What is the purpose of a Digital Signature? - To verify the sender's identity and ensure message integrity and non-repudiation. It uses hashing plus asymmetric encryption.

Which risk concept is defined as the probability that a threat will exploit a vulnerability? - Likelihood. Combined with impact to determine overall risk level.

What is Residual Risk? - The remaining risk after controls are implemented. Organizations must decide if it's acceptable or needs further mitigation.

Which security policy defines how users and administrators should handle information assets? - Acceptable Use Policy (AUP). It outlines proper and improper behaviors for system and data usage, reducing insider misuse.

What is the main purpose of a Security Policy Framework? - To provide top-down guidance through policies, standards, procedures, and guidelines that align security with organizational goals.

Which document provides mandatory, specific security steps to meet a policy's goals? - Standards. They translate broad policy intent into concrete, measurable requirements.

Which document provides step-by-step instructions for carrying out a task? - Procedures. They ensure consistency and compliance with standards.

Which document offers recommended best practices but is not mandatory? - Guidelines. They add flexibility and professional judgment to rigid standards.

What is Separation of Duties? - A principle ensuring no single person can complete a critical process alone. It prevents fraud and error by dividing responsibilities.

What is Least Privilege? - Granting users only the minimum permissions necessary to perform their duties, reducing the attack surface and accidental misuse.

What is Need-to-Know? - Limiting access to information strictly to those who require it for specific tasks, supporting confidentiality.

Which security concept enforces accountability for user actions? - Auditing and Logging. They create records for investigations and compliance verification.

What is a Threat? - Any potential cause of an unwanted incident that may harm a system or organization. Examples include hackers, insiders, or natural disasters.

What is a Vulnerability? - A weakness or flaw in design, implementation, or control that can be exploited by a threat. Patching and hardening reduce vulnerabilities.

What is Risk? - Taking steps to reduce the probability or impact of a risk through controls, training, or technology.

What is Risk Transfer? - Shifting the financial impact of risk to a third party, such as by purchasing cyber-insurance or outsourcing services.

What is Risk Mitigation? - The likelihood that a threat will exploit a vulnerability combined with the impact of that event. Risk = Threat × Vulnerability × Impact.

What is Risk Acceptance? - A conscious decision to tolerate a risk when its cost of mitigation outweighs the potential damage. Documented in management sign-off.

What is Risk Avoidance? - Eliminating a risk by discontinuing the activity that causes it (e.g., disabling a vulnerable feature).

Which type of attack floods a system with traffic to disrupt service? - Denial-of-Service (DoS) Attack. It exhausts resources, making systems unavailable to legitimate users.

What is a Distributed Denial-of-Service (DDoS) attack? - A coordinated attack from multiple compromised systems (botnets) overwhelming a target with massive traffic.

What is Social Engineering? - Manipulating people into revealing confidential information or performing actions that compromise security. Common forms include phishing and pretexting.

What is Phishing? - A social-engineering attack that uses deceptive emails or websites to trick users into divulging credentials or personal data.

What is Spear Phishing? - A targeted phishing attack aimed at a specific individual or organization. It often uses personal information to appear legitimate and bypass suspicion.

What is Whaling? - A phishing attack that targets high-level executives or decision makers ("big fish") to gain privileged access or financial control.