INFORMATION TECHNOLOGY FOR MANAGEMENT DIGITAL STRATEGIES FOR INSIGHT ACTION AND SUSTAINABLE PERFORMANCE 10TH EDITION TURBAN SOLUTIONS MANUAL


Chapter 5: Cybersecurity and Risk Management

Test Bank

Multiple Choice

1. The discount retailer Target suffered a hacker attack during the fourth quarter of 2013 (4Q2013) that exposed customer account information. Which of the following was not an impact of Target’s hacker attack and data breach?

a. 4Q 2013 profit dropped 46% and sales revenue fell 5.3% after the breach was disclosed.

b. Gartner estimated the cost of the breach at $400 million to $450 million.

c. Target faced two lawsuits: one for privacy invasion and one for negligence.


d. The incident scared shoppers away, affecting the company’s profits throughout 2014.

Answer: C

Difficulty: Hard

Section Ref: Opening Case 5.1

AACSB: Dynamics of the global economy

2. Almost half of the 2013 breaches occurred in ________, where the largest number of records was exposed: more than 540 million data records, or 66 percent of the total.

a. Asia

b. China

c. Europe

d. The United States

Answer: D

Difficulty: Easy

Section Ref: 5.1 The Face and Future of Cyberthreats

AACSB: Use of Information Technology


3. Negative consequences of lax cybersecurity that companies tend to face include all of the following except ________.

a. Damaged brands and reputations

b. Criminal charges

c. Financial penalties

d. Customer backlash

Answer: B

Difficulty: Easy

Section Ref: 5.1 The Face and Future of Cyberthreats

AACSB: Use of Information Technology

4. The main cause of data breaches is ________, which is so successful because of ________ when management does not do enough to defend against cyberthreats.

a. Hacking; highly motivated hackers

b. Hacking; negligence

c. Malware; BYOD

d. Malware; negligence

Answer: B

Difficulty: Medium

Section Ref: 5.1 The Face and Future of Cyberthreats

AACSB: Use of Information Technology

5. Boeing’s Black smartphone is secure because it ________.

a. Is self-destructing if tampered with.

b. Uses dual SIM cards

c. Communicates via satellite

d. Is an Android device

Answer: A

Difficulty: Easy

Section Ref: 5.1 The Face and Future of Cyberthreats

AACSB: Use of Information Technology


6. A(n) ________ attack bombards a network or website with traffic to crash it and leave it vulnerable to other threats.

a. advanced persistent threat

b. distributed denial-of-service

c. malware

d. phishing

Answer: B

Difficulty: Medium

Section Ref: 5.1 The Face and Future of Cyberthreats

AACSB: Use of Information Technology

7. Attacks ________ could significantly disrupt the functioning of government and business and trigger cascading effects far beyond the targeted sector and physical location of the incident.

a. By hacktivists

b. By hackers

c. On critical infrastructure

d. On industrial control systems

Answer: C

Difficulty: Hard

Section Ref: 5.1 The Face and Future of Cyberthreats

AACSB: Use of Information Technology

8. Which of the following represents a cybersecurity concern about employees using their own smartphones for work purposes?

a. Employees will spend too much time playing games or using entertainment and recreation apps, thus reducing productivity.

b. Managers will be unable to monitor the time spent on personal calls made during work hours.

c. Many personal smartphones do not have anti-malware or data encryption apps, creating a security problem with respect to any confidential business data stored on the device.

d. Consumer-quality equipment is more likely to break or malfunction than enterprise-quality devices.

Answer: C

Difficulty: Medium


Section Ref: 5.1 The Face and Future of Cyberthreats

AACSB: Use of Information Technology

9. ________ is also known as human hacking: tricking users into revealing their credentials and then using them to gain access to networks or accounts.

a. Android-hacking

b. BYOD

c. Hacktivism

d. Social engineering

Answer: D

Difficulty: Medium

Section Ref: 5.1 The Face and Future of Cyberthreats

AACSB: Use of Information Technology

10. Experts believe the three greatest cybersecurity dangers over the next few years will involve all of the following except __________.

a. persistent threats

b. POS attacks

c. mobile computing

d. the use of social media

Answer: B

Difficulty: Hard

Section Ref: 5.1 The Face and Future of Cyberthreats

AACSB: Use of Information Technology

11. ____________ is/are defined as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”

a. Critical infrastructure

b. Cyber architecture

c. National networks

d. Strategic assets

Answer: A

Difficulty: Medium

Section Ref: 5.1 The Face and Future of Cyberthreats

AACSB: Use of Information Technology


12. ____ tactics are used by hackers and corporate spies to trick people into revealing login information or access codes.

a. Social engineering

b. Backdoor

c. BYOD

d. Password cracking

Answer: A

Difficulty: Medium

Section Ref: 5.1 The Face and Future of Cyberthreats

AACSB: Use of Information Technology

13. A stealth network attack in which an unauthorized person gains access to a network and remains undetected for a long time is referred to as a(n) ________ attack.

a. registry denial

b. advanced persistent threat

c. DDOS

d. hacktivist

Answer: B

Difficulty: Medium

Section Ref: 5.1 The Face and Future of Cyberthreats

AACSB: Use of Information Technology

14. Cybercrime surveys have reported each of the following trends or findings except ________.

a. security incidents increased 33% despite implementation of security practices

b. current cybersecurity technologies and policies are simply not keeping pace with fast-evolving threats.

c. Many threats and challenges that organizations face today were unimaginable 10 years ago.

d. Older threats such as fraud and identity theft have decreased significantly.

Answer: D

Difficulty: Hard

Section Ref: 5.1 The Face and Future of Cyberthreats

AACSB: Reflective thinking


15. A key finding of the 2014 Global State of Information Security Survey was ________.

a. Too many companies are defending yesterday; that is, they rely on yesterday’s cybersecurity practices, which are ineffective at combating today’s threats.

b. Protecting all data at an equally high level is now practical and feasible.

c. Most companies implement stringent security policies before moving to cloud computing, but not before implementing BYOD.

d. APTs require a new information-protection model that focuses on preventing DDoS attacks.

Answer: A

Difficulty: Hard

Section Ref: 5.1 The Face and Future of Cyberthreats

AACSB: Use of Information Technology

16. Advanced persistent threat (APT) attackers want to ________.

a. create awareness for their causes

b. remain unnoticed so they can continue to steal data

c. conduct cyberwarfare

d. reveal weaknesses in business and government websites and then force them offline.

Answer: B

Difficulty: Medium

Section Ref: 5.1 The Face and Future of Cyberthreats

AACSB: Use of Information Technology

17. According to cybersecurity experts, most data breaches go unreported because corporate victims fear that disclosure would damage their stock price, or because ________.

a. they want to hide the attack from the government

b. they never knew they were hacked in the first place

c. they want to cover up the intrusion

d. they do not have to report them.

Answer: B

Difficulty: Hard

Section Ref: 5.1 The Face and Future of Cyberthreats

AACSB: Use of Information Technology


18. One source of cybersecurity threats today is ________, who breach networks in an attempt to gain media attention for their cause.

a. Hacktivists

b. Political criminals

c. Industrial spies

d. Social engineers

Answer: A

Difficulty: Easy

Section Ref: 5.1 The Face and Future of Cyberthreats

AACSB: Use of Information Technology

19. A(n) ________ is a hacker who quietly attempts to breach secure networks looking for trade secrets or proprietary information.

a. Hacktivist

b. Political criminal

c. Industrial spy

d. Identity thief

Answer: C

Difficulty: Medium

Section Ref: 5.1 The Face and Future of Cyberthreats

AACSB: Reflective thinking

20. One of ________ specialties is finding websites with poor security, and then stealing and posting information from them online.

a. LulzSec’s

b. RSA’s

c. Fraudsters’

d. Botmasters’

Answer: A

Difficulty: Medium

Section Ref: 5.1 The Face and Future of Cyberthreats

AACSB: Use of Information Technology

21. LulzSec and Anonymous are examples of ________ that have claimed responsibility for high-profile attacks designed to make a political statement, embarrass an organization or government, or gain publicity.

a. Hacktivists

b. Hostile government agents

c. Industrial spies

d. Cyber terrorists

Answer: A

Difficulty: Easy

Section Ref: 5.1 The Face and Future of Cyberthreats

AACSB: Use of Information Technology

22. The preferred method of hackers who want to steal trade secrets and other confidential information from business organizations is ___________.

a. To bribe employees to get access codes and passwords.

b. To bombard websites or networks with so much traffic that they “crash”, exposing sensitive data.

c. To break into employees’ mobile devices and leapfrog into employers’ networks stealing secrets without a trace.

d. Use a combination of sophisticated hardware tools designed to defeat IT security defenses.

Answer: C

Difficulty: Hard

Section Ref: 5.1 The Face and Future of Cyberthreats

AACSB: Use of Information Technology

23. U.S. cybersecurity experts and government officials are increasingly concerned about breaches from ________ into corporate networks, either through mobile devices or by other means.

a. Domestic terrorists

b. Amateur hackers

c. Organized crime syndicates based in the United States

d. Other countries

Answer: D

Difficulty: Hard

Section Ref: 5.1 The Face and Future of Cyberthreats

AACSB: Use of Information Technology

24. Government and corporate officials concerned about security threats do not bring their own cell phones or laptops when traveling overseas. Instead, they bring loaner devices and follow strict security procedures, including not connecting to their domestic network while out of the country. These procedures are referred to as ________.

a. Black Ops procedures

b. Do-Not-Carry rules

c. Foreign Threat Prevention procedures

d. Strict Security standards

Answer: B

Difficulty: Medium

Section Ref: 5.1 The Face and Future of Cyberthreats

AACSB: Use of Information Technology

25. The objectives of cybersecurity are to accomplish each of the following except ________.

a. Make data and documents available and accessible 24/7 while simultaneously restricting access.

b. Promote secure and legal sharing of information among authorized persons and partners.

c. Ensure compliance with supply chain business partners

d. Detect, diagnose, and respond to incidents and attacks in real time.

Answer: C

Difficulty: Medium

Section Ref: 5.1 The Face and Future of Cyberthreats

AACSB: Use of Information Technology

26. In cybersecurity terminology, a threat is defined as ________.

a. A weakness that threatens the confidentiality, integrity, or availability of data.

b. Something or someone that can damage, disrupt, or destroy an asset.

c. Estimated cost, loss, or damage that can result from an exploit.

d. Tools or techniques that compromise a network.

Answer: B

Difficulty: Medium

Section Ref: 5.2 Cyber Risk Management

AACSB: Use of Information Technology

27. In cybersecurity terminology, a vulnerability is defined as ________.

a. A weakness that threatens the confidentiality, integrity, or availability of data.

b. Something or someone that can damage, disrupt, or destroy an asset.


c. Estimated cost, loss, or damage that can result from an exploit.

d. Tools or techniques that compromise a network.

Answer: A

Difficulty: Medium

Section Ref: 5.2 Cyber Risk Management

AACSB: Use of Information Technology

28. In cybersecurity terminology, a risk is defined as ________.

a. A weakness that threatens the confidentiality, integrity, or availability of data.

b. Something or someone that can damage, disrupt, or destroy an asset.

c. Estimated cost, loss, or damage that can result from an exploit.

d. The probability of a threat exploiting a vulnerability and the resulting cost.

Answer: D

Difficulty: Medium

Section Ref: 5.2 Cyber Risk Management

AACSB: Use of Information Technology

29. In cybersecurity terminology, an exploit is defined as ________.

a. A weakness that threatens the confidentiality, integrity, or availability of data.

b. Something or someone that can damage, disrupt, or destroy an asset.

c. Estimated cost, loss, or damage that can result from an exploit.

d. Tools or techniques that take advantage of a vulnerability.

Answer: D

Difficulty: Medium

Section Ref: 5.2 Cyber Risk Management

AACSB: Use of Information Technology

30. Chris is a network manager for a large company. She receives daily updates about various malware and then assesses how to best protect her organization’s network from attack. In cybersecurity terminology, she is involved in __________.

a. Identifying exposure

b. Risk management

c. A security audit

d. Encryption defenses

Answer: B

Difficulty: Medium


Section Ref: 5.2 Cyber Risk Management

AACSB: Use of Information Technology

31. The three key cybersecurity principles are:

a. Data protection, equipment protection, reputation protection

b. Confidentiality, integrity, availability

c. Anticipate, defend, counter-attack

d. Identify, assess risk, take action

Answer: B

Difficulty: Medium

Section Ref: 5.2 Cyber Risk Management

AACSB: Use of Information Technology

32. When sending sensitive email, James uses a program that transforms data into unreadable text to protect it from being understood by unauthorized users. James is using ________ to protect his email communications.

a. Authentication

b. Defense-in-depth

c. Encryption

d. Hashing

Answer: C

Difficulty: Easy

Section Ref: 5.2 Cyber Risk Management

AACSB: Use of Information Technology

33. Access to top secret or highly secure networks associated with Homeland Security or national defense use authentication methods based on a biological feature, such as a fingerprint or retinal scan to identify a person. These methods are called _____________.

a. Bio-Engineering

b. Physical security

c. Biometrics

d. Human factors

Answer: C

Difficulty: Medium

Section Ref: 5.2 Cyber Risk Management

AACSB: Use of Information Technology


34. Most organizations use software or hardware devices to control access to their private networks from the Internet by analyzing incoming and outgoing data packets. These devices are called ___________.

a. Antimalware

b. Firewalls

c. Intrusion detection systems

d. Middleware

Answer: B

Difficulty: Easy

Section Ref: 5.2 Cyber Risk Management

AACSB: Use of Information Technology

35. The ability of an IS to continue to operate when a failure occurs, but usually for a limited time or at a reduced level, is referred to as ________.

a. Fault tolerance

b. Hot site ready

c. Cold site ready

d. System override

Answer: A

Difficulty: Medium

Section Ref: 5.2 Cyber Risk Management

AACSB: Use of Information Technology

36. IT professionals work hard to protect key characteristics of an asset from security breaches. One of these characteristics is ________, or the avoidance of unauthorized disclosure of information or data.

a. Integrity

b. Confidentiality

c. Availability

d. Reliability

Answer: B

Difficulty: Medium

Section Ref: 5.2 Cyber Risk Management

AACSB: Use of Information Technology


37. IT professionals work hard to protect key characteristics of an asset from security breaches. One of these characteristics is ____________, or the property that data or files have not been altered in an unauthorized way.

a. Integrity

b. Confidentiality

c. Availability

d. Reliability

Answer: A

Difficulty: Medium

Section Ref: 5.2 Cyber Risk Management

AACSB: Use of Information Technology

38. IT professionals work hard to protect key characteristics of an asset from security breaches. One of these characteristics is _________, or the property that data is accessible and modifiable when needed by those authorized to do so.

a. Integrity

b. Confidentiality

c. Availability

d. Reliability

Answer: C

Difficulty: Easy

Section Ref: 5.2 Cyber Risk Management

AACSB: Use of Information Technology

39. In cybersecurity terms, the function of a password together with a username is to __________ a user’s identity to verify that the person has the right to access a computer or network.

a. Record

b. Authenticate

c. Substantiate

d. Validate

Answer: B

Difficulty: Easy

Section Ref: 5.2 Cyber Risk Management

AACSB: Use of Information Technology
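Questions 32 and 39 separate encryption, which keeps the content of James’s email unreadable to outsiders, from authentication, which checks that a username and password belong to someone allowed in. The Python example below is added here as an illustration and is not code from the textbook or its test bank. It shows how a login check is built on hashing rather than encryption: the server stores a salted PBKDF2 digest, never the password itself, and compares digests in constant time. The credential store, usernames and passwords are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

ITERATIONS = 100_000  # PBKDF2 work factor; raise it as hardware gets faster

CredentialStore = Dict[str, Tuple[bytes, bytes]]  # username -> (salt, digest)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a salted PBKDF2-HMAC-SHA256 digest. Returns (salt, digest).

    Hashing is one-way: the server can verify a password without ever being
    able to recover it, which is why passwords are hashed, not encrypted.
    """
    if salt is None:
        salt = os.urandom(16)  # a fresh random salt per user defeats precomputed tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def register(store: CredentialStore, username: str, password: str) -> None:
    """Keep only salt and digest; the plaintext password is never stored."""
    store[username] = hash_password(password)


def authenticate(store: CredentialStore, username: str, password: str) -> bool:
    """Authenticate a username/password pair against the stored digest."""
    record = store.get(username)
    if record is None:
        # Burn the same work for unknown users so that response time does
        # not reveal which usernames exist.
        hash_password(password, b"\x00" * 16)
        return False
    salt, expected = record
    _, candidate = hash_password(password, salt)
    # compare_digest runs in constant time: a mismatch in the first byte
    # takes exactly as long as a mismatch in the last one.
    return hmac.compare_digest(candidate, expected)


def demo() -> Tuple[bool, bool, bool]:
    """Constructed store: one valid login, one wrong password, one unknown user."""
    store: CredentialStore = {}
    register(store, "james", "correct horse battery staple")
    return (
        authenticate(store, "james", "correct horse battery staple"),
        authenticate(store, "james", "wrong password"),
        authenticate(store, "nobody", "correct horse battery staple"),
    )


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

Two users who pick the same password end up with different digests because their salts differ, so a leaked credential table cannot be attacked once for everyone.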


40. Intrusion detection systems (IDS) are designed to monitor network traffic and identify threats that have breached the network’s initial defenses. An IDS identifies all of the following except ________.

a. An attacker who is trying to break into the credentials of a legitimate user in order to gain access to an IS, device, or network.

b. A legitimate user who performs actions he is not authorized to do

c. A user who tries to disguise or cover up his actions by deleting audit files or system logs.

d. Employees who use computing or network resources inefficiently.

Answer: D

Difficulty: Easy

Section Ref: 5.2 Cyber Risk Management

AACSB: Use of Information Technology
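Question 40 lists the three kinds of activity an IDS is expected to catch. The Python example below, added here and not part of the textbook or test bank, runs a small rule set over constructed audit events and raises one alert for each: repeated failed logins against an account from one source, a legitimate user reading a path outside the role’s scope, and deletion of an audit log. The final event, an engineer streaming video from a project share, wastes resources but is not a security event, so no rule fires; that is option (d). The log format, the role table and the failure threshold are assumptions made for the example.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed audit events: "<timestamp> <user> <source-ip> <action> <target>".
SAMPLE_LOG = """\
2014-03-01T09:00:01 alice 10.0.0.5 LOGIN_FAIL -
2014-03-01T09:00:09 alice 10.0.0.5 LOGIN_OK -
2014-03-01T09:00:20 bob 203.0.113.7 LOGIN_FAIL -
2014-03-01T09:00:21 bob 203.0.113.7 LOGIN_FAIL -
2014-03-01T09:00:22 bob 203.0.113.7 LOGIN_FAIL -
2014-03-01T09:00:23 bob 203.0.113.7 LOGIN_FAIL -
2014-03-01T09:00:24 bob 203.0.113.7 LOGIN_FAIL -
2014-03-01T09:00:25 bob 203.0.113.7 LOGIN_FAIL -
2014-03-01T09:01:10 bob 10.0.0.9 LOGIN_OK -
2014-03-01T09:05:00 bob 10.0.0.9 READ /hr/payroll.xlsx
2014-03-01T09:06:00 bob 10.0.0.9 DELETE /var/log/audit/audit.log
2014-03-01T09:07:00 carol 10.0.0.12 READ /eng/design.pdf
2014-03-01T09:30:00 alice 10.0.0.5 READ /eng/cat-videos.mp4
"""

# Assumptions for the example: which path prefixes each user's role may touch,
# and where the audit logs live.
AUTHORIZED_PREFIXES: Dict[str, Tuple[str, ...]] = {
    "alice": ("/eng/",),
    "bob": ("/sales/",),
    "carol": ("/eng/",),
}
AUDIT_LOG_PREFIXES = ("/var/log/",)
FAILED_LOGIN_THRESHOLD = 5  # failures from one source against one account

EVENT = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def parse_events(log_text: str) -> List[Dict[str, str]]:
    """Turn raw lines into dicts; malformed lines are skipped rather than trusted."""
    events = []
    for line in log_text.splitlines():
        m = EVENT.match(line.strip())
        if m:
            ts, user, src, action, target = m.groups()
            events.append({"ts": ts, "user": user, "src": src, "action": action, "target": target})
    return events


def detect(events: List[Dict[str, str]]) -> List[Tuple[str, str, str, str]]:
    """Return (alert_type, user, source, detail) for every rule that fires."""
    alerts = []

    # Rule 1: credential attack. Many failures from one source against one account.
    failures = Counter((e["src"], e["user"]) for e in events if e["action"] == "LOGIN_FAIL")
    for (src, user), n in failures.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            alerts.append(("credential_attack", user, src, f"{n} failed logins"))

    for e in events:
        # Rule 2: a legitimate user acting outside what the role allows.
        if e["action"] in ("READ", "WRITE"):
            allowed = AUTHORIZED_PREFIXES.get(e["user"], ())
            if not e["target"].startswith(allowed):
                alerts.append(("unauthorized_access", e["user"], e["src"], e["target"]))
        # Rule 3: covering tracks by deleting audit files or system logs.
        if e["action"] == "DELETE" and e["target"].startswith(AUDIT_LOG_PREFIXES):
            alerts.append(("audit_tampering", e["user"], e["src"], e["target"]))
    return alerts


def alert_types(log_text: str) -> List[str]:
    """Convenience wrapper: just the alert names, in firing order."""
    return [a[0] for a in detect(parse_events(log_text))]


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(alert)
```

Alice’s single failed login stays under the threshold, and her video download is inside the path her role allows, so the only alerts concern bob: the password-guessing from 203.0.113.7, the payroll file read, and the deleted audit log.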

41. While security threats from e-mail viruses and malware have been declining for years as email security has improved, threats from __________ have increased considerably in recent years.

a. Software errors

b. Malicious employees

c. Social networks and cloud computing

d. Vendor sabotage

Answer: C

Difficulty: Easy

Section Ref: 5.3 Mobile, App, and Cloud Security

AACSB: Use of Information Technology

42. Facebook, YouTube, Twitter, LinkedIn, and other social networks are making IT security dangers worse. Why?

a. Users invite in and build relationships with others. Cybercriminals hack into these trusted relationships using stolen log-in credentials.

b. E-mail viruses and malware have been increasing for years even though e-mail security has improved.

c. Communication has shifted from social networks to smartphones.

d. Web filtering, user education, and strict policies cannot help prevent IT security dangers on Facebook and other social networks.

Answer: A

Difficulty: Hard

Section Ref: 5.3 Mobile, App, and Cloud Security


AACSB: Reflective thinking

43. When new vulnerabilities are found in operating systems, applications, or wired and wireless networks, vendors of those products release __________ or __________ to fix the vulnerabilities.

a. Patches; service packs

b. Patches; downloads

c. Firewalls; spyware

d. Service packs; firewalls

Answer: A

Difficulty: Medium

Section Ref: 5.3 Mobile, App, and Cloud Security

AACSB: Use of Information Technology

44. Which of the following is not a characteristic of money laundering and terrorist financing?

a. Transnational organized crime groups use money laundering to fund their operations, which creates international and national security threats.

b. Cybercrime is safer and easier than selling drugs, dealing in black market diamonds, or robbing banks.

c. Funds used to finance terrorist operations are easy to track, which provides evidence to identify and locate leaders of terrorist organizations and cells.

d. Online gambling offers easy fronts for international money-laundering operations.

Answer: C

Difficulty: Medium

Section Ref: 5.2 Cyber Risk Management

AACSB: Reflective thinking skills

45. Samuel received an email that looked like it came from his bank. The email told him to click a link that opened an official looking Webpage where he was asked to enter his account information. But when Samuel examined the URL, he noticed it was a strange address he did not recognize. Most likely, someone was attempting to steal Samuel’s confidential information using a technique called __________.

a. Botnets

b. Phishing

c. Spoofing

d. Click hijacking

Answer: B


Difficulty: Medium

Section Ref: 5.2 Cyber Risk Management

AACSB: Use of Information Technology
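Question 45 turns on the detail Samuel noticed: the address behind the link did not match the bank it claimed to be. The Python example below, added here and not part of the textbook or test bank, automates that check over an email body. It pulls every link out of the HTML and flags the usual signs of a phishing link: a host outside the bank’s domain, the bank’s name buried inside someone else’s domain, a bare IP address, a plain http URL, user-info tricks in the address, and visible link text that names a different site than the href actually goes to. The message, the bank domain examplebank.com and the finding names are constructed for the example.

```python
import re
from html.parser import HTMLParser
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Assumption for the example: the bank's only legitimate registrable domain.
TRUSTED_DOMAINS = {"examplebank.com"}

# Constructed phishing email body (not a real message).
SAMPLE_EMAIL = """
<p>Dear customer, your account is locked. Please
<a href="http://examplebank.com.account-verify.net/login">log in at https://www.examplebank.com</a>
within 24 hours.</p>
<p>Or use <a href="https://192.0.2.10/secure">our secure portal</a>.</p>
<p>Questions? <a href="https://www.examplebank.com/help">https://www.examplebank.com/help</a></p>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> tag in the body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def registrable_domain(host: str) -> str:
    """Last two labels of a host name. Crude (no public-suffix list), but enough here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})")
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def link_findings(href: str, text: str) -> List[str]:
    """Return the red flags for one link; an empty list means nothing suspicious."""
    findings = []
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()
    if parsed.scheme != "https":
        findings.append("plaintext")          # credentials would travel unencrypted
    if "@" in parsed.netloc:
        findings.append("userinfo")           # https://bank.com@evil.net/ style trick
    if IPV4.fullmatch(host):
        findings.append("ip_host")            # a bank does not send customers to a bare IP
    if registrable_domain(host) not in TRUSTED_DOMAINS:
        findings.append("untrusted_host")
        if any(t in host for t in TRUSTED_DOMAINS):
            findings.append("lookalike")      # brand name buried in someone else's domain
    m = DOMAIN_IN_TEXT.search(text.lower())
    if m and registrable_domain(m.group(1)) != registrable_domain(host):
        findings.append("display_mismatch")   # text names one site, href goes to another
    return findings


def analyze(html: str) -> List[Dict[str, object]]:
    """Every link in the body with its findings."""
    parser = LinkExtractor()
    parser.feed(html)
    return [{"href": h, "text": t, "findings": link_findings(h, t)} for h, t in parser.links]


def flagged_links(html: str) -> List[Dict[str, object]]:
    """Only the links that carry at least one red flag."""
    return [r for r in analyze(html) if r["findings"]]


if __name__ == "__main__":
    for r in analyze(SAMPLE_EMAIL):
        print(r["href"], "->", r["findings"] or "ok")
```

In the constructed message the first link fires four findings, the bare-IP link two, and the genuine help link none. The registrable-domain helper is deliberately simple; a production filter would use a public-suffix list so that hosts under country-code second-level domains are split correctly.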

46. In the United States, the Sarbanes–Oxley Act (SOX), Gramm-Leach-Bliley Act (GLB), Federal Information Security Management Act (FISMA), and USA Patriot Act all require businesses to __________________________.

a. Report security breaches via media sources to inform the public

b. Backup sensitive data to offsite locations

c. Protect personally identifiable information

d. Inform the public about network failures in a timely manner

Answer: C

Difficulty: Hard

Section Ref: 5.2 Cyber Risk Management

AACSB: Use of Information Technology

47. The director of the Federal Trade Commission (FTC) Bureau of Consumer Protection warned that the agency would bring enforcement action against small businesses that ________.

a. failed to inform the public about network failures in a timely manner

b. failed to transmit sensitive data

c. did not report security breaches to law enforcement

d. lacked adequate policies and procedures to protect consumer data.

Answer: D

Difficulty: Hard

Section Ref: 5.2 Cyber Risk Management

AACSB: Use of Information Technology

48. The principle of ________ acknowledges that the cost of information security needs to be balanced with its benefits. It is the basic cost–benefit principle with which you are familiar.

a. accounting

b. economic use of resources

c. legality

d. COBIT

Answer: B

Difficulty: Medium

Section Ref: 5.2 Cyber Risk Management

AACSB: Use of Information Technology
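Questions 26 to 29 define threat, vulnerability, exploit and risk, with risk being the probability of a threat exploiting a vulnerability times the resulting cost, and question 48 states the cost-benefit principle that decides how much to spend defending against it. The Python example below, added here and not part of the textbook or test bank, puts the two together: a small risk register ranked by expected annual loss, and a test of which candidate controls pay for themselves. The risks, probabilities, loss figures and control costs are constructed for the example and do not come from the book.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class Risk:
    """One line of a risk register, in the chapter's vocabulary."""
    name: str
    threat: str                 # who or what can do the damage (Q26)
    vulnerability: str          # the weakness it exploits (Q27)
    annual_probability: float   # expected successful exploits per year
    loss_per_incident: float    # cost of one successful exploit, in dollars

    def expected_annual_loss(self) -> float:
        """Risk as Q28 defines it: probability of exploitation times resulting cost."""
        return self.annual_probability * self.loss_per_incident


@dataclass
class Control:
    name: str
    annual_cost: float
    probability_reduction: float  # share of incidents the control prevents, 0..1


def control_benefit(risk: Risk, control: Control) -> float:
    """Avoided loss minus control cost; positive means the spend is justified (Q48)."""
    avoided = risk.expected_annual_loss() * control.probability_reduction
    return avoided - control.annual_cost


def prioritize(risks: List[Risk]) -> List[str]:
    """Risk names ordered by expected annual loss, largest first."""
    return [r.name for r in sorted(risks, key=Risk.expected_annual_loss, reverse=True)]


def justified_controls(risk: Risk, candidates: List[Control]) -> List[str]:
    """Controls whose net benefit for this risk is positive, best first."""
    ranked = sorted(candidates, key=lambda c: control_benefit(risk, c), reverse=True)
    return [c.name for c in ranked if control_benefit(risk, c) > 0]


# Constructed register: illustrative figures, not data from the textbook.
REGISTER = [
    Risk("Phishing credential theft", "external attacker", "users click lookalike links", 0.5, 200_000),
    Risk("Lost unencrypted laptop", "thief or careless employee", "no full-disk encryption", 2.0, 40_000),
    Risk("Data center flood", "environmental hazard", "single site, no failover", 0.02, 1_500_000),
]

# Constructed candidate controls for the phishing risk.
PHISHING_CONTROLS = [
    Control("Multi-factor authentication", 30_000, 0.8),
    Control("Awareness training", 15_000, 0.3),
    Control("Premium email gateway", 120_000, 0.9),
]


if __name__ == "__main__":
    print(prioritize(REGISTER))
    print(justified_controls(REGISTER[0], PHISHING_CONTROLS))
```

The flood has the largest single-incident cost but the smallest expected annual loss, so it ranks last; and the gateway, although it prevents the most phishing, costs more per year than the loss it avoids and is rejected, which is exactly the balance the principle of economic use of resources asks for.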


49. ________ is the supervision, monitoring, and control of an organization’s IT assets.

a. IT governance

b. Internal control

c. PCI DSS

d. FISMA

Answer: A

Difficulty: Medium

Section Ref: 5.2 Cyber Risk Management

AACSB: Use of Information Technology

50. The purpose of the ________ is to improve customers’ trust in e-commerce, especially when it comes to online payments, and to increase the Web security of online merchants.

a. IT governance

b. Internal control

c. PCI DSS

d. FISMA

Answer: C

Difficulty: Medium

Section Ref: 5.2 Cyber Risk Management

AACSB: Use of Information Technology

51. The IT security defense-in-depth model starts with ________.

a. Senior management commitment and support

b. IT security procedures and enforcement

c. Hardware and software selection

d. Acceptable use policies and IT security training

Answer: A

Difficulty: Medium

Section Ref: 5.2 Cyber Risk Management

AACSB: Use of Information Technology

52. The IT security defense-in-depth model ends with ________.

a. Senior management commitment and support


b. IT security procedures and enforcement

c. Hardware and software selection

d. Acceptable use policies and IT security training

Answer: C

Difficulty: Medium

Section Ref: 5.2 Cyber Risk Management

AACSB: Use of Information Technology

53. Cybersecurity is ___________.

a. an ongoing unending process

b. a problem that is solved with hardware or software

c. defined in the AUP that is enforced periodically

d. primarily the responsibility of the IT and legal departments

Answer: A

Difficulty: Medium

Section Ref: 5.2 Cyber Risk Management

AACSB: Use of Information Technology

54. Which of the following statements about malware is false?

a. Technically, malware is a computer program or code that can infect anything attached to the Internet and is able to process the code.

b. Setting an e-mail client, such as Microsoft Outlook or Gmail, to allow scripting blocks malware.

c. RATs create an unprotected backdoor into a system through which a hacker can remotely control that system.

d. The payload carries out the purpose of the malware.

Answer: B

Difficulty: Medium

Section Ref: 5.2 Cyber Risk Management

AACSB: Use of Information Technology

55. Most APT attacks are launched through ________.

a. Data tampering

b. Worms

c. Phishing

d. Vectors


Answer: C

Difficulty: Medium

Section Ref: 5.2 Cyber Risk Management

AACSB: Use of Information Technology

56. Storm worm, which is spread via spam, is a ________ agent embedded inside over 25 million computers. Storm’s combined power has been compared to the processing power of ________.

a. botnet; a supercomputer

b. spyware; a DDoS attack

c. vector; zombies

d. spear phishing; a server

Answer: A

Difficulty: Hard

Section Ref: 5.2 Cyber Risk Management

AACSB: Use of Information Technology

57. Sometimes system failures and data or information loss can result from reasons other than an intentional attempt to breach security. Unintentional threats are all of the following except ___________.

a. Political/civic unrest

b. Human errors

c. Environmental hazards

d. Computer systems failures

Answer: A

Difficulty: Medium

Section Ref: 5.2 Cyber Risk Management

AACSB: Use of Information Technology

58. ________ is the elapsed time between when a vulnerability is discovered and when it is exploited; it has shrunk from months to ________.

a. Time-to-exploitation; days

b. Time-to-exploitation; minutes

c. Denial of service; days

d. Denial of service; seconds

Answer: B

Difficulty: Hard


Section Ref: 5.3 Mobile, App, and Cloud Security

AACSB: Use of Information Technology

59. Most information security incidents will occur because of _________.

a. Increases in hacker skills and capabilities

b. Poorly designed network protection software

c. Increasing sophistication of computer viruses and worms

d. Users who do not follow secure computing practices and procedures

Answer: D

Difficulty: Hard

Section Ref: 5.3 Mobile, App, and Cloud Security

AACSB: Use of Information Technology

60. The Payment Card Industry Data Security Standard (PCI DSS) created by Visa, MasterCard, American Express, and Discover is a ____.

a. Set of standards required by U.S. and international law for protecting credit card transaction data.

b. Set of industry standards required for all online merchants that store, process, or transmit cardholder data.

c. Set of voluntary security guidelines for retailers who accept Visa, MasterCard, American Express, and Discover credit cards.

d. Set of regulations (that vary from state to state, and country to country) that apply to credit card companies.

Answer: B

Difficulty: Hard

Section Ref: 5.2 Cyber Risk Management

AACSB: Use of Information Technology

61. Social networks and cloud computing have increased vulnerabilities in all of the following ways except ________.

a. by providing a single point of failure and attack for organized criminal networks

b. In Twitter and Facebook, users invite in and build relationships with others. Cybercriminals hack into these trusted relationships using stolen logins.

c. Twitter’s use of service packs and patches have not been effective.

d. These networks and services increase exposure to risk because of the time-to-exploitation of today’s sophisticated spyware and mobile viruses.

Answer: C

Difficulty: Medium


Section Ref: 5.3 Mobile, App, and Cloud Security

AACSB: Use of Information Technology

62. Business operations are controlled by apps, systems, and networks that are so interconnected that anyone’s ________ is an entry point for attacks.

a. mobile device

b. botnet

c. BYOD

d. firewall

Answer: A

Difficulty: Medium

Section Ref: 5.3 Mobile, App, and Cloud Security

AACSB: Use of Information Technology

63. Voice and fingerprint _______ can significantly improve the security of physical devices and provide stronger authentication for remote access or cloud services.

a. cryptography

b. biometrics

c. encryption

d. visualization

Answer: B

Difficulty: Medium

Section Ref: 5.3 Mobile, App, and Cloud Security

AACSB: Use of Information Technology

64. Crime can be divided into two categories depending on the tactics used to carry out the crime: ________.

a. Fraud and felonies

b. Occupational and opportunistic

c. Lethal and misdemeanors

d. violent and nonviolent

Answer: D

Difficulty: Medium

Section Ref: 5.4 Defending Against Fraud

AACSB: Use of Information Technology


65. ________ are essential to the prevention and detection of occupational fraud.

a. Anti-malware and firewalls

b. Internal audits and internal controls

c. Encryption and IDS

d. AUPs

Answer: B

Difficulty: Medium

Section Ref: 5.4 Defending Against Fraud

AACSB: Use of Information Technology

66. The single-most effective fraud prevention tactic is making employees know that ________.

a. fraudsters will be fired

b. fraudsters will be forced to repay what they stole plus interest

c. fraud could destroy the company and jobs.

d. fraud will be detected by IT monitoring systems and punished by the legal system.

Answer: D

Difficulty: Medium

Section Ref: 5.4 Defending Against Fraud

AACSB: Ethical understanding and reasoning abilities


67. When it comes to fraud committed by an organization’s employees, the single most effective fraud prevention technique is _______.

a. Holding managers responsible for the actions of their employees

b. Peer monitoring (employees monitor each other)

c. Creating the perception that fraud will be detected and punished

d. A clearly written employee policy manual that explains unacceptable behaviors

Answer: C

Difficulty: Hard

Section Ref: 5.4 Defending Against Fraud

AACSB: Ethical understanding and reasoning abilities

68. ________ is the most cost-effective approach to fraud.

a. Detection

b. Lawsuits

c. Prevention

d. Prosecution

Answer: C

Difficulty: Medium

Section Ref: 5.4 Defending Against Fraud

AACSB: Ethical understanding and reasoning abilities

69. ___________ is a term referring to a variety of criminal behaviors perpetrated by an organization’s own employees or contractors.

a. Managerial corruption

b. Insider or internal fraud

c. Corporate fraud

d. Intentional fraud

Answer: B

Difficulty: Medium

Section Ref: 5.4 Defending Against Fraud

AACSB: Ethical understanding and reasoning abilities


70. When it comes to defending against employee fraud, regulators look favorably on companies that can demonstrate good __________ and best practices in operational risk management.

a. Corporate governance

b. Access to legal counsel

c. Relationships with security vendors

d. Awareness of industry standards

Answer: A

Difficulty: Hard

Section Ref: 5.4 Defending Against Fraud

AACSB: Ethical understanding and reasoning abilities

71. Detecting internal fraud has become sophisticated. Audit trails from key systems and personnel records are stored in data warehouses and subjected to __________ where things like excessive hours worked, unusual transactions, copying of huge amounts of data and other unusual patterns of behavior are identified.

a. Security audits

b. Pattern analysis

c. Behavior recognition scans

d. Anomaly detection analysis

Answer: D

Difficulty: Hard

Section Ref: 5.4 Defending Against Fraud

AACSB: Use of Information Technology
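Question 71 describes anomaly detection over audit trails and personnel records: excessive hours, unusual transaction volumes, bulk copying of data. The Python example below, added here and not part of the textbook or test bank, implements that detection over constructed weekly aggregates. It uses a median-based modified z-score rather than mean and standard deviation, because a single extreme insider inflates the mean and the standard deviation enough to hide inside them. The metric names, the threshold of 3.5 and the data are assumptions made for the example.

```python
import statistics
from typing import Dict, List

# Constructed weekly aggregates built from audit trails and personnel records.
# Eight employees behave normally; e09 works 78 hours, posts 410 transactions
# and copies 95 GB in one week.
WEEKLY_RECORDS: List[dict] = [
    {"employee": "e01", "hours": 40, "transactions": 118, "gb_copied": 1.2},
    {"employee": "e02", "hours": 42, "transactions": 125, "gb_copied": 0.9},
    {"employee": "e03", "hours": 38, "transactions": 110, "gb_copied": 1.5},
    {"employee": "e04", "hours": 45, "transactions": 130, "gb_copied": 1.1},
    {"employee": "e05", "hours": 41, "transactions": 122, "gb_copied": 1.3},
    {"employee": "e06", "hours": 39, "transactions": 115, "gb_copied": 0.8},
    {"employee": "e07", "hours": 44, "transactions": 128, "gb_copied": 1.4},
    {"employee": "e08", "hours": 40, "transactions": 120, "gb_copied": 1.0},
    {"employee": "e09", "hours": 78, "transactions": 410, "gb_copied": 95.0},
]
METRICS = ("hours", "transactions", "gb_copied")


def robust_z(population: List[float], x: float) -> float:
    """Modified z-score based on the median and the median absolute deviation.

    The mean and standard deviation are pulled toward the very outliers we
    are hunting; median and MAD are not, so one fraudster cannot hide by
    inflating the baseline.
    """
    med = statistics.median(population)
    mad = statistics.median(abs(v - med) for v in population)
    if mad == 0:
        return 0.0  # no spread at all: nothing can be called anomalous
    return 0.6745 * (x - med) / mad


def detect_anomalies(records: List[dict], threshold: float = 3.5) -> Dict[str, List[str]]:
    """Map employee -> metrics on which that employee is an upper outlier."""
    findings: Dict[str, List[str]] = {}
    for metric in METRICS:
        column = [r[metric] for r in records]
        for r in records:
            if robust_z(column, r[metric]) > threshold:
                findings.setdefault(r["employee"], []).append(metric)
    return findings


if __name__ == "__main__":
    print(detect_anomalies(WEEKLY_RECORDS))  # {'e09': ['hours', 'transactions', 'gb_copied']}
```

Only upper outliers are reported here because the question is about excess; an employee whose transaction count suddenly drops may also be worth a look, and the same function with the sign flipped would find them.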

72. People who have their social security or credit card numbers stolen and used by thieves are frequently victims of ___________________.

a. Insider fraud

b. Identity theft

c. Occupational corruption

d. Document sabotage

Answer: B

Difficulty: Hard

Section Ref: 5.4 Defending Against Fraud

AACSB: Use of Information Technology

73. Internal fraud prevention and detection measures are based on __________ and __________.

a. A detailed recovery plan; containment, including a fault-tolerant system

b. Perimeter defense technologies, such as e-mail scanners; human resource procedures, such as recruitment screening

c. General controls; application controls

d. Physical controls, including authorization; authentication systems

Answer: B

Difficulty: Hard

Section Ref: 5.4 Defending Against Fraud

AACSB: Use of Information Technology

74. The _ is an exercise that determines the impact of losing the support or availability of a resource.

a. Business impact analysis (BIA)

b. Vulnerability audit

c. Asset valuation audit

d. Computing Cost/Benefit (CCB) audit

Answer: A

Difficulty: Medium

Section Ref: 5.5: Compliance and Internal Control

AACSB: Use of Information Technology

75. The cybersecurity defense strategy and controls that should be used depend on __.

a. The source of the threat

b. Industry regulations regarding protection of sensitive data

c. What needs to be protected and the cost-benefit analysis

d. The available IT budget

Answer: C

Difficulty: Medium

Section Ref: 5.5: Compliance and Internal Control

AACSB: Use of Information Technology

76. A defense strategy requires several controls. _________are established to protect the system regardless of the specific application.

a. Application controls

b. Physical controls

c. General controls

d. Authentication controls

Answer: C

Difficulty: Medium

Section Ref: 5.5: Compliance and Internal Control

AACSB: Use of Information Technology

77. A defense strategy requires several controls. ___________ protect computer facilities and resources such as computers, data centers, software, manuals, and networks.

a. Application controls

b. Physical controls

c. General controls

d. Authentication controls

Answer: B

Difficulty: Medium

Section Ref: 5.5 Compliance and Internal Control

AACSB: Use of Information Technology

78. Physical security includes several controls. Which of the following is not a type of physical control?

a. Security bonds or malfeasance insurance for key employees

b. Emergency power shutoff and backup batteries

c. Shielding against electromagnetic fields

d. Properly designed and maintained air-conditioning systems

Answer: A

Difficulty: Medium

Section Ref: 5.5: Compliance and Internal Control

AACSB: Use of Information Technology

79. Which of the following is not a type of administrative control for information assurance and risk management?

a. Fostering company loyalty

b. Immediately revoking access privileges of dismissed, resigned, or transferred employees

c. Instituting separation of duties by dividing sensitive computer duties among as many employees as economically feasible

d. Performing authorization and authentication

Answer: D

Difficulty: Medium

Section Ref: 5.5: Compliance and Internal Control

AACSB: Use of Information Technology

80. The internal control environment is the work atmosphere that a company sets for its employees and is designed to achieve all of the following except _________.

a. Reliability of financial reporting

b. Secure decision making

c. Compliance with laws

d. Compliance with regulations and policies

Answer: B

Difficulty: Hard

Section Ref: 5.5: Compliance and Internal Control

AACSB: Use of Information Technology

81. All of the following describe The Sarbanes-Oxley Act except:

a. Is an antifraud law

b. Forces more accurate business reporting and disclosure of GAAP (generally accepted accounting principles) violations.

c. Makes it necessary to find and root out fraud.

d. Has been adopted by all countries in North America and the European Union

Answer: D

Difficulty: Medium

Section Ref: 5.5: Compliance and Internal Control

AACSB:

82. An audit is an important part of any control system. Which of the following is not a question that would typically be asked as part of an information systems audit?

a. Are there sufficient controls in the system? Which areas are not covered by controls?

b. Are the controls effective and implemented properly?

c. What is the ROI associated with system controls?

d. Are there procedures to ensure reporting and corrective actions in case of violations of controls?

Answer: C

Difficulty: Hard

Section Ref: 5.5 Compliance and Internal Control

AACSB: Use of Information Technology

True/False

1. The consequences of lax cybersecurity include damaged reputations, financial penalties, government fines, lost market share, falling share prices, and consumer backlash.

Answer: True

Difficulty: Easy

Section Ref: 5.1 The Face and Future of Cyberthreats

AACSB: Dynamics of the global economy

2. The main cause of a data breach is malware, but the reason hacking is so successful is negligence: management not doing enough to defend against cyberthreats.

Answer: False

Difficulty: Medium

Section Ref: 5.1 The Face and Future of Cyberthreats

AACSB: Reflective thinking

3. Robust data security is the responsibility of IT and data managers.

Answer: False

Difficulty: Medium

Section Ref: 5.1 The Face and Future of Cyberthreats

AACSB: Use of Information Technology

4. Countering cyber-threats demands diligence, determination, and investment.

Answer: True

Difficulty: Medium

Section Ref: 5.1 The Face and Future of Cyberthreats

AACSB: Use of Information Technology

5. Cyber-security experts warn that battling distributed denial-of-service and malware attacks has become part of everyday business for all organizations.

Answer: True

Difficulty: Medium

Section Ref: 5.1 The Face and Future of Cyberthreats

AACSB: Use of Information Technology

6. Managers should expect less tolerant regulators and greater fines and negative consequences for data breaches, according to KPMG.

Answer: True

Difficulty: Medium

Section Ref: 5.1 The Face and Future of Cyberthreats

AACSB: Use of Information Technology

7. Powerful IT security systems are needed to defend against what appears to be authorized access to a network or application.

Answer: False

Difficulty: Medium

Section Ref: 5.1 The Face and Future of Cyberthreats

AACSB: Use of Information Technology

8. It is often easy to get users to infect their corporate network or mobiles by tricking them into downloading and installing malicious apps or backdoors.

Answer: True

Difficulty: Medium

Section Ref: 5.1 The Face and Future of Cyberthreats

AACSB: Use of Information Technology

9. When an employee’s device is lost, the company can suffer a data breach if the device is not encrypted.

Answer: True

Difficulty: Medium

Section Ref: 5.1 The Face and Future of Cyberthreats

AACSB: Dynamics of the global economy

10. Since protecting all data at an equally high level is not practical, cybersecurity strategies need to classify and prioritize defenses.

Answer: True

Difficulty: Medium

Section Ref: 5.1 The Face and Future of Cyberthreats

AACSB: Dynamics of the global economy

11. Botnets are stealth network attacks in which an unauthorized person gains access to a network and remains undetected for a long time to steal data continuously.

Answer: False

Difficulty: Medium

Section Ref: 5.1 The Face and Future of Cyberthreats

AACSB: Use of Information Technology

12. Most data breaches go unreported, according to cybersecurity experts, because corporate victims fear that disclosure would damage their stock price, or because they never knew they were hacked in the first place.

Answer: True

Difficulty: Medium

Section Ref: 5.1 The Face and Future of Cyberthreats

AACSB: Use of Information Technology

13. The smart strategy is to invest more to protect the company’s most valuable assets rather than try to protect all assets equally.

Answer: True

Difficulty: Easy

Section Ref: 5.2 Cyber Risk Management

AACSB: Use of Information Technology

14. Exploits are gaps, holes, weaknesses, or flaws in corporate networks, IT security defenses, user training, policy enforcement, data storage, software, operating systems, apps, or mobile devices that expose an organization to intrusions or other attacks.

Answer: False

Difficulty: Medium

Section Ref: 5.2 Cyber Risk Management

AACSB: Use of Information Technology

15. Vulnerabilities exist in networks, OSs, apps, databases, mobile devices, and cloud environments. These vulnerabilities are attack vectors for malware, hackers, hactivists, and organized crime.

Answer: True

Difficulty: Medium

Section Ref: 5.2 Cyber Risk Management

AACSB: Use of Information Technology

16. Risk is the probability of a threat successfully exploiting a vulnerability and the estimated cost of the loss or damage.

Answer: True

Difficulty: Medium

Section Ref: 5.2 Cyber Risk Management

AACSB: Use of Information Technology

17. Hacking is an industry with its own way of operating, a workforce, and support services, such as contract hackers.

Answer: True

Difficulty: Easy

Section Ref: 5.2 Cyber Risk Management

AACSB: Use of Information Technology

18. Firewalls and intrusion detection systems (IDS) mostly protect against internal threats.

Answer: False

Difficulty: Medium

Section Ref: 5.2 Cyber Risk Management

AACSB: Use of Information Technology

19. Phishing is a deceptive method of stealing confidential information by pretending to be a legitimate organization, such as PayPal, a bank, credit card company, or other trusted source.

Answer: True

Difficulty: Medium

Section Ref: 5.2 Cyber Risk Management

AACSB: Use of Information Technology

20. Online gambling offers easy fronts for international money-laundering operations.

Answer: True

Difficulty: Medium

Section Ref: 5.2 Cyber Risk Management

AACSB: Use of Information Technology

21. Hardware and software security defenses are important because they protect against irresponsible business practices.

Answer: False

Difficulty: Medium

Section Ref: 5.2 Cyber Risk Management

AACSB: Use of Information Technology

22. One of the biggest mistakes managers make is underestimating IT vulnerabilities and threats.

Answer: True

Difficulty: Easy

Section Ref: 5.2 Cyber Risk Management

AACSB: Use of Information Technology

23. Most viruses, trojans, and worms are activated when an attachment is opened or a link is clicked.

Answer: True

Difficulty: Medium

Section Ref: 5.2 Cyber Risk Management

AACSB: Use of Information Technology

24. When a host computer is infected, attempts to remove the malware may fail and the malware may reinfect the host during a restore if the malware is captured in backups or archives.

Answer: True

Difficulty: Medium

Section Ref: 5.2 Cyber Risk Management

AACSB: Use of Information Technology

25. Botnets often target select groups of people with something in common: they work at the same company, bank at the same financial institution, or attend the same university.

Answer: False

Difficulty: Medium

Section Ref: 5.2 Cyber Risk Management

AACSB: Use of Information Technology

26. Social networks and cloud computing increase vulnerabilities by providing a single point of failure and attack for organized criminal networks.

Answer: True

Difficulty: Medium

Section Ref: 5.3 Mobile, App, and Cloud Security

AACSB: Use of Information Technology

27. Enterprises take risks with BYOD practices that they never would consider taking with conventional computing devices.

Answer: True

Difficulty: Medium

Section Ref: 5.3 Mobile, App, and Cloud Security

AACSB: Use of Information Technology

28. According to a Mobile Phone report, 17 rogue apps managed to get into Google Play and they were downloaded over 700,000 times before being removed. Rogue mobile apps can contain malware or launch phishing attacks.

Answer: True

Difficulty: Medium

Section Ref: 5.3 Mobile, App, and Cloud Security

AACSB: Use of Information Technology

29. Fraudsters carry out their crime by threatening others and by taking advantage of their fears of job loss or disciplinary action.

Answer: False

Difficulty: Medium

Section Ref: 5.4 Defending Against Fraud

AACSB: Use of Information Technology

30. During the fraud investigation of Bernie Madoff, computer forensics experts were tasked with uncovering digital messages that revealed “who knew what” and “who did what.”

Answer: True

Difficulty: Medium

Section Ref: 5.4 Defending Against Fraud

AACSB: Use of Information Technology

31. Internal fraud prevention measures are based on the same controls used to prevent external intrusions: perimeter defense technologies, such as firewalls, e-mail scanners, and biometric access.

Answer: True

Difficulty: Medium

Section Ref: 5.4 Defending Against Fraud

AACSB: Use of Information Technology

32. SOX and the SEC regulators are making it clear that if controls can be ignored, there is no control. Therefore, fraud prevention and detection require an effective monitoring system.

Answer: True

Difficulty: Medium

Section Ref: 5.5 Compliance and Internal Control

AACSB: Use of Information Technology

33. Approximately 25 percent of occupational fraud could have been prevented if proper IT-based internal controls had been designed, implemented, and followed.

Answer: False

Difficulty: Medium

Section Ref: 5.5 Compliance and Internal Control

AACSB: Use of Information Technology

34. Detection and damage containment are the most desirable fraud controls.

Answer: False

Difficulty: Medium

Section Ref: 5.5 Compliance and Internal Control

AACSB: Use of Information Technology

35. A biometric control is an automated method of verifying the identity of a person, based on physical or behavioral characteristics.

Answer: True

Difficulty: Medium

Section Ref: 5.5 Compliance and Internal Control

AACSB: Use of Information Technology

36. A business impact analysis estimates the consequences of disruption of a business function and collects data to develop recovery strategies.

Answer: True

Difficulty: Medium

Section Ref: 5.5 Compliance and Internal Control

AACSB: Use of Information Technology

Short Answer

1. The practice of people bringing and using their own mobile devices for work purposes is called __________.

Answer: Bring your own device (BYOD)

Difficulty: Easy

Section Ref: 5.1 The Face and Future of Cyberthreats

AACSB: Use of Information Technology

2. _ tactics are used by hackers and corporate spies to trick people into revealing login information or access codes.

Answer: Social engineering

Difficulty: Medium

Section Ref: 5.1 The Face and Future of Cyberthreats

AACSB: Use of Information Technology

3. A stealth network attack in which an unauthorized person gains access to a network and remains undetected for a long time is referred to as a(n) _____ attack.

Answer: Advanced Persistent Threat (APT)

Difficulty: Medium

Section Ref: 5.1 The Face and Future of Cyberthreats

AACSB: Use of Information Technology

4. One source of cybersecurity threats today are _____________, who hack for their own causes and attempt to gain media attention.

Answer: Hacktivists

Difficulty: Easy

Section Ref: 5.1 The Face and Future of Cyberthreats

AACSB: Use of Information Technology

5. _________________ is a type of attack where a web site or network is bombarded with traffic to make it crash.

Answer: Distributed denial of service (DDoS)

Difficulty: Medium

Section Ref: 5.1 The Face and Future of Cyberthreats

AACSB: Use of Information Technology

6. In Cybersecurity terminology, a(n) __________is defined as something or someone that may result in harm to an asset.

Answer: threat

Difficulty: Medium

Section Ref: 5.2 Cyber Risk Management

AACSB: Use of Information Technology

7. In Cybersecurity terminology, a(n) __________ is defined as a weakness that threatens the confidentiality, integrity, or availability of an asset.

Answer: vulnerability

Difficulty: Medium

Section Ref: 5.2 Cyber Risk Management

AACSB: Use of Information Technology

8. In Cybersecurity terminology, a(n) _____________ is defined as the probability of a threat exploiting a vulnerability and the resulting cost.

Answer: Risk

Difficulty: Medium

Section Ref: 5.2 Cyber Risk Management

AACSB: Use of Information Technology

9. In Cybersecurity terminology, a(n) ____________ is defined as the estimated cost, loss, or damage that can result from an exploited vulnerability.

Answer: Exposure

Difficulty: Medium

Section Ref: 5.2 Cyber Risk Management

AACSB: Use of Information Technology

10. In Cybersecurity terminology, a(n) __________ is defined as a tool or technique that takes advantage of a vulnerability.

Answer: Exploit

Difficulty: Medium

Section Ref: 5.2 Cyber Risk Management

AACSB: Use of Information Technology

11. When sending sensitive email, James uses a program that transforms data into scrambled code to protect it from being understood by unauthorized users. James is using ___________ to protect his email communications.

Answer: Encryption

Difficulty: Easy

Section Ref: 5.2 Cyber Risk Management

AACSB: Use of Information Technology

12. In the United States, the Sarbanes–Oxley Act (SOX), Gramm-Leach-Bliley Act (GLB), Federal Information Security Management Act (FISMA), and USA Patriot Act all require businesses to protect PII, which stands for _______________.

Answer: Personally identifiable information

Difficulty: Medium

Section Ref: 5.2 Cyber Risk Management

AACSB: Use of Information Technology

13. Access to top secret or highly secure networks associated with Homeland Security or national defense often use authentication methods based on a biological feature, such as a fingerprint or retina, to identify a person. These methods are called ____________.

Answer: biometrics

Difficulty: Medium

Section Ref: 5.3 Mobile, App, and Cloud Security

AACSB: Use of Information Technology

14. _______ are software programs that users download and install to fix a vulnerability.

Answer: Patches

Difficulty: Easy

Section Ref: 5.3 Mobile, App, and Cloud Security

AACSB: Use of Information Technology

15. __________ are designed to monitor network traffic and identify threats that may have breached the network's initial defenses.

Answer: Intrusion Detection Systems (IDS)

Difficulty: Medium

Section Ref: 5.3 Mobile, App, and Cloud Security

AACSB: Use of Information Technology

16. __________ is the elapsed time between when a vulnerability in a software app or system is discovered and when it is exploited.

Answer: Time-to-exploitation

Difficulty: Hard

Section Ref: 5.3 Mobile, App, and Cloud Security

AACSB: Use of Information Technology

17. Malware infected computers can be organized into networks called ________.

Answer: Botnets

Difficulty: Easy

Section Ref: 5.2 Mobile, App, and Cloud Security

AACSB: Use of Information Technology

18. ___ is a term referring to a variety of deceptive behaviors perpetrated by an organization’s own employees or contractors.

Answer: Insider or internal fraud

Difficulty: Medium

Section Ref: 5.4 Defending Against Fraud

AACSB: Use of Information Technology

19. When it comes to reducing employee fraud, regulators look favorably on companies that can demonstrate good __________ and best practice operational risk management.

Answer: Corporate governance

Difficulty: Medium

Section Ref: 5.4 Defending Against Fraud

AACSB: Use of Information Technology

20. __________ detection identifies things like excessive hours worked, unusual transactions, copying of huge amounts of data and other unusual patterns of behavior, and uses them to alert IT managers to the possibility of internal fraud.

Answer: Anomaly

Difficulty: Hard

Section Ref: 5.4 Defending Against Fraud

AACSB: Use of Information Technology

21. The SEC and FTC impose huge fines for __________ in order to deter companies from under-investing in data protection.

Answer: Data breaches

Difficulty: Medium

Section Ref: 5.5 Compliance and Internal Control

AACSB:

22. Indicators of fraud are called __________.

Answer: red flags

Difficulty: Medium

Section Ref: 5.4 Defending Against Fraud

AACSB: Use of Information Technology

23. __________ is a process designed to achieve reliable financial reporting in order to protect investors and comply with regulations.

Answer: Internal control

Difficulty: Medium

Section Ref: 5.5 Compliance and Internal Control

AACSB: Use of Information Technology

24. __________ controls can verify a user’s identity, which creates the problem of privacy invasion.

Answer: Biometric

Difficulty: Medium

Section Ref: 5.5 Compliance and Internal Control

AACSB: Use of Information Technology

25. A __________ estimates the consequences of disruption of a business function and collects data to develop recovery strategies.

Answer: business impact analysis (BIA)

Difficulty: Medium

Section Ref: 5.5 Compliance and Internal Control

AACSB: Use of Information Technology

Essay Questions

1. Define social engineering. Describe two ways in which social engineering could be used to obtain credentials from a user in order to gain access to an account or network.

Answer:

Social engineering tactics are used by hackers and corporate spies to trick people into revealing login information or access codes.

Answers to the second question will vary. For example, students could describe phishing tactics or other methods to motivate users to click a link or download an app that is infected.

Difficulty: Medium

Section Ref: 5.1 The Face and Future of Cyberthreats

AACSB: Use of Information Technology

2. Why are internal threats a major challenge for organizations? How can internal threats be minimized?

Answer:

Threats from employees, referred to as internal threats, are a major challenge largely due to the many ways an employee can carry out malicious activity. Insiders may be able to bypass physical security (e.g., locked doors) and technical security (e.g., passwords) measures that organizations have in place to prevent unauthorized access. Why? Because defenses such as firewalls, intrusion detection systems (IDS), and locked doors mostly protect against external threats.

Insider incidents can be minimized with a layered defense strategy consisting of security procedures, acceptable use policies, and technology controls.

Difficulty: Medium

Section Ref: 5.2 Cyber Risk Management

AACSB: Use of Information Technology

3. Describe spear phishing. How does spear phishing work?

Answer:

Spear phishers often target select groups of people with something in common: they work at the same company, bank at the same financial institution, or attend the same university. The scam emails appear to be sent from organizations or people the potential victims normally receive emails from, making them even more deceptive. Here is how spear phishing works:

1. Spear phish creators gather information about people’s companies and jobs from social media or steal it from computers and mobile devices. Then they use the information to customize messages that trick users into opening an infected e-mail.

2. Then they send e-mails that look like the real thing to targeted victims, offering all sorts of urgent and legitimate-sounding explanations as to why they need your personal data.

3. Finally, the victims are asked to click on a link inside the e-mail that takes them to a phony but realistic-looking website, where they are asked to provide passwords, account numbers, user IDs, access codes, PINs, and so on.

Difficulty: Hard

Section Ref: 5.2 Cyber Risk Management

AACSB: Use of Information Technology

4. Discuss how social networks and cloud computing increase IT security risks. How do you recommend that the risks be reduced?

Answer:

Answers will vary.

Social networks and cloud computing increase vulnerabilities by providing a single point of failure and attack. Critical, sensitive, and private information is at risk, and like previous IT trends, such as wireless networks, the goal is connectivity, often with little concern for security.

As social networks increase their services, the gap between services and cybersecurity also increases. E-mail viruses and malware have been declining for years as e-mail security has improved. This trend continues as communication shifts to social networks and newer smartphones. Unfortunately, malware finds its way to users through security vulnerabilities in these new services and devices. Web filtering, user education, and strict policies are necessary to help prevent widespread outbreaks. In Twitter and Facebook, users invite in and build relationships with others. Cybercriminals hack into these trusted relationships using stolen logins. Fake antivirus and other attacks that take advantage of user trust are very difficult to detect.

Difficulty: Medium

Section Ref: 5.3 Mobile, App, and Cloud Security

AACSB: Use of Information Technology

5. Explain internal fraud. Describe the most effective approach to preventing it.

Answer:

Internal fraud refers to the deliberate misuse of the assets of one’s employer for personal gain. Internal audits and internal controls are essential to the prevention and detection of occupational fraud.

The single-most-effective fraud prevention technique is the perception of detection and punishment. If a company shows its employees that it can find out everything that every employee does and will prosecute to the fullest extent anyone who commits fraud, then the feeling that “I can get away with it” drops drastically. In addition, companies may use a combination of defenses including intelligent analysis, audit trails, and anomaly detection.

Difficulty: Hard

Section Ref: 5.4 Defending Against Fraud

AACSB: Use of Information Technology