Risk management is where Security+ stops feeling like a hacker movie and starts feeling like a real security job. Nobody has infinite money, infinite time, or infinite authority. The exam wants to know whether you can look at a messy business scenario and choose the control that reduces risk without pretending the company can fix everything by Friday.
Use these Security+ risk management practice questions to drill the pattern: identify the asset, threat, vulnerability, impact, likelihood, risk response, and business constraint. Pick an answer before reading the explanation. If you can explain why the wrong answers are wrong, you are studying the right way.
For broader prep, pair this with the Security+ study plan template, Security+ access control practice questions, and Security+ phishing practice questions.
Quick answer: what Security+ risk questions usually test
Most risk questions are not asking you to be dramatic. They are asking you to choose a reasonable business-safe response.
| Scenario clue | Concept to think about |
|---|---|
| You can reduce but not remove the risk | Mitigation |
| You buy insurance or outsource part of the exposure | Transference |
| You stop doing the risky activity | Avoidance |
| Leadership knowingly lives with the risk | Acceptance |
| Vendor gets access to systems or data | Third-party risk management |
| Numbers compare business damage | Impact, likelihood, and risk rating |
| Control exists but nobody checks it | Audit, review, or continuous monitoring |
| System is critical but vulnerable | Prioritize by business impact and exploitability |
A useful shortcut: Security+ likes answers that document decisions, assign ownership, reduce exposure, and keep the business running. It usually does not like “ignore it,” “disable everything,” or “buy a shiny tool before understanding the risk.”
Security+ risk management practice questions
1. Choosing a risk response
A company has an old internal application that cannot be patched for three months because the vendor no longer supports the current version. The app is still required for daily operations. IT places the server behind stricter firewall rules, limits access to one department, and increases logging until the replacement project is complete.
Which risk response is this?
A. Avoidance
B. Mitigation
C. Acceptance
D. Data masking
Answer: B. Mitigation.
Mitigation reduces the likelihood or impact of a risk. The company did not eliminate the risk, and it did not stop using the application. It added compensating controls: restricted access, tighter firewall rules, and better logging.
Avoidance would mean stopping the activity entirely, like retiring the app immediately. Acceptance would mean leadership formally decides to live with the risk, usually after understanding it. This scenario shows active reduction.
2. Third-party risk before signing
A payroll vendor will process employee names, addresses, bank details, and tax information. The business wants to move quickly, but security asks for contract security terms, proof of controls, breach notification language, and a review of the vendor’s data handling process.
What process is security performing?
A. Third-party risk assessment
B. Password spraying
C. Port forwarding
D. Configuration baseline drift
Answer: A. Third-party risk assessment.
A vendor that handles sensitive data becomes part of your risk surface. Security should review what data the vendor receives, how it is protected, who can access it, how incidents are reported, and what happens when the contract ends.
The exam may describe questionnaires, contracts, audit reports, security addenda, data processing terms, or right-to-audit clauses. Those are all vendor risk clues.
3. Impact versus likelihood
A vulnerability exists on a public-facing customer portal. Exploit code is widely available, and a successful attack could expose customer records. Another vulnerability exists on a lab machine with no sensitive data and no external access.
Which issue should be prioritized first?
A. The lab machine because all vulnerabilities must be fixed alphabetically
B. The customer portal because impact and likelihood are higher
C. Neither, because patching always breaks things
D. The lab machine because it is easier
Answer: B. The customer portal because impact and likelihood are higher.
Risk is not just “a scanner found something.” Prioritization considers how likely exploitation is and what happens if it succeeds. Public exposure, available exploit code, and sensitive data all raise priority.
The lab machine still needs attention, but lower business impact and lower exposure make it less urgent than a public system holding customer records.
4. Risk acceptance done correctly
A department wants to keep using a legacy reporting system for 60 days until a replacement launches. Security documents the risk, the temporary controls, the expiration date, and the business owner who approves the exception.
What makes this a valid risk acceptance process?
A. The risk is ignored because the department asked nicely
B. A business owner knowingly accepts documented risk for a defined period
C. Security deletes the finding from the scanner
D. The help desk promises to watch it manually
Answer: B. A business owner knowingly accepts documented risk for a defined period.
Risk acceptance is not “we forgot to fix it.” It is a documented decision by someone with authority. Good acceptance records include the reason, owner, timeframe, compensating controls, and review date.
If there is no owner, no expiration, and no documentation, it is not mature risk acceptance. It is just drift wearing a fake mustache.
5. Transferring risk
A company is worried about financial losses from a possible data breach. It improves security controls but also purchases a cyber insurance policy that may cover certain breach-related costs.
Which risk response does the insurance represent?
A. Transference
B. Avoidance
C. Eradication
D. Authentication
Answer: A. Transference.
Transference shifts some financial impact to another party, usually through insurance, contracts, or outsourcing. It does not make the underlying risk disappear. The company still needs security controls, incident response, and legal/compliance planning.
Security+ trap: insurance is not a magic “we are safe now” button. It is one part of risk handling.
6. Risk register ownership
During a security review, the team creates a list of risks with owners, likelihood, impact, current controls, planned treatments, and review dates.
What is this list commonly called?
A. Risk register
B. Packet capture
C. Password vault
D. Chain of custody
Answer: A. Risk register.
A risk register tracks known risks and how the organization plans to handle them. It keeps risk from becoming hallway conversation that everybody remembers differently.
For the exam, think of a risk register as the boring spreadsheet that answers: what is the risk, who owns it, how bad is it, what are we doing, and when do we check again?
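A small risk register that works through questions 3, 4, and 6 together, as an added example that is not part of the original post: the rating bumps a finding for the exposure clues from question 3, and the checker flags acceptances that lack an owner, expiration, or review date. The 1-5 scales, the scoring rule, and the sample entries are assumptions made for this example.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

# 1-5 qualitative scales as in many study guides; the scoring rule is an assumption here.
@dataclass
class Risk:
    name: str
    owner: str
    likelihood: int                 # 1 (rare) .. 5 (almost certain)
    impact: int                     # 1 (negligible) .. 5 (severe)
    public_facing: bool = False
    exploit_available: bool = False
    sensitive_data: bool = False
    current_controls: List[str] = field(default_factory=list)
    treatment: str = "mitigate"     # mitigate, accept, transfer, or avoid
    accepted_until: Optional[date] = None   # required when treatment == "accept"
    review_date: Optional[date] = None

def rating(r: Risk) -> int:
    """Likelihood x impact, plus 5 for each question 3 clue that makes a finding urgent."""
    clues = (r.public_facing, r.exploit_available, r.sensitive_data)
    return r.likelihood * r.impact + 5 * sum(clues)

def prioritize(register: List[Risk]) -> List[Risk]:
    return sorted(register, key=rating, reverse=True)   # highest rating first

def acceptance_problems(r: Risk, today: date) -> List[str]:
    """Question 4 checklist: owner, expiration and review date, and not past expiry."""
    if r.treatment != "accept":
        return []
    checks = [
        (not r.owner, "no owner"),
        (r.accepted_until is None, "no expiration"),
        (r.accepted_until is not None and r.accepted_until < today, "expired"),
        (r.review_date is None, "no review date"),
    ]
    return [msg for failed, msg in checks if failed]

# Constructed register entries mirroring questions 3 and 4, not real findings.
REGISTER = [
    Risk("Lab machine vulnerability", "Lab admin", likelihood=2, impact=1),
    Risk("Customer portal vulnerability", "Web team lead", likelihood=5, impact=5,
         public_facing=True, exploit_available=True, sensitive_data=True),
    Risk("Legacy reporting system", "Finance director", likelihood=3, impact=3,
         current_controls=["network restriction", "daily log review"], treatment="accept",
         accepted_until=date(2024, 5, 1), review_date=date(2024, 4, 15)),
    Risk("Forgotten scanner finding", "", likelihood=3, impact=2, treatment="accept"),
]
```

Running `prioritize(REGISTER)` puts the customer portal first and the lab machine last, and `acceptance_problems` on the last entry reports the three gaps that make it drift rather than acceptance.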
7. Avoiding risk
A company planned to collect Social Security numbers for a marketing promotion. After review, legal and security explain that the data is unnecessary and would create avoidable exposure. The company changes the form so it never collects the numbers.
Which response is this?
A. Avoidance
B. Transference
C. Single sign-on
D. Non-repudiation
Answer: A. Avoidance.
Avoidance means changing the plan so the risk no longer exists. If you do not collect sensitive data you do not need, you cannot leak that specific data later. That is often better than collecting everything and trying to secure it forever.
This is one of the most practical security lessons on the exam: the safest database is the one you did not create for no reason.
8. Compensating control
A production database requires an upgrade before it can support a stronger authentication method. The upgrade is scheduled, but until then the company restricts database admin access to a jump host, requires MFA for the jump host, and reviews admin logs daily.
What are these temporary measures?
A. Compensating controls
B. Data exfiltration
C. Bluejacking
D. Dumpster diving
Answer: A. Compensating controls.
Compensating controls reduce risk when the preferred control cannot be implemented yet. They are not an excuse to avoid the real fix forever. They buy time while the proper control is planned and executed.
The key phrase is “until then.” Security+ often tests whether you can keep risk contained during messy real-world constraints.
9. Control effectiveness
A company has a policy requiring terminated users to lose access within four hours. An audit finds several accounts stayed active for weeks because HR notifications were inconsistent.
What is the main lesson?
A. A written policy is enough if it sounds official
B. Controls need testing, monitoring, and process ownership
C. Disabled accounts should be renamed instead of removed
D. Users should share passwords during offboarding
Answer: B. Controls need testing, monitoring, and process ownership.
A policy that nobody follows is not much of a control. The organization needs a reliable trigger from HR, an accountable IT workflow, logging, and periodic review to confirm access is actually removed.
This connects risk management to access control. If that area is rusty, review the Security+ access control practice questions.
10. Business impact analysis
A hospital ranks systems by how quickly they must be restored during an outage. Patient care systems are ranked above training portals and cafeteria menus.
What activity does this best describe?
A. Business impact analysis
B. War driving
C. Tailgating
D. Port scanning
Answer: A. Business impact analysis.
A business impact analysis helps determine which processes and systems are most critical. It informs recovery priorities, backup strategy, disaster recovery planning, and acceptable downtime decisions.
The exam clue is business function priority. Not all systems matter equally during an outage, even if every department insists their thing is mission critical.
Review table: risk response by clue
| If the scenario says… | Think… | Example |
|---|---|---|
| “We reduced exposure but still run it” | Mitigation | Firewall rules, MFA, logging |
| “We stopped doing the risky thing” | Avoidance | Do not collect unnecessary sensitive data |
| “Leadership approved living with it” | Acceptance | Documented exception with owner/date |
| “Insurance or contract shifts cost” | Transference | Cyber insurance, vendor liability terms |
| “Preferred control is delayed” | Compensating control | Temporary jump host and extra monitoring |
| “Vendor handles sensitive data” | Third-party risk | Security review before signing |
How to study risk questions without turning your brain off
Do not memorize the four risk responses as isolated flashcards. Turn each one into an IT ticket or business decision:
- An old server cannot be patched yet.
- A vendor needs access to customer data.
- A manager wants to collect data the business does not need.
- A vulnerability scan finds 400 issues and only two admins are available.
- A system owner wants a temporary exception.
For each scenario, ask three questions:
- What bad thing could happen?
- How likely is it, and how much would it hurt?
- What is the most reasonable response for the business?
That is the Security+ risk-management loop in plain English.
If you are studying Security+ to move toward cybersecurity, the cybersecurity careers hub is a useful next stop. If you are still building your certification path, start with the IT certifications hub before buying three courses you will never finish.
FAQ
Is risk management technical or business-focused on Security+?
Both, but the exam leans business-aware. You still need to understand vulnerabilities and controls, but many questions ask who owns risk, how to prioritize work, and which response fits the situation.
Is risk acceptance the same as doing nothing?
No. Real risk acceptance is documented, approved by the right business owner, time-bounded when appropriate, and reviewed later. “Nobody fixed it” is not risk acceptance. It is just a finding waiting to embarrass someone.
Should I memorize formulas for risk?
Know the basic idea that risk combines likelihood and impact. Some study materials use simple formulas, but the bigger exam skill is reading the scenario and choosing the response that matches business impact.
What should I review after risk management?
Review governance, policies, third-party risk, business continuity, incident response, and access control. Those topics overlap constantly in real jobs and on the exam.