c. Industrial spies
d. Social engineers
Answer: A
Difficulty: Easy
19. A(n) ________ is a hacker who quietly attempts to breach secure networks looking for trade
secrets or proprietary information.
a. Hacktivist
b. Political criminal
c. profit-motivated cybercriminalIndustrial spy
d. Identity thief
Answer: C
Difficulty: Medium
20. One of ________ specialties is finding websites with poor security, and then stealing and
posting information from them online.
a. LulzSec’s.
b. .RSA’s
c. Fraudsters’
d. Botmasters’
Answer: A
Difficulty: Medium
21. LulzSec and Anonymous are examples of ________ that have claimed responsibility for high
profile attacks designed to make a political statement, embarrass an organization or
government, or to gain publicity.
8
a. Hacktivists
b. Hostile government agents
c. Industrial spies
d. Cyber terrorists
Answer: A
Difficulty: Easy
22. The preferred method of hackers who want to steal trade secrets and other confidential
information from business organizations is ___________.
a. To bribe employees to get access codes and passwords.

b. To bombard websites or networks with so much traffic that they “crash”,
exposing sensitive data.
c. To break into employees’ mobile devices and leapfrog into employers’
networks—stealing secrets without a trace.
d. Use a combination of sophisticated hardware tools designed to defeat IT security
defenses.
Answer: C
Difficulty: Hard
23. U.S. cybersecurity experts and government officials are increasingly concerned about
breaches from __________ into corporate networks, either through mobile devices or by
other means.
a. Domestic terrorists
b. Amateur hackers
c. Organized crime syndicates based in the United States
d. Other countries
Answer: D
Difficulty: Hard
24. Government and corporate officials concerned about security threats do not bring their own
cell phones or laptops when traveling overseas. Instead, they bring loaner devices and follow
9
strict security procedures including not connecting to their domestic network while out of the
country. These procedures are referred to as _________.
a. Black Ops procedures

b. Do-Not-Carry rules
c. Foreign Threat Prevention procedures
d. Strict Security standards
Answer: B
Difficulty: Medium
25. The objectives of cybersecurity are to accomplish each of the following except _________.
a. Make data and documents available and accessible 24/7 while simultaneously
restricting access.
b. Promote secure and legal sharing of information among authorized persons and
partners.
c. Ensure compliance with supply chain business partners.
d. Detect, diagnose, and respond to incidents and attacks in real time.
Answer: C
Difficulty: Medium
26. In Cybersecurity terminology, a threat is defined as ________.
a. A weakness that threatens the confidentiality, integrity, or availability of data.

b. Something or someone that can damage, disrupt, or destroy an asset.
c. Estimated cost, loss, or damage that can result from an exploit.
d. Tools or techniques that take compromise a network.
Answer: B
Difficulty: Medium
Section Ref: 5.2 Cyber Risk Management
27. In Cybersecurity terminology, a vulnerability is defined as ________:

10
d. Tools or techniques that take compromise a network.
Answer: A
Difficulty: Medium
28. In Cybersecurity terminology, a risk is defined as ________:

d. The probability of a threat exploiting a vulnerability and the resulting cost.
Answer: D
Difficulty: Medium
29. In Cybersecurity terminology, an exploit is defined as ________:

d. Tools or techniques that take advantage of a vulnerability.
Answer: D
Difficulty: Medium
30. Chris is a network manager for a large company. She receives daily updates about various
malware and then assesses how to best protect her organization’s network from attack. In
cybersecurity terminology, she is involved in __________.
a. Identifying exposure
b. Risk management
c. A security audit
d. Encryption defenses
Answer: B
Difficulty: Medium
11
31. The three key cybersecurity principles are:
a. Data protection, equipment protection, reputation protection

