Pass the IIBA Cybersecurity Analysis IIBA-CCA Questions and answers with CertsForce

Cloud service models are commonly described as stacked layers of responsibility.Software as a Servicedelivers a complete application to the customer, while the provider manages the underlying platform and infrastructure.Platform as a Servicesits one level below SaaS: it provides the managed platform needed to build, deploy, and run applications without the customer having to manage the underlying servers and most core system software.

A defining feature of PaaS is that the provider supplies and manages key platform components such as theoperating system, runtime environment, middleware, web/application servers, and often supporting services like managed databases, messaging, scaling, and patching of the platform layer. The customer typically remains responsible for their application code, configuration, identities and access in the application, data classification and protection choices, and secure development practices. This shared responsibility model is central in cybersecurity guidance because it determines which security controls the provider enforces by default and which controls the customer must implement.

Given the answer options,Operating Systemis the best match because it is a core part of the platform layer that PaaS customers generally do not manage directly. Load balancers and storage can be consumed in multiple models, including IaaS and PaaS, and subscriptions describe a billing approach, not the technical service layer. Therefore, option D correctly reflects what PaaS provides compared to SaaS.

Bottom of Form

Opportunity cost is a core enterprise-risk and economics concept: when an organization allocates limited resources to one activity, it reduces what is available for other priorities. Increasing cybersecurity typically requiresmoney, skilled personnel time, executive attention, tooling, and operational capacity. Those resources could otherwise be used for revenue-generating work such as new product features, customer experience improvements, system modernization, market expansion, or process automation. That tradeoff is exactly what option D describes, making it the correct answer.

Cybersecurity documents stress that risk treatment decisions must balancerisk reductionagainstcost, feasibility, and business impact. While stronger security can reduce the likelihood and impact of incidents, it can also introduce friction (extra approval steps, stronger authentication, segmentation), slow delivery when changes require additional reviews, and demand ongoing operational effort (monitoring, patching, vulnerability remediation, access recertification, incident response testing). These impacts are not arguments against security; they are the reason governance processes prioritize controls based on the most critical assets, highest-risk threats, and compliance requirements.

Option A may be true in some cases, but it describes a direct cost, not the broader economic concept of opportunity cost. Option B is a trend statement and not the definition. Option C is incorrect because security spend is not always less than breach risk; organizations must evaluate cost-benefit and acceptable residual risk rather than assume a universal rule.

NIST SP 800-30 describes risk using a classic risk model:risk is a function of likelihood and impact. In this model, a threat-source may exploit a vulnerability, producing a threat event that results in adverse consequences. Thelikelihoodcomponent reflects how probable it is that a threat event will occur and successfully cause harm, considering factors such as threat capability and intent (or in non-adversarial cases, the frequency of hazards), the existence and severity of vulnerabilities, exposure, and the strength of current safeguards. However, likelihood alone does not define risk; a highly likely event that causes minimal harm may be less important than a less likely event that causes severe harm.

The second required component is theimpact—the magnitude of harm to the organization if the adverse event occurs. Impact is commonly evaluated across mission and business outcomes, including financial loss, operational disruption, legal or regulatory consequences, reputational damage, and loss of confidentiality, integrity, or availability. This is why option D is correct: NIST’s definition explicitly ties the risk expression tothe resulting impact on the organization.

The other options may influence likelihood assessment or control selection, but they are not the missing definitional element. Detection probability and control assurance relate to monitoring and governance; predisposing conditions can shape likelihood. None replace the

AnAccess Control List (ACL)is a structured, system-maintained list of authorization rules that specifieswho or what is allowed to access a resourceand what actions are permitted. In many operating systems, network devices, and applications, an ACL functions as an internal table that maps identities such as user IDs, group IDs, service accounts, or even device/terminal identifiers to permissions like read, write, execute, modify, delete, or administer. When a subject attempts to access an object, the system consults the ACL to determine whether the requested operation should be allowed or denied, enforcing the organization’s security policy at runtime.

