IIBA Certificate in Cybersecurity Analysis IIBA-CCA CCA Exam Questions

Page: 1 / 14
Total 75 questions
Question 1

Analyst B has discovered multiple sources which can harm the organization's systems. What has she discovered?



Answer : C

Multiple sources that can harm an organization's systems are classified as threats. In cybersecurity risk terminology, a threat is any circumstance, event, actor, or condition with the potential to adversely impact confidentiality, integrity, or availability. Threats can be human (external attackers, insiders, third-party compromises), technical (malware, ransomware campaigns, exploit kits), operational (misconfigurations, weak processes, inadequate monitoring), or environmental (power disruption, natural disasters). This differs from a breach, which is the realized outcome where unauthorized access or disclosure has already occurred. It also differs from a hacker, which refers to one type of threat actor rather than the broader category of potential harm. Ransomware is a specific threat type (malware that encrypts data and demands payment), not a general term for multiple sources of harm.

Cybersecurity documents commonly pair "threats" with "vulnerabilities" and "controls": threats exploit vulnerabilities to create risk; controls reduce either the likelihood of exploitation or the impact if exploitation occurs. Identifying "multiple sources which can harm systems" is essentially threat identification, an early and ongoing step in risk management used to inform security architecture, monitoring, and incident preparedness. Therefore, the correct concept is threat.


Question 2

In the OSI model for network communication, the Session Layer is responsible for:



Answer : A

The OSI Session Layer (Layer 5) is responsible for establishing, managing, and terminating sessions between communicating applications. A session is the logical dialogue that allows two endpoints to coordinate how communication starts, how it continues, and how it ends. This includes controlling the "conversation" state, such as who can transmit at what time, maintaining the session so it stays active, and closing it cleanly when it is no longer needed. Because of this, option A best matches the Session Layer's core responsibilities.

In contrast, presenting data to the receiver in a recognizable form is the job of the Presentation Layer (Layer 6), which deals with formatting, encoding, compression, and often cryptographic transformation concepts. Adding appropriate network addresses to packets aligns to the Network Layer (Layer 3), where logical addressing and routing decisions occur, typically associated with IP addressing. Transmitting the data on the medium is handled at the Physical Layer (Layer 1), which concerns signals, cabling, and the actual movement of bits.

From a cybersecurity perspective, session management is important because weaknesses can enable session hijacking, replay, or fixation, especially when session identifiers are predictable, not protected, or not properly invalidated. Controls commonly include strong authentication, secure session token generation, timeout and reauthentication rules, and proper session termination to reduce exposure.
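The controls listed above (unpredictable token generation, idle and absolute timeouts, reauthentication for sensitive actions, identifier rotation at login, and server-side termination) can be seen together in a minimal session store. This is an added illustration, not IIBA material; the class name, timeout values and clock parameter are assumptions chosen for the example.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60        # seconds of inactivity before a session expires
ABSOLUTE_TIMEOUT = 8 * 3600   # hard lifetime regardless of activity
REAUTH_WINDOW = 5 * 60        # sensitive actions need authentication this recent


class SessionStore:
    """In-memory session store (assumed design for illustration only)."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable clock makes timeouts testable
        self._sessions = {}

    def create(self, user):
        # 256-bit CSPRNG token: cannot be guessed or enumerated by an attacker
        sid = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[sid] = {"user": user, "created": now,
                               "last_seen": now, "auth_at": now}
        return sid

    def rotate(self, sid):
        # Issue a fresh identifier at authentication or privilege change so an
        # identifier planted before login (session fixation) is never honoured
        data = self._sessions.pop(sid, None)
        if data is None:
            return None
        new_sid = secrets.token_urlsafe(32)
        data["auth_at"] = self._clock()
        self._sessions[new_sid] = data
        return new_sid

    def validate(self, sid):
        # Returns the user for a live session, or None (and invalidates) if expired
        data = self._sessions.get(sid)
        if data is None:
            return None
        now = self._clock()
        if (now - data["last_seen"] > IDLE_TIMEOUT
                or now - data["created"] > ABSOLUTE_TIMEOUT):
            self.terminate(sid)
            return None
        data["last_seen"] = now
        return data["user"]

    def needs_reauth(self, sid):
        data = self._sessions.get(sid)
        return data is None or self._clock() - data["auth_at"] > REAUTH_WINDOW

    def terminate(self, sid):
        # Server-side invalidation on logout: a replayed token is then useless
        return self._sessions.pop(sid, None) is not None
```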


Question 3

Which of the following should be addressed in the organization's risk management strategy?



Answer : D

An organization's risk management strategy is a governance-level artifact that sets direction for how risk is managed across the enterprise. A core requirement in cybersecurity governance frameworks is clear accountability, including executive ownership for risk decisions that affect the whole organization. Assigning an executive responsible for risk management establishes authority to set risk appetite and tolerance, coordinate risk activities across business units, resolve conflicts between competing priorities, and ensure risk decisions are made consistently rather than in isolated silos. This executive role also supports oversight of risk reporting to senior leadership, ensures resources are allocated to address material risks, and drives integration between cybersecurity, privacy, compliance, and operational resilience programs. Without an accountable executive function, risk management often becomes fragmented, with inconsistent scoring, uneven control implementation, and unclear decision rights for accepting or treating risk.

Option A can be part of a strategy, but the question asks what should be addressed, and the most critical foundational element is enterprise accountability and governance. Option B is too granular for a strategy; selecting controls for each IT asset belongs in security architecture, control baselines, and system-level risk assessments. Option C is typically handled in incident response and breach management plans and procedures, which are operational documents derived from strategy but not the strategy itself. Therefore, the best answer is the assignment of an executive responsible for risk management across the organization.


Question 4

When attackers exploit human emotions and connection to gain access, what technique are they using?



Answer : A

Social engineering is the broad technique attackers use when they manipulate human psychology (such as trust, fear, urgency, curiosity, sympathy, authority, or the desire to be helpful) to persuade someone to take an action that benefits the attacker. The key idea in the question is "exploit human emotions and connection," which is the defining characteristic of social engineering. Rather than breaking a system through purely technical means, the attacker targets the person as the easiest path to access, credentials, sensitive information, or physical entry.

Phishing is a specific subtype of social engineering that typically uses email, text messages, or fake websites to trick users into clicking links, opening attachments, or entering credentials. Tailgating is another subtype focused on physical access, where an attacker follows an authorized person into a restricted area by leveraging politeness or social pressure. Malware is malicious software used to compromise systems; it can be delivered through social engineering, but malware itself is not the human-manipulation technique.

Cybersecurity control guidance treats social engineering as a major risk because it can bypass technical protections by causing legitimate users to unintentionally grant access. Common defenses include awareness training, verification procedures (call-back and out-of-band confirmation), least privilege, multi-factor authentication, strong email and web filtering, and clear reporting channels so suspicious requests can be escalated quickly.


Question 5

What should organizations do with Key Risk Indicator (KRI) and Key Performance Indicator (KPI) data to facilitate decision making and improve performance and accountability?



Answer : B

KRIs and KPIs are only useful when they are handled as part of a disciplined measurement lifecycle. Cybersecurity governance guidance emphasizes three essential activities: collect, analyze, and report. Organizations must first collect KRI and KPI data consistently from reliable sources such as vulnerability scanners, SIEM logs, IAM systems, ticketing platforms, and asset inventories. Collection requires defined metric owners, clear definitions, standardized time windows, and data quality checks so results are comparable across periods and business units.

Next, organizations analyze the data to understand what it means for risk and performance. Analysis includes trending over time, comparing results to targets and thresholds, correlating indicators to business outcomes, identifying outliers, and determining root causes. For KRIs, analysis highlights rising exposure or control breakdowns such as increasing critical vulnerabilities beyond SLA. For KPIs, analysis evaluates operational effectiveness such as mean time to detect and mean time to remediate.

Finally, organizations report results to the right audiences with the right level of detail. Reporting supports accountability by assigning actions, tracking remediation progress, and escalating when thresholds are exceeded. It also supports decision making by showing where investment, staffing, or control changes will have the greatest risk-reduction and performance impact. The other options are not standard, auditable metric management activities and do not reflect the established lifecycle used in cybersecurity measurement programs.


Question 6

Certificates that provide SSL/TLS encryption capability:



Answer : B

SSL/TLS relies on digital certificates to support encrypted communications and to help users trust that they are connecting to the correct server. A TLS certificate is typically an X.509 certificate that binds a public key to an identity, such as a domain name, and is digitally signed by a trusted issuer. In most public internet use cases, these certificates are issued by Certificate Authorities that browsers and operating systems already trust through pre-installed root certificates. Because of that trust chain, organizations commonly obtain certificates by purchasing or otherwise obtaining them from certificate authorities, which is why option B is correct.

During the TLS handshake, the server presents its certificate to the client. The client validates the certificate's signature chain, validity period, and that the certificate matches the domain being accessed. Once validated, TLS establishes session keys used to encrypt data in transit and protect it from eavesdropping and tampering. Certificates themselves are not "similar to unencrypted data," and they are not specific to thumb-drive storage; they are used to secure network communications. Certificates also do not primarily provide "authorization" to access data. Authorization is typically enforced by application and access control mechanisms after authentication. Certificates support authentication of endpoints and enable secure key exchange, which are prerequisites for secure transport encryption and trustworthy connections.


Question 7

The main phases of incident management are:



Answer : B

Incident management is a structured operational process used to ensure security issues are handled consistently, evidence is preserved, impact is reduced, and improvements are implemented to prevent recurrence. The phases listed in option B match how incident management is commonly documented in operational security programs.

Reporting is the entry point: users, monitoring tools, and service desks raise alerts or tickets, capturing what happened, when, and initial impact. Clear reporting channels and defined severity criteria ensure incidents are escalated quickly and handled by the right teams. Investigation follows, focusing on fact-finding and evidence collection such as logs, endpoint telemetry, network traces, and user statements. Assessment determines scope, business impact, affected assets and data, and the likelihood of continuing compromise. This step drives prioritization and selects the appropriate handling path.

Corrective actions implement containment, eradication, and recovery activities, such as isolating hosts, disabling compromised accounts, applying patches, rotating credentials, restoring from backups, and validating system integrity. Corrective actions also include communications, documentation, and coordination with legal, privacy, and business stakeholders when required. Finally, review is the lessons-learned phase that updates playbooks, improves detections, closes control gaps, and ensures root causes are addressed through durable fixes rather than temporary workarounds.

The other options do not represent standard incident management phases: A is a marketing model, while C and D are incomplete or mis-ordered compared to established incident management lifecycle documentation.