b. Confidentiality, integrity, availability
c. Anticipate, defend, counter-attack
d. Identify, assess risk, take action
Answer: B
Difficulty: Medium
32. When sending sensitive email, James uses a program that transforms data into unreadable
text to protect it from being understood by unauthorized users. James is using ________ to
protect his email communications.
a. Authentication
b. Defense-in-depth
c. Encryption
d. Hashing
Answer: C
Difficulty: Easy
33. Access to top secret or highly secure networks associated with Homeland Security or
national defense use authentication methods based on a biological feature, such as a
fingerprint or retinal scan to identify a person. These methods are called _____________.
a. Bio-Engineering
b. Physical security
c. Biometrics
d. Human factors
Answer: C
Difficulty: Medium
12
34. Most organizations use software or hardware devices to control access to their private
networks from the Internet by analyzing incoming and outgoing data packets. These devices
are called ___________.
a. Antimalware
b. Firewalls
c. Intrusion detection systems
d. Middleware
Answer: B
Difficulty: Easy
35. The ability of an IS to continue to operate when a failure occurs, but usually for a limited
time or at a reduced level is referred to as __________.
a. Fault tolerance
b. Hot site ready
c. Cold site ready
d. System override
Answer: A
Difficulty: Medium
36. IT professionals work hard to protect key characteristics of an asset from security breaches.
One of these characteristics is ________, or the avoidance of unauthorized disclosure of
information or data.
a. Integrity
b. Confidentiality
c. Availability
d. Reliability
Answer: B
Difficulty: Medium
13
One of these characteristics is ____________, or the property that data or files have not been
altered in an unauthorized way.
a. Integrity
b. Confidentiality
c. Availability
d. Reliability
Answer: A
Difficulty: Medium
One of these characteristics is _________, or the property that data is accessible and
modifiable when needed by those authorized to do so.
a. Integrity
b. Confidentiality
c. Availability
d. Reliability
Answer: C
Difficulty: Easy
39. In cybersecurity terms, the function of a password together with a username is to

__________ a user’s identity to verify that the person has the right to access a computer or
network.
a. Record
b. Authenticate
c. Substantiate
d. Validate
Answer: B
Difficulty: Easy
14
40. Intrusion Detection Systems (IDS) are designed to monitor network traffic and identify
threats that have breached the networks’ initial defenses. IDS identify all of the following
except:
a. An attacker who is trying to break into the credentials of a legitimate user in order
to gain access to an IS, device, or network.
b. A legitimate user who performs actions he is not authorized to do.
c. A user who tries to disguise or cover up his actions by deleting audit files or
system logs.
d. Employees who use computing or network resources inefficiently.
Answer: D
Difficulty: Easy
41. While security threats from e-mail viruses and malware have been declining for years as e-
mail security has improved, threats from __________ have increased considerably in recent
years.
a. Software errors
b. Malicious employees
c. Social networks and cloud computing
d. Vendor sabotage
Answer: C
Difficulty: Easy
Section Ref: 5.3 Mobile, App, and Cloud Security
42. Facebook, YouTube, Twitter, LinkedIn, and other social networks are making IT security
dangers worse. Why?
a. Users invite in and build relationships with others. Cybercriminals hack into these
trusted relationships using stolen log-in credentials.
b. E-mail viruses and malware have been increasing for years even though e-mail
security has improved.
c. Communication has shifted from social networks to smartphones.
d. Web filtering, user education, and strict policies cannot help prevent IT security
dangers on Facebook and other social networks.
Answer: A
Difficulty: Hard
Section Ref: 5. 3 Mobile, App, and Cloud Security
15
43. When new vulnerabilities are found in operating systems, applications, or wired and wireless
networks, vendors of those products release __________ or __________ to fix the
vulnerabilities.
a. Patches; service packs

b. Patches; downloads
c. Firewalls; spyware
d. Service packs; firewalls
Answer: A
Difficulty: Medium
Section Ref: 5. 3 Mobile, App, and Cloud Security
44. Which of the following is not a characteristic of money laundering and terrorist financing?
a. Transnational organized crime groups use money laundering to fund their

operations, which creates international and national security threats.
b. Cybercrime is safer and easier than selling drugs, dealing in black market
diamonds, or robbing banks.
c. Funds used to finance terrorist operations are easy to track, which provides
evidence to identify and locate leaders of terrorist organizations and cells.
d. Online gambling offers easy fronts for international money-laundering operations.
Answer: C
Difficulty: Medium
AACSB: Reflective thinking skills
45. Samuel received an email that looked like it came from his bank. The email told him to click
a link that opened an official looking Webpage where he was asked to enter his account
information. But when Samuel examined the URL, he noticed it was a strange address he did
not recognize. Most likely, someone was attempting to steal Samuel’s confidential
information using a technique called __________.
a. Botnets
b. Phishing
c. Spoofing
d. Click hijacking
Answer: B
16
Difficulty: Medium
46. In the United States, the Sarbanes–Oxley Act (SOX), Gramm-Leach-Bliley Act (GLB),
Federal Information Security Management Act (FISMA), and USA Patriot Act all require
businesses to __________________________.
a. Report security breaches via media sources to inform the public

b. Backup sensitive data to offsite locations
c. Protect personally identifiable information
d. Inform the public about network failures in a timely manner
Answer: C
Difficulty: Hard
47. The director of the Federal Trade Commission (FTC) bureau of consumer protection warned
that the agency would bring enforcement action against small businesses that ________
a. failed to inform the public about network failures in a timely manner

