Domain 2 – Section A Review: IT Risk Identification

CRISC Domain 2 — IT Risk Assessment | Section A Review | 20–25 min
If you misidentify the risk, everything that follows is wrong.

Domain 2 Section A tests whether you can:

  • Separate threat, vulnerability, event, and loss
  • Recognize control deficiencies
  • Identify root causes
  • Build complete risk scenarios
  • Align risk identification to business impact

This review blends all of those.

Take your time.


10 scenario-based questions


Question 1

An employee clicks a phishing email due to lack of security awareness training, resulting in unauthorized access to sensitive client data.

What is the risk event?

A. Lack of training
B. Phishing email
C. Unauthorized access to sensitive client data
D. Client notification costs

Answer & reasoning

Correct: C

A = contributing condition
B = threat action
C = risk event
D = loss result


Question 2

An organization experiences repeated access violations. Investigation reveals that an access review process exists but is rarely performed.

What type of control issue exists?

A. Design deficiency
B. Operating deficiency
C. Threat modeling gap
D. Asset classification error

Answer & reasoning

Correct: B

The control exists but is not functioning as intended.


Question 3

The industry experiences a surge in ransomware attacks targeting cloud platforms. The organization plans a cloud migration.

What should occur FIRST?

A. Deploy additional endpoint protection
B. Reassess exposure considering the evolving threat landscape
C. Escalate to regulators
D. Delay migration

Answer & reasoning

Correct: B

Threat landscape shift → structured reassessment before implementation.


Question 4

Which of the following is the BEST risk scenario?

A. Weak password policy
B. External attacker
C. External attacker exploits weak password policy to gain unauthorized access to financial systems, resulting in reporting delays
D. Reporting delays

Answer & reasoning

Correct: C

Includes threat, vulnerability, event, and impact.


Question 5

Critical vulnerabilities are identified regularly, but remediation is inconsistent due to unclear ownership.

What is the MOST significant root cause?

A. Weak scanning tools
B. Inadequate threat modeling
C. Lack of accountability structure
D. High risk appetite

Answer & reasoning

Correct: C

Recurring issues often indicate structural accountability gaps.


Question 6

An organization focuses exclusively on external attackers while ignoring privileged insider access.

What risk identification weakness exists?

A. Weak ERM
B. Narrow threat modeling scope
C. Excessive tolerance
D. Poor asset classification

Answer & reasoning

Correct: B

Threat modeling must include internal and external sources.


Question 7

A vendor outage causes payroll delays and employee dissatisfaction.

What is the loss result?

A. Vendor outage
B. Payroll system failure
C. Employee dissatisfaction
D. Lack of due diligence

Answer & reasoning

Correct: C

A = threat event
B = risk event
C = loss result
D = contributing condition


Question 8

A risk scenario reads: “Unpatched servers may result in data breach.”

What is missing?

A. Threat source
B. Business impact
C. Vulnerability
D. Control deficiency

Answer & reasoning

Correct: A

The scenario lacks a defined threat source.


Question 9

A control designed to prevent unauthorized access does not exist.

This represents:

A. Operating deficiency
B. Design deficiency
C. Risk event
D. Threat source

Answer & reasoning

Correct: B

If a control does not exist, it is a design deficiency.


Question 10

Multiple minor system failures occur over time, revealing an outdated infrastructure environment that has not been refreshed due to budget constraints.

What should be evaluated FIRST?

A. Replace individual failed systems
B. Increase monitoring
C. Assess systemic root cause and infrastructure lifecycle governance
D. Escalate to regulators

Answer & reasoning

Correct: C

Recurring failures suggest structural lifecycle management weakness, not isolated technical defects.


Section A master pattern

When answering Domain 2 Section A questions:

  • Separate threat, vulnerability, event, and loss.
  • Identify recurring patterns.
  • Distinguish design vs operation.
  • Look for root causes.
  • Build complete, business-aligned scenarios.
  • Reassess when the threat landscape changes.

If you fix the wrong layer, you will choose the wrong answer.

Next module: Module 17 – Risk Assessment Concepts, Standards & Frameworks