The description in the question matches the classic definition of an ACL as a computerized table of access rules tied to login IDs and sometimes the originating endpoint or terminal context. ACLs are central to implementingdiscretionary access controland are also widely used in networking (for example, permitting or denying traffic flows based on source/destination and ports) and file systems (controlling access to folders and files).

AnAccess Control Entry (ACE)is only a single line item within an ACL (one rule for one subject). A “Relational Access Database” is not a standard security control term for authorization tables. A “Directory Management System” manages identities and groups, but it is not the same as the enforcement list attached to a specific resource. Therefore, the correct answer isAccess Control List.

When analyzing a web-based business environment for potential cost savings, the Business Analyst must account forapplication vulnerabilitiesbecause they directly affect the organization’s exposure to cyber attack and the true cost of operating a system. Vulnerabilities are weaknesses in application code, configuration, components, or dependencies that can be exploited to compromise confidentiality, integrity, or availability. In web environments, common examples include insecure authentication, injection flaws, broken access control, misconfigurations, outdated libraries, and weak session management.

Cost-saving recommendations frequently involve consolidating platforms, reducing tooling, lowering support effort, retiring controls, delaying upgrades, or moving to shared services. Without including known or likely vulnerabilities, the analysis can unintentionally recommend changes that reduce preventive and detective capability, increase attack surface, or extend the time vulnerabilities remain unpatched. Cybersecurity governance guidance emphasizes that technology rationalization must consider security posture: vulnerable applications often require additional controls (patching cadence, WAF rules, monitoring, code fixes, penetration testing, secure SDLC work) that carry ongoing cost. These costs are part of the system’s “total cost of ownership” and should be weighed against proposed savings.

While impact severity and threat likelihood are important for overall risk scoring, the question asks what risk factor must be included when documenting the current state of a web-based environment. The most essential factor that ties directly to the environment’s condition and drives remediation cost and exposure isapplication vulnerabilities.

ITIL is a widely adopted framework that definesbest-practice guidance for IT Service Management. Its focus is on how organizations design, deliver, operate, and continually improve IT services so they reliably support business outcomes. In cybersecurity and service delivery documentation, ITIL is often referenced because strong service management processes are foundational to secure operations. For example, ITIL practices such as incident management, problem management, change enablement, configuration management, and service continuity help ensure security controls are implemented consistently and that deviations are identified, tracked, and corrected.

ITIL does not define how hardware systems interface securely with one another; that is more aligned with architecture standards, security engineering, and network or platform design frameworks. It also does not prescribe a universal set of components for every technology system; that belongs to reference architectures and enterprise architecture standards. Likewise, ITIL is not primarily a security requirements standard. While ITIL supports security governance through practices like risk management, access management, and information security management integration, it does not itself serve as a mandatory security control catalog.

From a cybersecurity perspective, ITIL contributes by promoting repeatable processes, clear roles and responsibilities, measurable service levels, and continual improvement. These elements reduce operational risk, improve response effectiveness, and strengthen accountability—key requirements for maintaining confidentiality, integrity, and availability in production environments.

Multiple attempts by unauthorized users to access confidential data most closely aligns with activity from a hacker, meaning an unauthorized actor attempting to gain access to systems or information. Cybersecurity operations commonly observe this pattern as repeated login failures, password-spraying, credential-stuffing, brute-force attempts, repeated probing of restricted endpoints, or abnormal access requests against protected repositories. While “user” is too generic and could include authorized individuals, the question explicitly states “unauthorized users,” pointing to malicious or illegitimate actors. “Admin” and “IT Support” are roles typically associated with legitimate privileged access and operational troubleshooting; repeated unauthorized access attempts from those roles would be atypical and would still represent compromise or misuse rather than normal operations. Cybersecurity documentation often classifies these attempts as indicators of malicious intent and potential precursor events to a breach. Controls recommended to counter such activity include strong authentication (multi-factor authentication), account lockout and throttling policies, anomaly detection, IP reputation filtering, conditional access, least privilege, and monitoring of authentication logs for patterns across accounts and geographies. The key distinction is that repeated unauthorized attempts represent hostile behavior by an external or rogue actor, which is best described as a hacker in the provided options.