b. failed to transmit sensitive data
c. did not report security breaches to law enforcement
d. lacked adequate policies and procedures to protect consumer data.
Answer: D
Difficulty: Hard
48. The principle of ________ acknowledges that the cost of information security needs to be
balanced with its benefits. It is the basic cost–benefit principle with which you are familiar.
a. accounting
b. economic use of resources
c. legality
d. COBIT
Answer: B
Difficulty: Medium
17
49. ________ is the supervision, monitoring, and control of an organization’s IT assets.
a. IT governance
b. Internal control
c. PCI DSS
d. FISMA
Answer: A
Difficulty: Medium
50. The purpose of the ________ is to improve customers’ trust in e-commerce, especially when
it comes to online payments, and to increase the Web security of online merchants.
a. IT governance
b. Internal control
c. PCI DSS
d. FISMA
Answer: C
Difficulty: Medium
51. The IT security defense-in-depth model starts with ________.
a. Senior management commitment and support

b. IT security procedures and enforcement
c. Hardware and software selection
d. Acceptable use policies and IT security training
Answer: A
Difficulty: Medium
52. The IT security defense-in-depth model ends with ________.
a. Senior management commitment and support
18
b. IT security procedures and enforcement
c. Hardware and software selection
d. Acceptable use policies and IT security training
Answer: C
Difficulty: Medium
53. Cybersecurity is ___________.
a. an ongoing unending process

b. a problem that is solved with hardware or software
c. defined in the AUP that is enforced periodically
d. primarily the responsibility of the IT and legal departments
Answer: A
Difficulty: Medium
54. Which of the following statements about malware is false?
a. Technically, malware is a computer program or code that can infect anything

attached to the Internet and is able to process the code.
b. Setting an e-mail client, such as Microsoft Outlook or Gmail, to allow scripting
blocks malware.
c. RATS create an unprotected backdoor into a system through which a hacker can
remotely control that system.
d. The payload carries out the purpose of the malware.
Answer: B
Difficulty: Medium
55. Most APT attacks are launched through ________.
a. Data tampering
b. Worms
c. Phishing
d. Vectors
19
Answer: C
Difficulty: Medium
56. Storm worm, which is spread via spam, is a ________ agent embedded inside over 25
million computers. Storm’s combined power has been compared to the processing power of
________.
a. botnet; a supercomputer
b. spyware; a DDoS attack
c. vector; zombies
d. spear phishing; a server
Answer: A
Difficulty: Hard
57. Sometimes system failures and data or information loss can result from reasons other than an
intentional attempt to breach security. Unintentional threats are all of the following except
___________.
a. Political/civic unrest
b. Human errors
c. Environmental hazards
d. Computer systems failures
Answer: A
Difficulty: Medium
58. __________ is the elapsed time between when vulnerability is discovered and when it is
exploited and has shrunk from months to __________.
a. Time-to-exploitation; days
b. Time-to-exploitation; minutes
c. Denial of service; days
d. Denial of service; seconds
Answer: B
Difficulty: Hard
20
59. Most information security incidents will occur because of _________.
a. Increases in hacker skills and capabilities

b. Poorly designed network protection software
c. Increasing sophistication of computer viruses and worms
d. Users who do not follow secure computing practices and procedures
Answer: D
Difficulty: Hard
60. The Payment Card Industry Data Security Standard (PCI DSS) created by Visa, MasterCard,
American Express, and Discover is a __________.
a. Set of standards required by U.S. and international law for protecting credit card
transaction data.
b. Set of industry standards required for all online merchants that store, process, or
transmit cardholder data.
c. Set of voluntary security guidelines for retailers who accept Visa, MasterCard,
American Express, and Discover credit cards.
d. Set of regulations (that vary from state to state, and country to country) that apply
to credit card companies.
Answer: B
Difficulty: Hard
61. Social networks and cloud computing have increased vulnerabilities in all of the following
ways except ________.
a. by providing a single point of failure and attack for organized criminal networks
b. In Twitter and Facebook, users invite in and build relationships with others.
Cybercriminals hack into these trusted relationships using stolen logins.
c. Twitter’s use of service packs and patches have not been effective.
d. These networks and services increase exposure to risk because of the time-to-
exploitation of today’s sophisticated spyware and mobile viruses
Answer: C
Difficulty: Medium
21
62. Business operations are controlled by apps, systems, and networks that are so interconnected
that anyone’s ________ is an entry point for attacks.
a. mobile device
b. botnet
c. BYOD
d. firewall
Answer: A
Difficulty: Medium
63. Voice and fingerprint _______ can significantly improve the security of physical devices and
provide stronger authentication for remote access or cloud services.
a. cryptography
b. biometrics
c. encryption
d. visualization
Answer: B
Difficulty: Medium
64. Crime can be divided into two categories depending on the tactics used to carry out the
crime: ________.
a. Fraud and felonies

