Solution and Answer Guide
COMPTIA SECURITY+ GUIDE TO NETWORK SECURITY FUNDAMENTALS 8TH EDITION 2025 BY MARK
CIAMPA
CHAPTER 1-15
MODULE 1: INTRODUCTION TO INFORMATION SECURITY
TABLE OF CONTENTS
Review Questions ........................................................................................................................................ 1
Hands-On Projects ...................................................................................................................................... 6
Hands-On Project 1-1: Examine Data Breaches - Visual ......................................................................... 6
Hands-On Project 1-2: Configure Microsoft Windows Sandbox ............................................................. 6
Hands-On Project 1-3: Are You a Victim? ............................................................................................... 7
Case Project ................................................................................................................................................. 7
Case Project 1-1: #TrendingCyber ............................................................................................................ 7
Case Project 1-2: Personal Attack Experience .......................................................................................... 8
Case Project 1-3: Security Podcasts or Video Series ................................................................................ 8
Case Project 1-4: Sources of Security Information ................................................................................... 8
Case Project 1-5: Career Information Security ......................................................................................... 9
Case Project 1-6: Bay Point Ridge Security ............................................................................................. 9
Activity Rubric ............................................................................................................................................ 9
REVIEW QUESTIONS
1. Vittoria is working on her computer information systems degree at a local college and has started researching
information security positions. Because she has no prior experience, which of the following positions would
Vittoria most likely be offered?
A. Security administrator
B. Security technician
C. Security officer
D. Security manager
Answer: B. Security technician
Explanation: A security technician position is generally an entry-level position for a person who has the
necessary technical skills. Technicians provide technical support to configure security hardware, implement
security software, and diagnose and troubleshoot problems.
© 2022 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible 1
website, in whole or in part.
,2. Which of the following is false about the CompTIA Security+ certification?
A. Security+ is one of the most widely acclaimed security certifications.
B. Security+ is internationally recognized as validating a foundation level of security skills and knowledge.
C. The Security+ certification is a vendor-neutral credential.
D. Professionals who hold the Security+ certification earn about the same or slightly less than security
professionals who have not achieved this certification.
Answer: D. Professionals who hold the Security+ certification earn about the same or slightly less than security
professionals who have not achieved this certification.
Explanation: When hiring workers for cybersecurity positions, an overwhelming majority of enterprises use
the Computing Technology Industry Association (CompTIA) Security+ certification to verify security
competency. Of the hundreds of security certifications currently available, Security+ is one of the most widely
acclaimed security certifications. Because it is internationally recognized as validating a foundation level of
security skills and knowledge, the Security+ certification has become the security baseline for today‘s IT
security professionals.
3. Ginevra is explaining to her roommate the relationship between security and convenience. Which statement
most accurately indicates this relationship?
A. Security and convenience are directly proportional.
B. Security and convenience have no relationship.
C. Any proportions between security and convenience depends on the type of attack.
D. Security and convenience are inversely proportional.
Answer: D. Security and convenience are inversely proportional.
Explanation: It is important to understand the relationship between security and convenience. The relationship
between these two is not directly proportional (as security is increased, convenience is increased) but, instead, it
is completely the opposite, known as inversely proportional (as security is increased, convenience is decreased).
4. Serafina is studying to take the Security+ certification exam. Which of the following of the CIA elements
ensures that only authorized parties can view protected information?
A. Confidentiality
B. Integrity
C. Availability
D. Credentiality
Answer: A. Confidentiality
Explanation: It is important that only approved individuals are able to access sensitive information. For example,
the credit card number used to make an online purchase must be kept secure and not made available to other parties.
Confidentiality ensures that only authorized parties can view the information. Providing confidentiality can involve
several different security tools, ranging from software to encrypt the credit card number stored on the web server to
door locks to prevent access to those servers.
5. Which of the following AAA elements is applied immediately after a user has logged into a computer with their
username and password?
A. Authentication
B. Authorization
C. Identification
© 2022 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible 2
website, in whole or in part.
, D. Recording
Answer: B. Authorization
Explanation: Authorization, granting permission to take an action, is the next step after authentication. Once users
have presented their identification and been authenticated, they can log in to a computer system. Computer users are
granted access only to the specific services, devices, applications, and files needed to perform their job duties.
6. Gia has been asked to enhance the security awareness training workshop for new hires. Which category of
security control would Gia be using?
A. Managerial
B. Technical
C. Operational
D. Physical
Answer: C. Operational
Explanation: Operational controls are implemented and executed by people. One example is conducting workshops
to help train users to identify and delete suspicious messages.
7. Which specific type of control is intended to mitigate (lessen) damage caused by an attack?
A. Corrective control
B. Compensating control
C. Preventive control
D. Restrictive control
Answer: A. Corrective control
Explanation: A control that is intended to mitigate or lessen the damage caused by the incident is called a corrective
control.
8. Which control is designed to ensure that a particular outcome is achieved by providing incentives?
A. Deterrent control
B. Incentive control
C. Detective control
D. Directive control
Answer: D. Directive control
Explanation: A directive control is designed to ensure that a particular outcome is achieved. One type of directive
control is an incentive, which is the ―carrot‖ instead of the ―stick.‖ Incentives are often overlooked as a control, but
they can be very powerful.
