Professional Documents
Culture Documents
Course Title: IS 5e
Chapter Number: 4
1) Having one backup of your business data is sufficient for security purposes.
Answer: False
2) The security of each computer on the Internet is independent of the security of all other computers on the Internet.
Answer: False
Answer: True
4. Human errors cause more than half of the security-related problems in many organizations.
Answer: True
5) The higher the level of an employee in organization, the greater the threat that he or she poses to the organization.
Answer: True
Title: Assessment Question 4.05
Learning Objective 1: LO 4.2 Compare and contrast human mistakes and social engineering, providing an example for
each.
Section Reference 1: Unintentional Threats to Information Systems
Difficulty: Easy
Answer: False
Answer: True
8) Trojan horses are software programs that hide in other computer programs and reveal their designed behavior only
when they are activated.
Answer: True
Answer: False
10) In most cases, cookies track your path through Web sites and are therefore invasions of your privacy.
Answer: True
Answer: True
12) Supervisory control and data acquisition (SCADA) systems require human data input.
Answer: False
Answer: False
Answer: True
15) Risk analysis involves determining whether security programs are working.
Answer: False
17) Organizations utilize layers of controls because they face so many diverse threats to information security.
Answer: True
18) Public-key encryption uses two different keys, one public and one private.
Answer: True
Answer: True
Answer: True
21) The area located between two firewalls within an organization is called the demilitarized zone.
Answer: True
Answer: False
23) A URL that begins with https rather than http indicates that the site transmits using an extra layer of security called
transport layer security.
Answer: True
24) Which of the following factors is not increasing the threats to information security?
Answer: d
a) More information systems and computer science departments are teaching courses on hacking so that their graduates
can recognize attacks on information assets.
b) Computer attack programs, called scripts, are available for download from the Internet.
c) International organized crime is training hackers.
d) Cybercrime is much more lucrative than regular white-collar crime.
e) Almost anyone can buy or access a computer today.
Answer: b
26) Rank the following in terms of dollar value of the crime, from highest to lowest.
Answer: c
a) vulnerability
b) risk
c) control
d) threat
e) compromise
Answer: d
28) An information system’s _____ is the possibility that the system will be harmed by a threat.
a) vulnerability
b) risk
c) control
d) danger
e) compromise
Answer: a
Answer: d
30) Employees in which functional areas of the organization pose particularly grave threats to information security?
Answer: b
31) Unintentional threats to information systems include all of the following except:
a) malicious software
b) tailgating
c) power outage
d) lack of user experience
e) tornados
Answer: a
Title: Assessment Question 4.31
Learning Objective 1: LO 4.2 Compare and contrast human mistakes and social engineering, providing an example for
each.
Section Reference 1: Unintentional Threats to Information Systems
Difficulty: Medium
32) _____ involves building an inappropriate trust relationship with employees for the purpose of gaining sensitive
information or unauthorized access privileges.
a) Tailgating
b) Hacking
c) Spoofing
d) Social engineering
e) Spamming
Answer: d
33) The cost of a stolen laptop includes all of the following except:
Answer: c
Answer: c
Answer: e
36) A _____ is intellectual work that is known only to a company and is not based on public information.
a) copyright
b) patent
c) trade secret
d) knowledge base
e) private property
Answer: c
37) A pharmaceutical company’s research and development plan for a new class of drugs would be best described as
which of the following?
a) Copyrighted material
b) Patented material
c) A trade secret
d) A knowledge base
e) Public property
Answer: c
38) A _____ is a document that grants the holder exclusive rights on an invention for 20 years.
a) copyright
b) patent
c) trade secret
d) knowledge base
e) private property notice
Answer: b
39) An organization’s e-mail policy has the least impact on which of the following software attacks?
a) virus
b) worm
c) phishing
e) zero-day
e) spear phishing
Answer: d
40) _____ are segments of computer code that attach to existing computer programs and perform malicious acts.
a) Viruses
b) Worms
c) Trojan horses
d) Back doors
e) Logic bombs
Answer: a
41) _____ are software programs that hide in other computer programs and reveal their designed behavior only when they
are activated.
a) Viruses
b) Worms
c) Trojan horses
d) Back doors
e) Logic bombs
Answer: e
42) _____ are segments of computer code embedded within an organization’s existing computer programs that activate
and perform a destructive action at a certain time or date.
a) Viruses
b) Worms
c) Trojan horses
d) Back doors
e) Logic bombs
Answer: e
43) A _____ attack uses deception to fraudulently acquire sensitive personal information by masquerading as an official e-
mail.
a) Zero-day
b) Denial-of-service
c) Distributed denial-of-service
d) Phishing
e) Brute force dictionary
Answer: d
44) In a _____ attack, a coordinated stream of requests is launched against a target system from many compromised
computers at the same time.
a) phishing
b) zero-day
c) worm
d) back door
e) distributed denial-of-service
Answer: e
a) Alien software
b) Virus
c) Worm
d) Back door
e) Logic bomb
Answer: a
46) Which of the following is(are) designed to use your computer as a launch pad for sending unsolicited e-mail to other
computers?
a) Spyware
b) Spamware
c) Adware
d) Viruses
e) Worms
Answer: b
47) When companies attempt to counter _____ by requiring users to accurately select characters in turn from a series of
boxes, attackers respond by using _____.
