You are implementing a mantrap to control access to a highly regulated lab researching the COVID-19 vaccine, in order to prevent piggybacking and tailgating. It uses two-pass authentication: an ID card for the external door and facial recognition for the other. Which of the following is the top-priority concern and should be addressed first? (Source: Wentz QOTD)
A. Refer to the product manual for the mean time to failure (MTTF)
B. Refer to the product manual for the default failure mode configuration
C. Refer to the product manual for low false rejection rate (FRR) configuration
D. Refer to the product manual for low false acceptance rate (FAR) configuration

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is B. Refer to the product manual for the default failure mode configuration.

Because a low false rejection rate (FRR) configuration leads to a high false acceptance rate (FAR), it is not feasible for a highly regulated lab. The mean time to failure (MTTF) of the mantrap is a concern, but it is not the priority compared with the default failure mode configuration and the false acceptance rate (FAR) in terms of urgency, importance, and risk.

Failure Mode

  • A failure mode identifies a specific failure scenario and elaborates on its cause and effects.
  • Failure modes and effects analysis (FMEA) is a technique for analyzing failure and can be treated as a risk assessment approach.

Fail-open and Fail-close

After potential failure modes are identified, how should a system behave when a failure occurs? The default failure mode configuration can be fail-open (fail-safe) or fail-close (fail-secure).

  • The mantrap can be configured fail-open so that people can evacuate from the building in case of an emergency.
  • The mantrap can be configured fail-close so that assets are protected or secured because the door is kept closed or locked.

Failure Mode as Management Decision

  • A management decision can be made in terms of the safety of people (fail-safe) or the security of assets (fail-secure) so that the mantrap can be configured as fail-open or fail-close.
  • Some may argue the safety of people and human life is the most valuable, so the mantrap should be configured fail-open or fail-safe.
  • Others may think from the perspective of the safety and lives of the public and insist the mantrap should be fail-close or fail-secure to prevent the virus from spreading.
  • No matter which decision is made, it is a significant concern that should be addressed before tuning the acceptable error rate.

FAR as Technical Practice

  • In contrast, adjustment of the false acceptance rate (FAR) is not mandatory as the default system configuration may meet the security requirements.
  • Moreover, the default failure mode configuration, as a management decision, should be considered at the planning phase, while the adjustment is a technical practice after implementation.
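
The FRR/FAR trade-off behind options C and D, as an added example that is not part of the original post: it sweeps the acceptance threshold of a hypothetical face matcher over constructed similarity scores and reports both error rates. The score lists, the 0-100 scale, and the function names are assumptions made for illustration.

```python
# Constructed similarity scores (0-100) from a hypothetical face matcher.
GENUINE = [91, 88, 84, 79, 95, 73, 86, 90, 68, 82]    # authorized staff
IMPOSTOR = [35, 52, 61, 44, 70, 58, 29, 75, 49, 66]   # anyone else

def rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (FAR, FRR) when a score >= threshold opens the inner door."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr

def loosest_threshold_for_far(max_far, candidates=range(0, 101)):
    """Lowest threshold whose FAR stays within max_far (keeps FRR minimal)."""
    ok = [t for t in candidates if rates(t)[0] <= max_far]
    return min(ok) if ok else None

def strictest_threshold_for_frr(max_frr, candidates=range(0, 101)):
    """Highest threshold whose FRR stays within max_frr (keeps FAR minimal)."""
    ok = [t for t in candidates if rates(t)[1] <= max_frr]
    return max(ok) if ok else None

if __name__ == "__main__":
    print("threshold   FAR   FRR")
    for t in (60, 68, 70, 76, 80):
        far, frr = rates(t)
        print(f"{t:9d}  {far:4.0%}  {frr:4.0%}")
    t_c = strictest_threshold_for_frr(0.0)   # option C: tune for low FRR
    t_d = loosest_threshold_for_far(0.0)     # option D: tune for low FAR
    print(f"FRR=0 at threshold {t_c}: FAR={rates(t_c)[0]:.0%}")
    print(f"FAR=0 at threshold {t_d}: FRR={rates(t_d)[1]:.0%}")
```

On this constructed data, the zero-FRR setting admits 20% of impostor attempts, while the zero-FAR setting turns away 20% of genuine ones.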

Failure modes and effects analysis (FMEA)


Failure mode

  • manner by which a failure is observed
  • Note 1 to entry: It generally describes the way the failure occurs and its impact on the operation of the system.
  • ISO/IEC 27031:2011 Information technology — Security techniques — Guidelines for information and communication technology readiness for business continuity

Failure modes and effects analysis (FMEA)

  • structured procedure to determine equipment functions and functional failures, with each failure being assessed as to the cause of the failure and the effects of the failure on the system
  • Note 1 to entry: The technique may be applied to a new system based on analysis or an existing system based on historical data.
  • ISO 13372:2012, Condition monitoring and diagnostics of machines — Vocabulary


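You are implementing a mantrap to control access to a lab researching the COVID-19 vaccine, in order to prevent piggybacking and tailgating. It uses two-pass authentication: an ID card opens the outer door, and facial recognition opens the other door. Which of the following is the most important concern and must be handled first?
A. Refer to the product manual for the mean time to failure (MTTF)
B. Refer to the product manual for the default failure mode configuration
C. Refer to the product manual for the low false rejection rate (FRR) configuration
D. Refer to the product manual for the low false acceptance rate (FAR) configuration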