9. Which of the following controls is NOT implemented before an attack occurs?
A. Detective control
B. Deterrent control
C. Preventive control
D. Directive control
Answer: A. Detective control
Explanation: A detective control is used to identify an attack and occurs during an attack.
© 2022 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible 3
website, in whole or in part.
, 10. Complete this definition of information security: That which protects the integrity, confidentiality, and
availability of information _____.
A. on electronic digital devices and limited analog devices that can connect via the Internet or through a local
area network
B. through a long-term process that results in ultimate security
C. using both open-sourced as well as supplier-sourced hardware and software that interacts appropriately
with limited resources
D. through products, people, and procedures on the devices that store, manipulate, and transmit the
information
Answer: D. through products, people, and procedures on the devices that store, manipulate, and transmit the
information.
Explanation: Information security may be defined as that which protects the integrity, confidentiality, and
availability of information through products, people, and procedures on the devices that store, manipulate, and
transmit the information.
11. Which of the following groups have the lowest level of technical knowledge for carrying out cyberattacks?
A. Unskilled attackers
B. Hacktivists
C. Nation-state actors
D. Organized crime
Answer: A. Unskilled attackers
Explanation: Individuals who want to perform attacks yet lack the technical knowledge to carry out these attacks
are sometimes called unskilled attackers.
12. Ilaria is explaining to her parents why information security is the preferred term when talking about security in
the enterprise. Which of the following would Ilaria NOT say?
A. Cybersecurity usually involves a range of practices, processes, and technologies intended to protect
devices, networks, and programs that process and store data in an electronic form.
B. In a business information may be in any format, from electronic files to paper documents.
C. Cybersecurity is a subset of information security.
D. Information security protects ―processed data‖ or information.
Answer: C. Cybersecurity is a subset of information security.
Explanation: Cybersecurity is considered an overall umbrella term under which information security is found.
13. Which of the following is not considered an attribute of threat actors?
A. Level of sophistication/capability
B. Educated/uneducated
C. Resources/funding
D. Internal/external
Answer: B. Educated/uneducated
Explanation: The attributes, or characteristic features, of the different groups of threat actors vary widely. Some
groups have a high level of power and complexity (called level of sophistication/capability) and have a massive
network of resources, while others are ―lone wolves‖ with minimal skills and no resources. In addition, some groups
© 2022 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible 4
website, in whole or in part.
COMPTIA SECURITY+ GUIDE TO NETWORK SECURITY FUNDAMENTALS 8TH EDITION 2025 BY MARK
CIAMPA
CHAPTER 1-15
MODULE 1: INTRODUCTION TO INFORMATION SECURITY
TABLE OF CONTENTS
Review Questions ........................................................................................................................................ 1
Hands-On Projects ...................................................................................................................................... 6
Hands-On Project 1-1: Examine Data Breaches - Visual ......................................................................... 6
Hands-On Project 1-2: Configure Microsoft Windows Sandbox ............................................................. 6
Hands-On Project 1-3: Are You a Victim? ............................................................................................... 7
Case Project ................................................................................................................................................. 7
Case Project 1-1: #TrendingCyber ............................................................................................................ 7
Case Project 1-2: Personal Attack Experience .......................................................................................... 8
Case Project 1-3: Security Podcasts or Video Series ................................................................................ 8
Case Project 1-4: Sources of Security Information ................................................................................... 8
Case Project 1-5: Career Information Security ......................................................................................... 9
Case Project 1-6: Bay Point Ridge Security ............................................................................................. 9
Activity Rubric ............................................................................................................................................ 9
REVIEW QUESTIONS
1. Vittoria is working on her computer information systems degree at a local college and has started researching
information security positions. Because she has no prior experience, which of the following positions would
Vittoria most likely be offered?
A. Security administrator
B. Security technician
C. Security officer
D. Security manager
Answer: B. Security technician
Explanation: A security technician position is generally an entry-level position for a person who has the
necessary technical skills. Technicians provide technical support to configure security hardware, implement
security software, and diagnose and troubleshoot problems.
© 2022 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible 1
website, in whole or in part.
,2. Which of the following is false about the CompTIA Security+ certification?
A. Security+ is one of the most widely acclaimed security certifications.
B. Security+ is internationally recognized as validating a foundation level of security skills and knowledge.
C. The Security+ certification is a vendor-neutral credential.
D. Professionals who hold the Security+ certification earn about the same or slightly less than security
professionals who have not achieved this certification.
Answer: D. Professionals who hold the Security+ certification earn about the same or slightly less than security
professionals who have not achieved this certification.
Explanation: When hiring workers for cybersecurity positions, an overwhelming majority of enterprises use
the Computing Technology Industry Association (CompTIA) Security+ certification to verify security
competency. Of the hundreds of security certifications currently available, Security+ is one of the most widely
acclaimed security certifications. Because it is internationally recognized as validating a foundation level of
security skills and knowledge, the Security+ certification has become the security baseline for today‘s IT
security professionals.