Risk appetiteis the amount and type of risk an organization is willing to pursue or retain in order to achieve its objectives. Cybersecurity and enterprise risk management guidance treats risk appetite as a strategic input because it shapes decision-making across portfolios, programs, and day-to-day operations. When risk appetite isquantifiedthrough measurable statements and thresholds, leaders can compare proposed initiatives against agreed limits and make consistent trade-offs between speed, cost, innovation, and protection.

If an organization does not quantify risk appetite, it often defaults to inconsistent behavior: some teams become overly cautious and reject beneficial initiatives, while others take uncontrolled risk because there is no clear boundary. Both outcomes can cause missed opportunities. Over-caution can delay digital transformation, cloud adoption, automation, and new customer capabilities. Under-defined boundaries can also lead to surprise losses, regulatory issues, and unplanned remediation that consumes budget and time—reducing the organization’s ability to execute strategy.

Quantified risk appetite enables practical governance: it guides which risks can be accepted, which require mitigation, and which must be escalated for executive decision. It also supports prioritization of security investments by focusing resources on risks that exceed tolerance and allowing faster approval for activities that fall within appetite. In short, risk appetite is the strategic “north star” that aligns cybersecurity risk-taking with business goals, making option D the correct choice.

Cybersecurity controls are the safeguards an organization implements to reduce risk to an acceptable level. In standard risk-management language, a control is not limited to a one-time review; it is an ongoing capability that is designed, implemented, and operated to prevent, detect, or correct unwanted events. That capability is typically delivered throughtechnology solutions(technical controls) andprocess solutions(administrative or procedural controls), which is why option B is correct.

Technology controls include items like firewalls, endpoint protection, encryption, multifactor authentication, logging and monitoring, vulnerability scanning, secure configuration baselines, and data-loss prevention. These controls directly enforce security requirements through system behavior and automation, helping reduce the likelihood or impact of threats.

Process controls include policies, standards, access approval workflows, segregation of duties, change management, secure development practices, incident response playbooks, training, and periodic access recertification. These ensure people consistently perform security-critical tasks correctly and create accountability and repeatability.

Options C and D describe possible outcomes or limitations (controls may not fully eliminate risk and may only mitigate part of it), but they are not what controlsinclude. Option A is incorrect because “only initial reviews” are insufficient; reviews can be a component of a control, but effective controls require sustained operation, evidence, and reassessment as systems, threats, and business needs change.

Information classificationis the formal process of evaluating the data an organization creates or holds and assigning it a sensitivity level so the organization can apply the right safeguards. Cybersecurity policies describe classification as the foundation for consistent protection because it links thepotential harm from unauthorized disclosure, alteration, or lossto specific handling and control requirements. Typical classification labels include Public, Internal, Confidential, and Restricted, though names vary by organization. Once data is classified, required protections can be specified, such as encryption at rest and in transit, access restrictions based on least privilege, approved storage locations, monitoring requirements, retention periods, and secure disposal methods.

This is not avulnerability assessment, which focuses on identifying weaknesses in systems, applications, or configurations. It is also not aninternal audit, which evaluates whether controls and processes are being followed and are effective. Option D,information categorization, is often used in some frameworks to describe assigning impact levels (for example, confidentiality, integrity, availability impact) to information types or systems, mainly to drive control baselines. While related, the question specifically emphasizes assessing data and deciding thelevel of protectionbased on risk from disclosure, which aligns most directly withclassificationprograms used to govern labeling and handling rules across the organization.

A strong classification program improves security consistency, supports compliance, reduces accidental exposure, and helps prioritize controls for the most sensitive information assets.