Domain 2 – Section A Review: Risk Identification
If you misidentify the risk, everything that follows is wrong.
Domain 2 Section A tests whether you can:
- Separate threat, vulnerability, event, and loss
- Recognize control deficiencies
- Identify root causes
- Build complete risk scenarios
- Align risk identification to business impact
This review blends all of those.
Take your time.
10 scenario-based questions
Question 1
A customer support team receives a phishing email after missing required security training. The attacker uses the phishing email to gain unauthorized access to sensitive client data, resulting in client notification costs.
Which item is the risk event?
A. Lack of training
B. Phishing email
C. Client notification costs
D. Unauthorized access to sensitive client data
Answer & reasoning
Correct: D
A = contributing condition
B = threat action
C = loss result
D = risk event
Question 2
A. Design deficiency
B. Operating deficiency
C. Threat modeling gap
D. Asset classification error
Answer & reasoning
Correct: B
The control exists but is not functioning as intended.
Question 3
The industry experiences a surge in ransomware attacks targeting cloud platforms. The organization plans a cloud migration.
What should occur FIRST?
A. Reassess exposure considering the evolving threat landscape
B. Deploy additional endpoint protection
C. Escalate to regulators
D. Delay migration
Answer & reasoning
Correct: A
Threat landscape shift → structured reassessment before implementation.
Question 4
A. Weak password policy
B. External attacker
C. External attacker exploits weak password policy to gain unauthorized access to financial systems, resulting in reporting delays
D. Reporting delays
Answer & reasoning
Correct: C
Includes threat, vulnerability, event, and impact.
Question 5
A. Weak scanning tools
B. Lack of accountability structure
C. Inadequate threat modeling
D. High risk appetite
Answer & reasoning
Correct: B
Recurring issues often indicate structural accountability gaps.
Question 6
A. Weak ERM
B. Excessive tolerance
C. Poor asset classification
D. Narrow threat modeling scope
Answer & reasoning
Correct: D
Threat modeling must include internal and external sources.
Question 7
A vendor outage causes payroll delays and employee dissatisfaction.
What is the loss result?
A. Vendor outage
B. Payroll system failure
C. Employee dissatisfaction
D. Lack of due diligence
Answer & reasoning
Correct: C
A = threat event
B = risk event
C = loss result
D = contributing condition
Question 8
A. Threat source
B. Business impact
C. Vulnerability
D. Control deficiency
Answer & reasoning
Correct: A
The scenario lacks a defined threat source.
Question 9
A. Design deficiency
B. Operating deficiency
C. Risk event
D. Threat source
Answer & reasoning
Correct: A
If a control does not exist, it is a design deficiency.
Question 10
A. Replace individual failed systems
B. Assess systemic root cause and infrastructure lifecycle governance
C. Increase monitoring
D. Escalate to regulators
Answer & reasoning
Correct: B
Recurring failures suggest structural lifecycle management weakness, not isolated technical defects.
Section A master pattern
When answering Domain 2 Section A questions:
- Separate threat, vulnerability, event, and loss.
- Identify recurring patterns.
- Distinguish design vs operation.
- Look for root causes.
- Build complete, business-aligned scenarios.
- Reassess when the threat landscape changes.
If you fix the wrong layer, you will choose the wrong answer.