b. Occupational and opportunistic
c. Lethal and misdemeanors
d. violent and nonviolent
Answer: D
Difficulty: Medium
Section Ref: 5.4 Defending Against Fraud
22
65. __________ are essential to the prevention and detection of occupation frauds
a. Anti-malware and firewalls

b. Internal audits and internal controls
c. Encryption and IDS
d. AUPs
Answer: B
Difficulty: Medium
66. The single-most effective fraud prevention tactic is making employees know that ________.
a. fraudsters will be fired

b. fraudsters will be forced to repay what they stole plus interest
c. fraud could destroy the company and jobs.
d. fraud will be detected by IT monitoring systems and punished by the legal system.
Answer: D
Difficulty: Medium
AACSB: Ethical understanding and reasoning abilities
23
67. When it comes to fraud committed by an organization’s employees, the single most effective
fraud prevention technique is _______.
a. Holding managers responsible for the actions of their employees

b. Peer monitoring (employees monitor each other)
c. Creating the perception that fraud will be detected and punished
d. A clearly written employee policy manual that explains unacceptable behaviors
Answer: C
Difficulty: Hard
68. ________ is the most cost-effective approach to fraud.
a. Detection
b. Lawsuits
c. Prevention
d. Prosecution
Answer: C
Difficulty: Medium
69. ___________ is a term referring to a variety of criminal behaviors perpetrated by an

organization’s own employees or contractors.
a. Managerial corruption
b. Insider or internal fraud
c. Corporate fraud
d. Intentional fraud
Answer: B
Difficulty: Medium
24
70. When it comes to defending against employee fraud, regulators look favorably on companies
that can demonstrate good __________ and best practices in operational risk management.
a. Corporate governance
b. Access to legal counsel
c. Relationships with security vendors
d. Awareness of industry standards
Answer: A
Difficulty: Hard
71. Detecting internal fraud has become sophisticated. Audit trails from key systems and
personnel records are stored in data warehouses and subjected to __________ where things
like excessive hours worked, unusual transactions, copying of huge amounts of data and
other unusual patterns of behavior are identified.
a. Security audits
b. Pattern analysis
c. Behavior recognition scans
d. Anomaly detection analysis
Answer: D
Difficulty: Hard
72. People who have their social security or credit card numbers stolen and used by thieves are
frequently victims of ___________________.
a. Insider fraud
b. Identity theft
c. Occupational corruption
d. Document sabotage
Answer: B
Difficulty: Hard
25
73. Internal fraud prevention and detection measures are based on __________ and __________.
a. A detailed recovery plan; containment, including a fault-tolerant system

b. Perimeter defense technologies, such as e-mail scanners; human resource
procedures, such as recruitment screening
c. General controls; application controls
d. Physical controls, including authorization; authentication systems
Answer: B
Difficulty: Hard
74. The _________ is an exercise that determines the impact of losing the support or availability
of a resource.
a. Business impact analysis (BIA)

b. Vulnerability audit
c. Asset valuation audit
d. Computing Cost/Benefit (CCB) audit
Answer: A
Difficulty: Medium
Section Ref: 5.5: Compliance and Internal Control
75. The cybersecurity defense strategy and controls that should be used depend on __________.
a. The source of the threat

b. Industry regulations regarding protection of sensitive data
c. What needs to be protected and the cost-benefit analysis
d. The available IT budget
Answer: C
Difficulty: Medium
26
76. A defense strategy requires several controls. _________are established to protect the system
regardless of the specific application.
a. Application controls
b. Physical controls
c. General controls
d. Authentication controls
Answer: C
Difficulty: Medium
77. A defense strategy requires several controls. ___________ protect computer facilities and
resources such as computers, data centers, software, manuals, and networks.
a. Application controls
b. Physical controls
c. General controls
d. Authentication controls
Answer: B
Difficulty: Medium
Section Ref: 5.5 Compliance and Internal Control
78. Physical security includes several controls. Which of the following is not a type of physical
control?
a. Security bonds or malfeasance insurance for key employees

