Risk chapter quiz
No grades. The point is to push your thinking. Tap an option to see if it lands.
A CVSS 9.8 vulnerability is found on a system. What should the Risk verdict be?
CVSS scores severity in the abstract. The Risk verdict is about the specific environment, the specific asset, and the specific case. A CVSS 9.8 on an isolated, unused system is a different decision than the same score on a production asset.
Impact and likelihood are...
Impact is 'if this is real, how bad is it.' Likelihood is 'how confident are we that this is real.' Separating them prevents the common error of letting impact bias the likelihood judgment.
A case closes as a false-positive. What should the analyst record?
A closed false-positive is a finding too. Documenting the reasoning takes minutes and compounds into sharper detection over time. The methodology treats every closure as a contribution to institutional knowledge.
The Risk verdict should include...
The Risk output should be a one-page verdict that a future reviewer can read and understand without re-doing the analysis. Open questions and recommended response are part of what makes the verdict actionable and defensible.
The P.A.C.E. model structures Risk assessment through which four dimensions?
P.A.C.E. = Potential impact, Actor sophistication, Context, Escalation criteria. The model guides analysts through a structured four-step assessment, providing complementary depth to the RATM matrix.
Uncover surfaces new evidence that the adversary has reached a system outside the original Scope boundary. What does the methodology require?
ASSURED is iterative by design. When new evidence changes the shape of the investigation (lateral movement, new identities, sensitive assets), the methodology loops back to Scope with refined boundaries and repeats Uncover and Risk. Each loop increases investigative fidelity until clarity is achieved or escalation criteria are met.
A SOC sees the same false-positive alert fire repeatedly across multiple developer workstations. What is the right response?
A single false-positive is a closure with feedback. A pattern of false-positives on the same asset class is a signal about the detection stack itself. The methodology asks for a refined variant or a documented suppression with an owner and a review cadence, not for individual repeat closures or wholesale rule removal.
The Risk verdict for the Cursor IDE case (false-positive) reads 'low residual risk, no escalation required.' What value does the documented closure provide?
A documented false-positive closure is not a non-event. It is the artifact that defends the case if the same alert fires again, surfaces detection-engineering feedback, raises program-level questions (here, about coverage gaps in macOS PCAP and USB monitoring), and provides full context if the case needs to re-open. Clarity, not escalation, is the primary outcome of effective triage.