Answer: a
48) _____ is the process in which an organization assesses the value of each asset being protected, estimates the
probability that it will be compromised, and compares the probable costs of an attack with the costs of protecting the
asset.
a) Risk management
b) Risk analysis
c) Risk mitigation
d) Risk acceptance
e) Risk transference
Answer: b
a) Credit card companies usually block stolen credit cards rather than prosecute.
b) People tend to shortcut security procedures because the procedures are inconvenient.
c) It is easy to assess the value of a hypothetical attack.
d) The online commerce industry isn’t willing to install safeguards on credit card transactions.
e) The cost of preventing computer crimes can be very high.
Answer: c
a) risk management
b) risk analysis
c) risk mitigation
d) risk acceptance
e) risk transference
Answer: c
Difficulty: Easy
51) Which of the following is not a strategy for mitigating the risk of threats against information?
a) Continue operating with no controls and absorb any damages that occur
b) Transfer the risk by purchasing insurance.
c) Implement controls that minimize the impact of the threat
d) Install controls that block the risk.
e) All of the above are strategies for mitigating risk.
Answer: e
52) In _____, the organization purchases insurance as a means to compensate for any loss.
a) risk management
b) risk analysis
c) risk mitigation
d) risk acceptance
e) risk transference
Answer: e
53) Which of the following statements concerning the difficulties in protecting information resources is not correct?
Answer: c
54) _____ controls are concerned with user identification, and they restrict unauthorized individuals from using
information resources.
a) Access
b) Physical
c) Data security
d) Administrative
e) Input
Answer: a
Answer: b
Answer: a
Answer: e
Answer: e
Answer: e
a) IloveIT
b) 08141990
c) 9AmGt/*
d) Rainer
e) InformationSecurity
Answer: c
61) Bob is using public key encryption to send a message to Ted. Bob encrypts the message with Ted’s _____ key, and
Ted decrypts the message using his _____ key.
a) public, public
b) public, private
c) private, private
d) private, public
e) none of these
Answer: b
Answer: d
63) In a process called _____, a company allows nothing to run unless it is approved, whereas in a process called _____,
the company allows everything to run unless it is not approved.
a) whitelisting, blacklisting
b) whitelisting, encryption
c) encryption, whitelisting
d) encryption, blacklisting
e) blacklisting, whitelisting
Answer: a
64) Organizations use hot sites, warm sites, and cold sites to insure business continuity. Which of the following statements
is not true?
Answer: c
65) Compare trade secrets, patents, and copyrights as forms of intellectual property.
Answer:
66) Contrast unintentional and deliberate threats to an information resource. Provide examples of both.
Answer:
67) Contrast the following types of remote attacks: virus, worm, phishing, and spear phishing.
Answer:
68) Contrast the following types of attacks created by programmers: Trojan horse, back door, and logic bomb
Answer:
Answer:
Answer:
Answer:
72) Compare a hot site, a warm site, and a cold site as strategies for business continuity.
Answer:
Answer:
Answer:
75) Define identity theft, and explain the types of problems that it creates for the victims.
Answer:
76) Discuss the possible consequences of a terrorist attack on a supervisory control and data acquisition (SCADA) system.
Answer:
77) Define the principle of least privilege, and consider how an organization’s senior executives might view the
application of this principle.
Answer:
Answer:
Answer:
80) You start a dog-walking service, and you store your client’s records on your cell phone. You don’t need to worry
about information security.
Answer: False
81) Your company’s headquarters was just hit head on by a hurricane, and the building has lost power. The company
sends you to their hot site to minimize downtime from the disaster. Which of the following statements is true?
Answer: d
82) You receive an e-mail from your bank informing you that they are updating their records and need your password.
Which of the following statements is true?
83) You start a new job, and the first thing your new company wants you to do is create a user ID and a password. Which
of the following would be a strong password?
Answer: e
84) You start a new job, and human resources gives you a ten-page document that outlines the employee responsibilities
for information security. Which of the following statements is most likely to be true?
a) The document recommends that login passwords be left on a piece of paper in the center desk drawer so that others can
use the laptop if necessary.
b) You are expected to read the document, and you could be reprimanded if you don’t follow its guidelines.
c) You can back up sensitive data to a thumb drive so you can take them home to work with.
d) The document indicates that you can leave your laptop unlocked if you leave your desk for less than an hour.
e) The document permits you to lend your laptop to your brother for the weekend.
Answer: b
85) Tim ventured out into the world of retail by renting a cart at a local mall. His product is personalized coffee mugs. He
uses his laptop to track sales and to process credit card sales. He has a customer mailing list that is updated by customers
on the laptop as well. At the end of each day, Tim backs up all of his data to a thumb drive and puts the drive into the
laptop case with the laptop. Discuss Tim’s information security strategy.
Answer:
Title: Assessment Question 4.85
Learning Objective 1: LO 4.5 Identify the three major types of controls that organizations can use to protect their
information resources, providing an example for each.
Section Reference 1: Information Security Controls
Difficulty: Medium