b. Emergency power shutoff and backup batteries
c. Shielding against electromagnetic fields
d. Properly designed and maintained air-conditioning systems
Answer: A
Difficulty: Medium
27
79. Which of the following is not a type of administrative control for information assurance and
risk management?
a. Fostering company loyalty

b. Immediately revoking access privileges of dismissed, resigned, or transferred
employees
c. Instituting separation of duties by dividing sensitive computer duties among as
many employees as economically feasible
d. Performing authorization and authentication
Answer: D
Difficulty: Medium
80. The internal control environment is the work atmosphere that a company sets for its
employees and is designed to achieve all of the following except _________.
a. Reliability of financial reporting

b. Secure decision making
c. Compliance with laws
d. Compliance with regulations and policies
Answer: B
Difficulty: Hard
81. All of the following describe The Sarbanes-Oxley Act except:
a. Is an antifraud law
b. Forces more accurate business reporting and disclosure of GAAP (generally
accepted accounting principles) violations.
c. Makes it necessary to find and root out fraud.
d. Has been adopted by all countries in North American and the European Union
Answer: D
Difficulty: Medium
AACSB:
28
82. An audit is an important part of any control system. Which of the following is not a question
that would typically be asked as part of an information systems audit?
a. Are there sufficient controls in the system? Which areas are not covered by
controls?
b. Are the controls effective and implemented properly?
c. What is the ROI associated with system controls?
d. Are there procedures to ensure reporting and corrective actions in case of
violations of controls?
Answer: C
Difficulty: Hard
29
True/False
1. The consequences of lax cybersecurity include damaged reputations, financial penalties,

government fines, lost market share, falling share prices, and consumer backlash.
Answer: True
Difficulty: Easy
AACSB: Dynamics of the global economy
2. The main cause of a data breach is malware, but the reason hacking is so successful is
negligence—management not doing enough to defend against cyberthreats.
Answer: False
Difficulty: Medium
3. Robust data security is the responsibility of IT and data managers.
Answer: False
Difficulty: Medium
4. Countering cyber-threats demands diligence, determination, and investment.
Answer: True
Difficulty: Medium
5. Cyber-security experts warn that battling distributed denial-of-service and malware attacks
has become part of everyday business for all organizations.
Answer: True
Difficulty: Medium
30
6. Managers should expect less tolerant regulators and greater fines and negative consequences
for data breaches, according to KPMG.
Answer: True
Difficulty: Medium
7. Powerful IT security systems are needed to defend against what appears to be authorized
access to a network or application.
Answer: False
Difficulty: Medium
8. It is often easy to get users to infect their corporate network or mobiles by tricking them into
downloading and installing malicious apps or backdoors.
Answer: True
Difficulty: Medium
9. When an employee’s device is lost, the company can suffer a data breach if the device is not
encrypted.
Answer: True
Difficulty: Medium
10. Since protecting all data at an equally high level is not practical, cybersecurity strategies need
to classify and prioritize defenses.
Answer: True
Difficulty: Medium
31
11. Botnets are stealth network attacks in which an unauthorized person gains access to a
network and remains undetected for a long time to steal data continuously.
Answer: False
Difficulty: Medium
12. Most data breaches go unreported, according to cybersecurity experts, because corporate
victims fear that disclosure would damage their stock price, or because they never knew they
were hacked in the first place
Answer: True
Difficulty: Medium
13. The smart strategy is to invest more to protect the company’s most valuable assets rather than
try to protect all assets equally.
Answer: True
Difficulty: Easy
14. Exploits are gaps, holes, weaknesses, or flaws in corporate networks, IT security defenses,
user training, policy enforcement, data storage, software, operating systems, apps, or mobile
devices that expose an organization to intrusions or other attacks.
Answer: False
Difficulty: Medium
15. Vulnerabilities exist in networks, OSs, apps, databases, mobile devices, and cloud
environments. These vulnerabilities are attack vectors for malware, hackers, hactivists, and
organized crime.
Answer: True
Difficulty: Medium
32
16. Risk is the probability of a threat successfully exploiting a vulnerability and the estimated
cost of the loss or damage.
Answer: True
Difficulty: Medium
17. Hacking is an industry with its own way of operating, a workforce, and support services,
such as contract hackers.
Answer: True
Difficulty: Easy
18. Firewalls and intrusion detection systems (IDS) mostly protect against internal threats.
Answer: False
Difficulty: Medium
19. Phishing is a deceptive method of stealing confidential information by pretending to be a