3. Ginevra is explaining to her roommate the relationship between security and convenience. Which statement
most accurately indicates this relationship?
A. Security and convenience are directly proportional.
B. Security and convenience have no relationship.
C. Any proportions between security and convenience depends on the type of attack.
D. Security and convenience are inversely proportional.
Answer: D. Security and convenience are inversely proportional.
Explanation: It is important to understand the relationship between security and convenience. The relationship
between these two is not directly proportional (as security is increased, convenience is increased) but, instead, it
is completely the opposite, known as inversely proportional (as security is increased, convenience is decreased).
4. Serafina is studying to take the Security+ certification exam. Which of the following of the CIA elements
ensures that only authorized parties can view protected information?
A. Confidentiality
B. Integrity
C. Availability
D. Credentiality
Answer: A. Confidentiality
Explanation: It is important that only approved individuals are able to access sensitive information. For example,
the credit card number used to make an online purchase must be kept secure and not made available to other parties.
Confidentiality ensures that only authorized parties can view the information. Providing confidentiality can involve
several different security tools, ranging from software to encrypt the credit card number stored on the web server to
door locks to prevent access to those servers.
5. Which of the following AAA elements is applied immediately after a user has logged into a computer with their
username and password?
A. Authentication
B. Authorization
C. Identification
© 2022 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible 2
website, in whole or in part.
, D. Recording
Answer: B. Authorization
Explanation: Authorization, granting permission to take an action, is the next step after authentication. Once users
have presented their identification and been authenticated, they can log in to a computer system. Computer users are
granted access only to the specific services, devices, applications, and files needed to perform their job duties.
6. Gia has been asked to enhance the security awareness training workshop for new hires. Which category of
security control would Gia be using?
A. Managerial
B. Technical
C. Operational
D. Physical
Answer: C. Operational
Explanation: Operational controls are implemented and executed by people. One example is conducting workshops
to help train users to identify and delete suspicious messages.
7. Which specific type of control is intended to mitigate (lessen) damage caused by an attack?
A. Corrective control
B. Compensating control
C. Preventive control
D. Restrictive control
Answer: A. Corrective control
Explanation: A control that is intended to mitigate or lessen the damage caused by the incident is called a corrective
control.
8. Which control is designed to ensure that a particular outcome is achieved by providing incentives?
A. Deterrent control
B. Incentive control
C. Detective control
D. Directive control
Answer: D. Directive control
Explanation: A directive control is designed to ensure that a particular outcome is achieved. One type of directive
control is an incentive, which is the ―carrot‖ instead of the ―stick.‖ Incentives are often overlooked as a control, but
they can be very powerful.
9. Which of the following controls is NOT implemented before an attack occurs?
A. Detective control
B. Deterrent control
C. Preventive control
D. Directive control
Answer: A. Detective control
Explanation: A detective control is used to identify an attack and occurs during an attack.
© 2022 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible 3
website, in whole or in part.
, 10. Complete this definition of information security: That which protects the integrity, confidentiality, and
availability of information _____.
A. on electronic digital devices and limited analog devices that can connect via the Internet or through a local
area network
B. through a long-term process that results in ultimate security
C. using both open-sourced as well as supplier-sourced hardware and software that interacts appropriately
with limited resources
D. through products, people, and procedures on the devices that store, manipulate, and transmit the
information
Answer: D. through products, people, and procedures on the devices that store, manipulate, and transmit the
information.
Explanation: Information security may be defined as that which protects the integrity, confidentiality, and
availability of information through products, people, and procedures on the devices that store, manipulate, and
transmit the information.
11. Which of the following groups have the lowest level of technical knowledge for carrying out cyberattacks?
A. Unskilled attackers
B. Hacktivists
C. Nation-state actors
D. Organized crime
Answer: A. Unskilled attackers
Explanation: Individuals who want to perform attacks yet lack the technical knowledge to carry out these attacks
are sometimes called unskilled attackers.
12. Ilaria is explaining to her parents why information security is the preferred term when talking about security in
the enterprise. Which of the following would Ilaria NOT say?
A. Cybersecurity usually involves a range of practices, processes, and technologies intended to protect
devices, networks, and programs that process and store data in an electronic form.
B. In a business information may be in any format, from electronic files to paper documents.
C. Cybersecurity is a subset of information security.
D. Information security protects ―processed data‖ or information.
Answer: C. Cybersecurity is a subset of information security.
Explanation: Cybersecurity is considered an overall umbrella term under which information security is found.
13. Which of the following is not considered an attribute of threat actors?
A. Level of sophistication/capability
B. Educated/uneducated
C. Resources/funding
D. Internal/external
Answer: B. Educated/uneducated
Explanation: The attributes, or characteristic features, of the different groups of threat actors vary widely. Some
groups have a high level of power and complexity (called level of sophistication/capability) and have a massive
network of resources, while others are ―lone wolves‖ with minimal skills and no resources. In addition, some groups
© 2022 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible 4
website, in whole or in part.
