IIBA Certificate in Cybersecurity Analysis (CCA) IIBA-CCA Exam Dumps: Updated Questions & Answers (April 2026)

Unauthorized access to data is the defining condition of a data breach. In standard cybersecurity terminology, a breach occurs when confidentiality is compromised—meaning data is accessed, acquired, viewed, or exfiltrated by an entity that is not authorized to do so. This is distinct from a “threat,” which is only the potential for harm, and distinct from a “hacker,” which describes an actor rather than the security outcome. A breach can result from external attackers, malicious insiders, credential theft, misconfigurations, unpatched vulnerabilities, or poor access controls. Cybersecurity guidance typically frames breaches as realized security incidents with measurable impact: exposure of regulated data, loss of intellectual property, fraud risk, reputational harm, and legal/regulatory consequences. Once unauthorized access is confirmed, incident response procedures generally require containment (limit further access), preservation of evidence (logs, system images where appropriate), eradication (remove persistence), and recovery (restore secure operations). Organizations also assess scope—what data types were accessed, how many records, which systems, and the dwell time—and then determine notification obligations where laws or contracts apply. In short, the discovery describes an actual compromise of data confidentiality, which is precisely a breach.

Creating a fake website to trick individuals into entering usernames and passwords is a classic example of phishing. Phishing is a social engineering technique where an attacker impersonates a trusted entity to deceive a victim into disclosing sensitive information (credentials, personal data, payment details) or taking an action that benefits the attacker (downloading malware, approving an MFA prompt, wiring funds). A counterfeit login page is commonly used in credential-harvesting campaigns: the victim believes they are authenticating to a legitimate service, but the credentials are captured by the attacker and later used for account takeover. This is not necessarily a breach yet because the question describes an attempt to acquire credentials; a breach would be confirmed unauthorized access or disclosure. While phishing is a kind of threat, “threat” is too broad compared to the specific described behavior. It is also not ransomware, which focuses on encrypting or locking data and demanding payment. Cybersecurity documentation emphasizes layered defenses against phishing: user awareness training, email and web filtering, domain and certificate validation, anti-spoofing controls, strong authentication (especially MFA resistant to prompt fatigue), password managers that reduce credential entry on lookalike domains, and monitoring for suspicious logins. Because the attack relies on deception through a fake website to steal credentials, the best match is phishing.

A cybersecurity infrastructure business case is typically driven by theRiskfunction because the justification for security investments is grounded in reducing enterprise risk to an acceptable level and aligning with the organization’s risk appetite and regulatory obligations. Risk-focused teams (often working with the CISO and security governance) translate threats, vulnerabilities, and control gaps into business impact terms such as likelihood of adverse events, potential operational disruption, financial exposure, regulatory penalties, and reputational harm. This framing is what a formal business case requires: a clear problem statement, quantified or prioritized risk scenarios, expected risk reduction from proposed controls, and how residual risk compares to tolerance thresholds.

WhileITusually leads implementation and provides architecture, sizing, and operational cost estimates, IT alone does not typically “drive” the business case without the risk rationale that explains why the investment is necessary and what enterprise outcomes it protects.Legalcontributes requirements related to compliance, contracts, and breach handling, but it generally supports rather than owns investment prioritization.Financeevaluates budgeting, funding options, and return-on-investment assumptions, yet it relies on risk inputs to understand why the spend is warranted and what loss exposure is being reduced.

Therefore, the organizational area most responsible for driving a cybersecurity infrastructure business case—by defining the risk problem, articulating risk-based benefits, and enabling executive decision-making—isRisk.

Bottom of Form

Role-based access control assigns permissions to defined roles that reflect job functions, and users receive access by being placed into the appropriate role. The major operational and security benefit is that itsimplifies and standardizes access provisioning. Instead of granting permissions individually to each user, administrators manage a smaller, controlled set of roles such as Accounts Payable Clerk, HR Specialist, or Application Administrator. When a new employee joins or changes responsibilities, access can be adjusted quickly and consistently by changing role membership. This reduces manual errors, limits over-provisioning, and helps enforce least privilege because each role is designed to include only the permissions required for that function.

RBAC also improves governance by making access decisions more repeatable and policy-driven. Security and compliance teams can review roles, validate that each role’s permissions match business needs, and require approvals for changes to role definitions. This approach supports segregation of duties by separating conflicting capabilities into different roles, which lowers fraud and misuse risk.

Option B is a real advantage of RBAC, but it is typically a secondary outcome of having structured roles rather than the primary “significant benefit” emphasized in access-control design. Option C relates to identity lifecycle processes such as deprovisioning, which can be integrated with RBAC but is not guaranteed by RBAC alone. Option D describes distributing tasks among multiple users, which is more aligned with segregation of duties design, not the core benefit of RBAC.

