# Quiz

## Question 1

What is risk?

<details>

<summary>Solution</summary>

The occurrence of an event is uncertain, with the possibility of bringing positive and/or negative impacts

</details>

## Question 2

In lecture video 1.2, Prof. Dias mentioned that an internal man-made threat is more serious than an external man-made threat. Why is that so?

<details>

<summary>Solution</summary>

An internal man-made threat is relatively more difficult to prevent, because a staff member who intends to steal digital assets has already been granted the corresponding access rights to those assets according to his/her role

</details>

## Question 3

When determining the risk level of an event, which two elements of that event should be assessed?

<details>

<summary>Solution</summary>

“Impact” and “Probability”

</details>

## Question 4

When making decisions to mitigate a risk, which of the following statements is NOT correct?

<details>

<summary>Solution</summary>

Risk can ultimately be eliminated by putting in the maximum level of controls

</details>

## Question 5

After the remaining risk has been transferred to a third party following the completion of the risk mitigation exercise, which of the following statements is correct?

<details>

<summary>Solution</summary>

The same risk level remains; however, the impact posed by the relevant event will be compensated by the third party

</details>

## Question 6

When is the best time to conduct risk re-evaluation against an activity?

<details>

<summary>Solution</summary>

When any of these conditions happens, risk re-evaluation should be conducted

</details>

## Question 7

Which of the following is a detective control to address unauthorized network access?

<details>

<summary>Solution</summary>

Regularly reviewing the system access log

</details>

## Question 8

Preventive controls could prevent a risk from being realized. Should we only implement preventive controls?

<details>

<summary>Solution</summary>

No – none of the preventive, detective and corrective controls can mitigate risk effectively on its own, and not every risk can be prevented or detected, so implementing a combination of these types of controls would provide the best protection to the organisation

</details>

## Question 9

What is the control category of “data backup and restoration”?

<details>

<summary>Solution</summary>

Both preventive and corrective

</details>

## Question 10

Your company is looking into the feasibility of building the data center near the coast and your supervisor would like you to conduct a risk assessment exercise. How would you get started?

<details>

<summary>Solution</summary>

Use the risk matrix to calculate the impact and probability of the risk

</details>