legitimate organization, such as PayPal, a bank, credit card company, or other trusted source.
Answer: True
Difficulty: Medium
20. Online gambling offers easy fronts for international money-laundering operations.
Answer: True
Difficulty: Medium
21. Hardware and software security defenses are important because they protect against
irresponsible business practices.
33
Answer: False
Difficulty: Medium
22. One of the biggest mistakes managers make is underestimating IT vulnerabilities and threats.
Answer: True
Difficulty: Easy
23. Most viruses, trojans, and worms are activated when an attachment is opened or a link is
clicked.
Answer: True
Difficulty: Medium
24. When a host computer is infected, attempts to remove the malware may fail—and the
malware may reinfect the host during a restore if the malware is captured in backups or
archives.
Answer: True
Difficulty: Medium
25. Botnets often target select groups of people with something in common—they work at the
same company, bank at the same financial institution, or attend the same university
Answer: False
Difficulty: Medium
26. Social networks and cloud computing increase vulnerabilities by providing a single point of
failure and attack for organized criminal networks.
34
Answer: True
Difficulty: Medium
27. Enterprises take risks with BYOD practices that they never would consider taking with
conventional computing devices.
Answer: True
Difficulty: Medium
28. According to a Mobile Phone report, 17 rogue apps managed to get into Google Play and
they were downloaded over 700,000 times before being removed. Rogue mobile apps can
contain malware or launch phishing attacks.
Answer: True
Difficulty: Medium
29. Fraudsters carry out their crime by threatening others and by taking advantage of their fears
of job loss or disciplinary action.
Answer: False
Difficulty: Medium
30. During the fraud investigation of Bernie Madoff, computer forensics experts were tasked
with uncovering digital messages that revealed “who knew what” and “who did what.”
Answer: True
Difficulty: Medium
31. Internal fraud prevention measures are based on the same controls used to prevent external
intrusions—perimeter defense technologies, such as firewalls, e-mail scanners, and biometric
access.
35
Answer: True
Difficulty: Medium
32. SOX and the SEC regulators are making it clear that if controls can be ignored, there is no
control. Therefore, fraud prevention and detection require an effective monitoring system.
Answer: True
Difficulty: Medium
33. Approximately 25 percent of occupational fraud could have been prevented if proper IT-
based internal controls had been designed, implemented, and followed
Answer: False
Difficulty: Medium
34. Detection and damage containment are the most desirable fraud controls.
Answer: False
Difficulty: Medium
35. A biometric control is an automated method of verifying the identity of a person, based on
physical or behavioral characteristics.
Answer: True
Difficulty: Medium
36. A business impact analysis estimates the consequences of disruption of a business function
and collects data to develop recovery strategies.
Answer: True
36
Difficulty: Medium
37
Short Answer
1. The practice of people bringing and using their own mobile devices for work purposes is
called _________.
Answer: Bring your own device (BYOD)

Difficulty: Easy
2. ____________ tactics are used by hackers and corporate spies to trick people into revealing
Answer: Social engineering

Difficulty: Medium
3. A stealth network attack in which an unauthorized person gains access to a network and
remains undetected for a long time is referred to as a(n) ___________ attack.
Answer: Advanced Persistent Threat (APT)

Difficulty: Medium
4. One source of cybersecurity threats today are _____________, who hack for their own
causes and attempt to gain media attention.
Answer: Hacktivists
Difficulty: Easy
5. _________________ is a type of attack where a web site or network is bombarded with

traffic to make it crash.
Answer: Distributed denial of service (DDoS)

Difficulty: Medium
38
6. In Cybersecurity terminology, a(n) __________is defined as something or someone that may
result in harm to an asset.
Answer: threat
Difficulty: Medium
7. In Cybersecurity terminology, a(n) __________ is defined as a weakness that threatens the

confidentiality, integrity, or availability of an asset.
Answer: vulnerability
Difficulty: Medium
8. In Cybersecurity terminology, a(n) _____________ is defined as the probability of a threat

exploiting a vulnerability and the resulting cost.
Answer: Risk
Difficulty: Medium
9. In Cybersecurity terminology, a(n) ____________ is defined as the estimated cost, loss, or

damage that can result from an exploited vulnerability.
Answer: Exposure
Difficulty: Medium
10. In Cybersecurity terminology, a(n) __________ is defined as a tool or technique that takes
advantage of a vulnerability.
Answer: Exploit
Difficulty: Medium
39
11. When sending sensitive email, James uses a program that transforms data into scrambled
code to protect it from being understood by unauthorized users. James is using ___________
to protect his email communications.
Answer: Encryption
Difficulty: Easy
12. In the United States, the Sarbanes–Oxley Act (SOX), Gramm-Leach-Bliley Act (GLB),
Federal Information Security Management Act (FISMA), and USA Patriot Act all require
businesses to protect PII, which stands for _______________.
Answer: Personally identifiable information

