True/False

Indicate whether the statement is true or false.


__F__  1.   When a computer is the subject of an attack, it is the entity being attacked.


___F_  2.   The implementation phase is the longest and most expensive phase of the systems development life cycle (SDLC).


__T__  3.   The Secret Service is charged with the detection and arrest of any person committing a United States federal offense relating to computer fraud and false identification crimes.


__T__  4.   The value of intellectual property influences asset valuation.


__T__  5.   Leaving unattended computers on is one of the top information security mistakes made by individuals.


Modified True/False

Indicate whether the statement is true or false. If false, change the identified word or phrase to make the statement true.


__T__  6.   In information security, salami theft occurs when an employee steals a few pieces of information at a time, knowing that taking more would be noticed — but eventually the employee gets something complete or usable. _________________________


__T__  7.   The malicious code attack includes the execution of viruses, worms, Trojan horses, and active Web scripts with the intent to destroy or steal information. _________________________


__T__  8.   Privacy is not absolute freedom from observation, but rather is a more precise “state of being free from unsanctioned intrusion.” _________________________


__T__  9.   The Economic Espionage Act of 1996 protects American ingenuity, intellectual property, and competitive advantage. _________________________


__T__ 10.   Security efforts that seek to provide a superior level of performance in the protection of information are referred to as best business practices. _________________________


Multiple Choice

Identify the choice that best completes the statement or answers the question.


__B__ 11.   A famous study entitled “Protection Analysis: Final Report” was published in ____.

a. 1868 c. 1988
b. 1978 d. 1998



__A__ 12.   ____ security addresses the issues necessary to protect the tangible items, objects, or areas of an organization from unauthorized access and misuse.

a. Physical c. Object
b. Personal d. Standard



__C__ 13.   The ____ model consists of six general phases.

a. pitfall c. waterfall
b. 5SA&D d. SysSP



__A__ 14.   There are generally two skill levels among hackers: expert and ____.

a. novice c. packet monkey
b. journeyman d. professional



__A__ 15.   “4-1-9” fraud is an example of a ____ attack.

a. social engineering c. worm
b. virus d. spam



__B__ 16.   The Computer ____ and Abuse Act of 1986 is the cornerstone of many computer-related federal laws and enforcement efforts.

a. Violence c. Theft
b. Fraud d. Usage



__C__ 17.   Which of the following countries reported generally intolerant attitudes toward personal use of organizational computing resources?

a. Australia c. Singapore
b. United States d. Sweden



__D__ 18.   Laws and policies and their associated penalties only deter if which of the following conditions is present?

a. Fear of penalty
b. Probability of being caught
c. Probability of penalty being administered
d. All of the above



__B__ 19.   The ____ strategy attempts to prevent the exploitation of the vulnerability.

a. suspend control c. transfer control
b. defend control d. defined control



__B__ 20.   The formal decision-making process used when considering the economic feasibility of implementing information security controls and safeguards is called a(n) ____.

a. ARO c. ALE
b. CBA d. SLE




Complete each statement.


 21.   A virus or worm can have a payload that installs a(n) ____back____ door or trap door component in a system, which allows the attacker to access the system at will with special privileges.


 22.   A(n) ____buffer overrun____ is an application error that occurs when more data is sent to a program buffer than it is designed to handle.
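The buffer overrun named in the previous item, shown in C as an added example that is not part of the quiz or of the textbook it is drawn from. The buffer size NAME_MAX, the function names and the sample strings are constructed for illustration: the unbounded copy is the error the statement describes, and the bounded copy is the check that prevents it, counting the terminating NUL so that a 16-character string is rejected by a 16-byte buffer.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size field, as a program buffer might be declared. */
#define NAME_MAX 16

/* The error the quiz describes: strcpy writes strlen(src)+1 bytes into dst
 * no matter how large dst actually is, so a 32-byte string sent to a 16-byte
 * buffer overruns it and corrupts whatever sits after it on the stack. */
void copy_name_unsafe(char *dst, const char *src) {
    strcpy(dst, src);
}

/* Returns 1 if src (plus its terminating NUL) would not fit in dst_size bytes. */
int would_overrun(size_t dst_size, const char *src) {
    return strlen(src) >= dst_size;
}

/* Hardened copy: rejects input that does not fit rather than truncating it
 * silently. Returns 0 on success, -1 when the input would overrun dst. */
int copy_name_safe(char *dst, size_t dst_size, const char *src) {
    if (dst_size == 0 || would_overrun(dst_size, src)) {
        return -1;
    }
    memcpy(dst, src, strlen(src) + 1);   /* length already checked, NUL included */
    return 0;
}

/* Wrapper with an internal buffer so a caller only needs to supply the input. */
int accept_name(const char *src) {
    char name[NAME_MAX];
    return copy_name_safe(name, sizeof name, src);
}

int main(void) {
    char buf[NAME_MAX];
    /* Constructed inputs: one that fits, one exactly at the boundary, one far over. */
    const char *fits     = "alice";
    const char *boundary = "0123456789abcdef";                   /* 16 chars, no room for NUL */
    const char *too_long = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";   /* 32 chars */

    copy_name_unsafe(buf, fits);   /* harmless only because this input happens to fit */
    printf("unsafe copy of \"%s\": %s\n", fits, buf);

    printf("safe copy of \"%s\": %s\n", fits,
           copy_name_safe(buf, sizeof buf, fits) == 0 ? "accepted" : "rejected");
    printf("safe copy of 16-char input: %s\n",
           copy_name_safe(buf, sizeof buf, boundary) == 0 ? "accepted" : "rejected");
    printf("safe copy of 32-char input: %s\n",
           copy_name_safe(buf, sizeof buf, too_long) == 0 ? "accepted" : "rejected");
    /* copy_name_unsafe(buf, too_long) is deliberately not called: that call is the bug. */
    return 0;
}
```

The size check runs before any byte is written. Truncating with strncpy instead would avoid the overrun but silently changes the data, and strncpy does not guarantee a terminator when the source is longer than the buffer, so an explicit length check and a rejected return code is the safer shape.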


 23.   Guidelines that describe acceptable and unacceptable employee behaviors in the workplace are known as ____policies____.




 24.   Describe the multiple types of security systems present in many organizations.


1.) Physical Security – protect items, objects, and places

2.) Personnel security – protect individual access to the organization

3.) Operations security – protect details of activities

4.) Communications security – protect communications media, technology, and content

5.) Network security – protect networking components, connections, and contents

6.) Information security – protect the confidentiality, availability, and integrity of information assets.




 25.   List Microsoft’s “Ten Immutable Laws of Security” in any order.


  1. If a bad guy can persuade you to run his program on your computer, it’s not your computer anymore.
  2. If a bad guy can alter the operating system on your computer, it’s not your computer anymore.
  3. If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore.
  4. If you allow a bad guy to upload programs to your website, it’s not your website any more.
  5. Weak passwords trump strong security.
  6. A computer is only as secure as the administrator is trustworthy.
  7. Encrypted data is only as secure as the decryption key.
  8. An out of date virus scanner is only marginally better than no virus scanner at all.
  9. Absolute anonymity isn’t practical, in real life or on the Web.
  10. Technology is not a panacea.