Questions And Correct Answers (Verified Answers)
Plus Rationale 2026 Q&A
SECTION 1: CORE SECURITY CONCEPTS & CIA TRIAD
1. What does the "C" in the CIA triad stand for?
A) Confidentiality
B) Compliance
C) Control
D) Certificate
Correct Answer: A | Rationale: The CIA triad is the foundation of information
security: Confidentiality (ensuring data is accessible only to authorized users),
Integrity (ensuring data is accurate and unaltered), and Availability (ensuring data
is accessible when needed).
2. Which CIA principle is violated when an attacker modifies a bank transaction
amount?
A) Confidentiality
B) Integrity
C) Availability
D) Authentication
Correct Answer: B | Rationale: Integrity ensures that data has not been tampered
with or altered. Modifying a transaction amount violates integrity. Confidentiality
(A) is about unauthorized access; Availability (C) is about accessibility.
3. A Distributed Denial of Service (DDoS) attack primarily threatens which CIA
principle?
A) Confidentiality
B) Integrity
,C) Availability
D) Authentication
Correct Answer: C | Rationale: A DDoS attack overwhelms a system with traffic,
making it unavailable to legitimate users. This directly violates Availability.
Confidentiality and Integrity are not directly affected by DDoS.
4. Encryption is primarily used to protect which CIA principle?
A) Confidentiality
B) Integrity
C) Availability
D) Authentication
Correct Answer: A | Rationale: Encryption transforms plaintext into ciphertext,
ensuring that only authorized parties with the correct key can read the data. This
protects Confidentiality. Hashing (not encryption) is used for Integrity.
5. What is the difference between a vulnerability and a threat?
A) A vulnerability is a potential danger; a threat is a weakness
B) A vulnerability is a weakness; a threat is a potential danger
C) They are the same thing
D) A vulnerability is a patch; a threat is a virus
Correct Answer: B | Rationale: A vulnerability is a weakness in a system (e.g.,
unpatched software, misconfiguration). A threat is a potential danger that could
exploit that vulnerability (e.g., a hacker, malware).
6. What is a risk in cybersecurity?
A) A weakness in a system
B) A potential danger
C) The likelihood of a threat exploiting a vulnerability and the resulting impact
D) A security control
Correct Answer: C | Rationale: Risk is the potential for loss or damage when a
threat exploits a vulnerability. It is calculated as: Risk = Threat × Vulnerability ×
Impact. It's not just the threat or vulnerability alone.
,7. What is an exploit?
A) A weakness in a system
B) A piece of software or code that takes advantage of a vulnerability
C) A security control
D) A type of firewall
Correct Answer: B | Rationale: An exploit is a specific piece of code, method, or
technique that takes advantage of a vulnerability to gain unauthorized access,
execute code, or cause harm. The vulnerability is the weakness (A).
8. What is the difference between a threat actor and an adversary?
A) They are the same thing
B) A threat actor is an individual/group; an adversary is an attack method
C) A threat actor is an attack; an adversary is a vulnerability
D) A threat actor is a system; an adversary is a network
Correct Answer: A | Rationale: Threat actor and adversary are often used
interchangeably. Both refer to an individual, group, or entity that carries out
malicious actions against systems, networks, or organizations.
9. What is defense-in-depth?
A) A single layer of security
B) Multiple layers of security controls to protect data and systems
C) A type of encryption
D) A type of firewall
Correct Answer: B | Rationale: Defense-in-depth is a cybersecurity strategy that
uses multiple, overlapping layers of security controls (e.g., firewalls, IDS,
encryption, access controls, training) so that if one layer fails, others still provide
protection.
10. What is the principle of least privilege?
A) Granting users all permissions they request
B) Granting users the minimum permissions necessary to perform their job
functions
, C) Granting users no permissions at all
D) Granting users permission based on their seniority
Correct Answer: B | Rationale: The principle of least privilege states that users
should be given only the minimum access rights required to perform their tasks.
This reduces the attack surface and limits the damage from compromised
accounts.
11. What is zero trust security?
A) A security model that assumes everything is trusted
B) A security model that does not trust anything by default, requiring continuous
verification
C) A type of antivirus software
D) A firewall configuration
Correct Answer: B | Rationale: Zero trust is a security framework that assumes no
user, device, or network is inherently trusted. It requires continuous
authentication, authorization, and validation for every access request, regardless
of location.
12. What is the difference between authentication and authorization?
A) Authentication verifies identity; authorization determines what a user can do
B) Authorization verifies identity; authentication determines what a user can do
C) They are the same thing
D) Authentication is for users; authorization is for systems
Correct Answer: A | Rationale: Authentication is the process of verifying who a
user is (e.g., using a password, biometrics). Authorization is the process of
determining what an authenticated user is allowed to do (e.g., read, write, delete).
13. Which of the following is an example of "something you are" in multi-factor
authentication?
A) Password
B) Smart card
C) Fingerprint
D) One-time PIN (OTP)