Difficulty: Medium
13. Access to top secret or highly secure networks associated with Homeland Security or
national defense often use authentication methods based on a biological feature, such as a
fingerprint or retina to identify a person. These methods are called ____________.
Answer: biometrics
Difficulty: Medium
14. _______ are software programs that users download and install to fix a vulnerability.
Answer: Patches
Difficulty: Easy
15. ______________ are designed to monitor network traffic and identify threats that may have
breached the networks initial defenses.
Answer: Intrusion Detection Systems (IDS)

Difficulty: Medium
40
16. _____________ is the elapsed time between when vulnerability in a software app or system
is discovered and when it’s exploited.
Answer: Time-to-exploitation
Difficulty: Hard
17. Malware infected computers can be organized into networks called ________.
Answer: Botnets
Difficulty: Easy
18. _________ is a term referring to a variety of deceptive behaviors perpetrated by an

organization’s own employees or contractors.
Answer: Insider or internal fraud

Difficulty: Medium
19. When it comes to reducing employee fraud, regulators look favorably on companies that can
demonstrate good __________ and best practice operational risk management.
Answer: Corporate governance

Difficulty: Medium
20. _____________detection identifies things like excessive hours worked, unusual transactions,
copying of huge amounts of data and other unusual patterns of behavior, and uses them to
alert IT managers to the possibility of internal fraud.
Answer: Anomaly
Difficulty: Hard
41
21. The SEC and FTC impose huge fines for __________ in order to deter companies from
under-investing in data protection.
Answer: Data breaches

Difficulty: Medium
AACSB:
22. Indicators of fraud are called __________.
Answer: red flags

Difficulty: Medium
23. __________ is a process designed to achieve reliable financial reporting in order to protect
investors and comply with regulations.
Answer: Internal control

Difficulty: Medium
24. __________ controls can verify a user’s identity, which creates the problem of privacy
invasion.
Answer: Biometric
Difficulty: Medium
25. A __________ estimates the consequences of disruption of a business function and collects
data to develop recovery strategies.
Answer: business impact analysis (BIA)

Difficulty: Medium
42
Essay Questions
1. Define social engineering. Describe two ways in which social engineering could be used to
obtain credentials from a user in order to gain access to an account or network.
Answer:
Social engineering tactics are used by hackers and corporate spies to trick people into revealing
Answers to the second question will vary. For example, students could describe phishing tactics
or other methods to motivate users to click a link or download an app that is infected.
Difficulty: Medium
2. Why are internal threats a major challenge for organizations? How can internal threats be
minimized?
Answer:
Threats from employees, referred to as internal threats, are a major challenge largely due to the
many ways an employee can carry out malicious activity. Insiders may be able to bypass
physical security (e.g., locked doors) and technical security (e.g., passwords) measures that
organizations have in place to prevent unauthorized access. Why? Because defenses such as
firewalls, intrusion detection systems (IDS), and locked doors mostly protect against external
threats.
Insider incidents can be minimized with a layered defense strategy consisting of security
procedures, acceptable use policies, and technology controls.
Difficulty: Medium
3. Describe spear phishing. How does spear phishing work?
Answer:
Spear phishers often target select groups of people with something in common—they work at the
same company, bank at the same financial institution, or attend the same university. The scam e-
mails appear to be sent from organizations or people the potential victims normally receive e-
mails from, making them even more deceptive.
Here is how spear phishing works:
43
1. Spear phish creators gather information about people’s companies and jobs from social
media or steal it from computers and mobile devices. Then they use the information to
customize messages that trick users into opening an infected e-mail.
2. Then they send e-mails that look like the real thing to targeted victims, offering all sorts of
urgent and legitimate-sounding explanations as to why they need your personal data.
3. Finally, the victims are asked to click on a link inside the e-mail that takes them to a phony
but realistic-looking website, where they are asked to provide passwords, account numbers,
user IDs, access codes, PINs, and so on.
Difficulty: Hard
4. Discuss how social networks and cloud computing increase IT security risks. How do you
recommend that the risks be reduced?
Answer:
Answers will vary.

