Effective CISSP Questions

You work for a publicly traded company. Which of the following has the highest risk exposure?
A. The CISO reports to the COO instead of the CEO.
B. The company website gets defaced through SQL injection.
C. The official financial reports for shareholders are disclosed.
D. One of the RAID disks for the core database malfunctions.

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is B. The company website gets defaced through SQL injection.

ISO 31000

This question’s core concept is how you analyze risk, qualitatively or quantitatively, to determine the risk exposure, whether it is expressed as a monetary value, a score, a scale, an opinion, you name it. I suggest B as the answer based on the “risk criteria” I used to evaluate the risk exposure. There is no absolutely correct answer: if you can justify your response with the concepts of risk analysis and risk exposure, a well-justified response is a good answer.

What is Risk?

Risk Exposure is the “potential loss presented to an individual, project, or organization by a risk.” (ISO 16085:2006) “Potential” refers to the uncertainty of the risk, while “loss” refers to its effect.

Risk Analysis (Image Credit: Steven Imke)

Disclosure of Financial Reports

Publicly traded companies are required to disclose their official financial reports to shareholders to comply with legal and regulatory requirements. As a result, option C is not identified as a risk. The following are Amazon’s actual reports:

Security Function

Option A implies an organizational restructuring that repositions the security function. It can be an organization-level risk, but it has a low likelihood of occurrence, and having the CISO report to the COO may, generally speaking, even bring a positive effect.

Significant decisions about the security function include, for example, the position and reporting line of the CISO and the CISO’s role and responsibilities. The best arrangement is to have the CISO report directly to the CEO. The following are alternative arrangements:

  • COO: It’s a good choice as well because the COO understands the business and operations best. Under his or her supervision, the CISO can do a good job of integrating security into business processes.
  • CIO: The CISO has a good command of information technologies but, reporting to the CIO, is subject to a conflict of interest.
  • Audit committee: It’s not a good option because the audit function shall remain independent.

RAID Incident

If one of the RAID disks for the core database malfunctions, the system can still operate, with lower performance. From my point of view, it’s an IT incident that affects the service level, with moderate likelihood and low impact. On a scale of Very High, High, Moderate, Low, Very Low, it can be rated as low risk.

Website Defacement

If the company website gets defaced, it can result in reputational damage, a data or privacy breach, credential compromise, internal lateral movement, and so on. It has a moderate likelihood and high impact.
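To make the qualitative and quantitative views of risk exposure concrete, here is a worked example added to this post (it is not the author’s code): it scores options A, B and D on a likelihood × impact matrix and as an annualized loss expectancy (ALE = SLE × ARO), then ranks them. The likelihood and impact ratings for B and D are the ones stated above; option A’s impact rating, the matrix cell values and every SLE/ARO figure are constructed assumptions for illustration, and option C is left out because mandatory disclosure is not a risk.

```python
"""Worked risk-exposure ranking for the quiz options (example added to this post).

Two views of the same question: a qualitative likelihood x impact matrix and a
quantitative annualized loss expectancy (ALE = SLE x ARO). The level ratings for
options B and D follow the post; the impact of option A, the matrix cells and
every monetary figure are constructed assumptions for illustration.
"""

LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]

# 5x5 matrix: RISK_MATRIX[likelihood][index of impact] -> risk level.
# Cell values are this example's own assumption, laid out like the
# likelihood/impact table in NIST SP 800-30 R1 Appendix I; consult the
# standard itself for its authoritative values.
RISK_MATRIX = {
    "Very Low":  ["Very Low", "Very Low", "Very Low", "Low",      "Low"],
    "Low":       ["Very Low", "Low",      "Low",      "Low",      "Moderate"],
    "Moderate":  ["Very Low", "Low",      "Moderate", "Moderate", "High"],
    "High":      ["Very Low", "Low",      "Moderate", "High",     "Very High"],
    "Very High": ["Very Low", "Low",      "Moderate", "High",     "Very High"],
}


def risk_level(likelihood, impact):
    """Qualitative risk level from two Very Low..Very High ratings."""
    for name in (likelihood, impact):
        if name not in LEVELS:
            raise ValueError(f"unknown rating {name!r}; expected one of {LEVELS}")
    return RISK_MATRIX[likelihood][LEVELS.index(impact)]


def annualized_loss_expectancy(sle, aro):
    """Quantitative exposure: single loss expectancy x annual rate of occurrence."""
    if sle < 0 or aro < 0:
        raise ValueError("SLE and ARO must be non-negative")
    return sle * aro


# Option C is excluded: mandatory disclosure of financial reports is not a risk.
# Likelihood/impact for B and D are the post's ratings; A's impact and all
# SLE/ARO figures are constructed for this example.
QUIZ_OPTIONS = {
    "A": {"desc": "CISO reports to COO", "likelihood": "Low", "impact": "Very Low",
          "sle": 0, "aro": 0.1},
    "B": {"desc": "website defaced via SQL injection", "likelihood": "Moderate",
          "impact": "High", "sle": 250_000, "aro": 0.2},
    "D": {"desc": "one RAID disk fails", "likelihood": "Moderate", "impact": "Low",
          "sle": 2_000, "aro": 0.5},
}


def assess(options):
    """Return {option: (qualitative level, ALE)} for each option."""
    return {
        key: (risk_level(o["likelihood"], o["impact"]),
              annualized_loss_expectancy(o["sle"], o["aro"]))
        for key, o in options.items()
    }


def rank_options(options):
    """Option keys ordered from highest to lowest qualitative risk; ALE breaks ties."""
    result = assess(options)
    return sorted(result,
                  key=lambda k: (LEVELS.index(result[k][0]), result[k][1]),
                  reverse=True)


if __name__ == "__main__":
    scores = assess(QUIZ_OPTIONS)
    for key in rank_options(QUIZ_OPTIONS):
        level, ale = scores[key]
        print(f"{key}: {QUIZ_OPTIONS[key]['desc']:<35} {level:<9} ALE={ale:,.0f}")
```

Both views agree on the ordering B, D, A. The matrix is what makes a scale-based rating reproducible: once the organization fixes its risk criteria (the cell values), two assessors who agree on likelihood and impact must arrive at the same level, which is the consistency the question is really testing.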

NIST Generic Risk Model (NIST SP 800-30 R1)

My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

You work for a publicly listed company. Which of the following has the highest risk exposure?
A. The Chief Information Security Officer (CISO) reports to the Chief Operating Officer (COO) rather than the Chief Executive Officer (CEO).
B. The company website is compromised through SQL injection.
C. The official financial reports for shareholders are disclosed.
D. One of the RAID disks of the core database fails.
