Domain 2 – Section A Review: IT Risk Identification
If you misidentify the risk, everything that follows is wrong.
Domain 2 Section A tests whether you can:
- Separate threat, vulnerability, event, and loss
- Recognize control deficiencies
- Identify root causes
- Build complete risk scenarios
- Align risk identification to business impact
This review blends all of those.
Take your time.
10 scenario-based questions
Question 1
A. Lack of training
B. Phishing email
C. Client notification costs
D. Unauthorized access to sensitive client data
Answer & reasoning
Correct: D
A = contributing condition
B = threat action
C = risk event
D = loss result
Question 2
A. Design deficiency
B. Operating deficiency
C. Threat modeling gap
D. Asset classification error
Answer & reasoning
Correct: B
The control exists but is not functioning as intended.
Question 3
The industry experiences a surge in ransomware attacks targeting cloud platforms. The organization plans a cloud migration.
What should occur FIRST?
A. Reassess exposure considering the evolving threat landscape
B. Deploy additional endpoint protection
C. Escalate to regulators
D. Delay migration
Answer & reasoning
Correct: A
A shift in the threat landscape calls for a structured reassessment of exposure before the migration is implemented.
Question 4
A. Weak password policy
B. External attacker
C. External attacker exploits weak password policy to gain unauthorized access to financial systems, resulting in reporting delays
D. Reporting delays
Answer & reasoning
Correct: C
Includes threat, vulnerability, event, and impact.
Question 5
A. Weak scanning tools
B. Lack of accountability structure
C. Inadequate threat modeling
D. High risk appetite
Answer & reasoning
Correct: B
Recurring issues often indicate structural accountability gaps.
Question 6
A. Weak ERM
B. Excessive tolerance
C. Poor asset classification
D. Narrow threat modeling scope
Answer & reasoning
Correct: D
Threat modeling must include internal and external sources.
Question 7
A vendor outage causes payroll delays and employee dissatisfaction.
What is the loss result?
A. Vendor outage
B. Payroll system failure
C. Employee dissatisfaction
D. Lack of due diligence
Answer & reasoning
Correct: C
A = threat event
B = risk event
C = loss result
D = contributing condition
Question 8
A. Threat source
B. Business impact
C. Vulnerability
D. Control deficiency
Answer & reasoning
Correct: A
The scenario lacks a defined threat source.
Question 9
A. Design deficiency
B. Operating deficiency
C. Risk event
D. Threat source
Answer & reasoning
Correct: A
If a control does not exist, it is a design deficiency.
Question 10
A. Replace individual failed systems
B. Assess systemic root cause and infrastructure lifecycle governance
C. Increase monitoring
D. Escalate to regulators
Answer & reasoning
Correct: B
Recurring failures suggest structural lifecycle management weakness, not isolated technical defects.
Section A master pattern
When answering Domain 2 Section A questions:
- Separate threat, vulnerability, event, and loss.
- Identify recurring patterns.
- Distinguish design deficiencies (control missing) from operating deficiencies (control present but not working as intended).
- Look for root causes.
- Build complete, business-aligned scenarios.
- Reassess when the threat landscape changes.
If you fix the wrong layer, you will choose the wrong answer.