Social networks and cloud computing increase vulnerabilities by providing a single point of
failure and attack. Critical, sensitive, and private information is at risk, and like previous IT
trends, such as wireless networks, the goal is connectivity, often with little concern for security.
As social networks increase their services, the gap between services and cybersecurity also
increases. E-mail viruses and malware have been declining for years as e-mail security has
improved. This trend continues as communication shifts to social networks and newer
smartphones. Unfortunately, malware finds its way to users through security vulnerabilities in
these new services and devices. Web filtering, user education, and strict policies are necessary to
help prevent widespread outbreaks. In Twitter and Facebook, users invite in and build
relationships with others. Cybercriminals hack into these trusted relationships using stolen log-
ins. Fake antivirus and other attacks that take advantage of user trust are very difficult to detect.
Difficulty: Medium
44
5. Explain internal fraud. Describe the most effective approach to preventing it.
Answer:
Internal fraud refers to the deliberate misuse of the assets of one’s employer for personal gain.
Internal audits and internal controls are essential to the prevention and detection of occupation
frauds.
The single-most-effective fraud prevention technique is the perception of detection and
punishment. If a company shows its employees that it can find out everything that every
employee does and will prosecute to the fullest extent anyone who commits fraud, then the
feeling that “I can get away with it” drops drastically. In addition, companies may use a
combination of defenses including intelligent analysis, audit trails, and anomaly detection.
Difficulty: Hard
45

Information Technology For Management Digital Strategies For Insight Action and Sustainable Performance 10th Edition Turban Test Bank 1

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Information Technology For Management Digital Strategies For Insight Action and Sustainable Performance 10th Edition Turban Test Bank 1

Uploaded by

Copyright:

Available Formats

INFORMATION TECHNOLOGY FOR

MANAGEMENT DIGITAL STRATEGIES FOR

Full download at link:

Test bank: https://testbankpack.com/p/test-bank-for-information-

Solution Manual: https://testbankpack.com/p/solution-manual-for-

Chapter 5: CyberSecurity and Risk Management

a. Damaged brands and reputations

a. Hacking; highly motivated hackers

5. Boeing’s Black smartphone is secure because it ________.

a. Is self-destructing if tampered with.

a. advanced persistent threat

a. security incidents increased 33% despite implementation of security practices

16. Advanced persistent threat (APT) attackers want to ________.

a. create awareness for their causes

a. they want to hide the attack from the government

a. To bribe employees to get access codes and passwords.

a. Black Ops procedures

26. In Cybersecurity terminology, a threat is defined as ________.

a. A weakness that threatens the confidentiality, integrity, or availability of data.

27. In Cybersecurity terminology, a vulnerability is defined as ________:

a. A weakness that threatens the confidentiality, integrity, or availability of data.

28. In Cybersecurity terminology, a risk is defined as ________:

a. A weakness that threatens the confidentiality, integrity, or availability of data.

29. In Cybersecurity terminology, an exploit is defined as ________:

a. A weakness that threatens the confidentiality, integrity, or availability of data.

31. The three key cybersecurity principles are:

a. Data protection, equipment protection, reputation protection

39. In cybersecurity terms, the function of a password together with a username is to

a. Patches; service packs

a. Transnational organized crime groups use money laundering to fund their

a. Report security breaches via media sources to inform the public

a. failed to inform the public about network failures in a timely manner

51. The IT security defense-in-depth model starts with ________.

a. Senior management commitment and support

52. The IT security defense-in-depth model ends with ________.

a. Senior management commitment and support

53. Cybersecurity is ___________.

a. an ongoing unending process

54. Which of the following statements about malware is false?

a. Technically, malware is a computer program or code that can infect anything

55. Most APT attacks are launched through ________.

59. Most information security incidents will occur because of _________.

a. Increases in hacker skills and capabilities

a. Fraud and felonies

a. Anti-malware and firewalls

a. fraudsters will be fired

a. Holding managers responsible for the actions of their employees

68. ________ is the most cost-effective approach to fraud.

69. ___________ is a term referring to a variety of criminal behaviors perpetrated by an

a. A detailed recovery plan; containment, including a fault-tolerant system

a. Business impact analysis (BIA)

a. The source of the threat

a. Security bonds or malfeasance insurance for key employees

a. Fostering company loyalty

a. Reliability of financial reporting

81. All of the following describe The Sarbanes-Oxley Act except:

1. The consequences of lax cybersecurity include damaged reputations, financial penalties,

3. Robust data security is the responsibility of IT and data managers.

4. Countering cyber-threats demands diligence, determination, and investment.

19. Phishing is a deceptive method of stealing confidential information by pretending to be a

Answer: Bring your own device (BYOD)

Answer: Social engineering

Answer: Advanced Persistent Threat (APT)