Information classificationis the formal process of evaluating the data an organization creates or holds and assigning it a sensitivity level so the organization can apply the right safeguards. Cybersecurity policies describe classification as the foundation for consistent protection because it links thepotential harm from unauthorized disclosure, alteration, or lossto specific handling and control requirements. Typical classification labels include Public, Internal, Confidential, and Restricted, though names vary by organization. Once data is classified, required protections can be specified, such as encryption at rest and in transit, access restrictions based on least privilege, approved storage locations, monitoring requirements, retention periods, and secure disposal methods.

This is not avulnerability assessment, which focuses on identifying weaknesses in systems, applications, or configurations. It is also not aninternal audit, which evaluates whether controls and processes are being followed and are effective. Option D,information categorization, is often used in some frameworks to describe assigning impact levels (for example, confidentiality, integrity, availability impact) to information types or systems, mainly to drive control baselines. While related, the question specifically emphasizes assessing data and deciding thelevel of protectionbased on risk from disclosure, which aligns most directly withclassificationprograms used to govern labeling and handling rules across the organization.

A strong classification program improves security consistency, supports compliance, reduces accidental exposure, and helps prioritize controls for the most sensitive information assets.

Risk managers demonstrate the effectiveness of security controls by usingmetrics reportingbecause metrics provide objective, repeatable evidence that controls are operating as intended and are producing measurable outcomes. In cybersecurity governance, “control effectiveness” is shown through performance indicators and trend data, not just by stating that a control exists. Metrics translate technical activity into risk-relevant results that leadership can understand and act on.

Common control-effectiveness metrics include patch compliance rates and time-to-remediate critical vulnerabilities, percentage of systems meeting secure configuration baselines, multifactor authentication coverage, privileged access review completion rates, mean time to detect and respond, incident volume and severity trends, phishing simulation outcomes, and the percentage of logs successfully collected and retained for monitoring. Risk managers also use key risk indicators to track whether residual risk is increasing or decreasing, and they compare results against defined thresholds and risk appetite.

Whilepenetration testingcan validate exposure and reveal weaknesses, it is periodic and scenario-based; it does not continuously demonstrate ongoing control performance across the environment.Change managementis essential for stability and risk reduction, but it is a process control rather than a reporting practice used to demonstrate effectiveness.Security awareness trainingimproves user behavior, yet effectiveness still needs measurement through metrics such as completion rates and simulated phishing results. Therefore, metrics reporting is the operational practice most directly used to demonstrate control effectiveness.

Apatchis a vendor- or developer-provided update intended to correct defects in software, includingprogramming errorsandsecurity vulnerabilities. Cybersecurity and IT operations documents describe patching as a primary method of vulnerability remediation because many attacks succeed by exploiting known weaknesses for which fixes already exist. When a vulnerability is disclosed, the vendor may publish a patch that changes code, updates components, adjusts configuration defaults, or replaces vulnerable libraries. Applying the patch reduces the likelihood that an attacker can use that weakness to gain unauthorized access, execute malicious code, elevate privileges, or disrupt availability.

A patch is different from acontrol, which is a broader safeguard (technical, administrative, or physical) used to reduce risk; patching itself can be part of a control, such as a patch management program. It is also different from arelease, which is a broader software distribution that may include new features, improvements, and multiple fixes; a patch is usually more targeted and may be issued between major releases. Alogis an audit record of events and is used for monitoring, troubleshooting, and incident investigation—not for fixing code defects.

Cybersecurity guidance emphasizes disciplined patch management: maintaining asset inventories, prioritizing patches by risk and exposure, testing changes, deploying promptly, verifying installation, and documenting exceptions to manage residual risk.

NIST SP 800-30 Rev. 1 defines qualitative risk severity levels using consistent impact language. In its assessment scale,“Moderate”is explicitly tied to events that can be expected to have aserious adverse effecton organizational operations, organizational assets, individuals, other organizations, or the Nation.

A “serious adverse effect” is described as outcomes such as asignificant degradation in mission capabilitywhere the organization can still perform its primary functions but withsignificantly reduced effectiveness,significant damageto organizational assets,significant financial loss, orsignificant harm to individualsthat does not involve loss of life or life-threatening injuries. This phrasing is used to distinguish “Moderate” from “Low” (limited adverse effect) and from “High” (severe or catastrophic adverse effect).

This classification matters in enterprise risk because it drives prioritization and control selection. A “Moderate” rating typically triggers stronger treatment actions than “Low,” such as tighter access controls, enhanced monitoring, more frequent vulnerability remediation, stronger configuration management, and improved incident response readiness. It also helps leaders compare risks consistently across systems and business processes by anchoring severity to clear operational and harm-based criteria rather than subjective judgment.

Social engineeringis the broad technique attackers use when they manipulate human psychology—such as trust, fear, urgency, curiosity, sympathy, authority, or the desire to be helpful—to persuade someone to take an action that benefits the attacker. The key idea in the question is “exploit human emotions and connection,” which is the defining characteristic of social engineering. Rather than breaking a system through purely technical means, the attacker targets the person as the easiest path to access, credentials, sensitive information, or physical entry.

Phishing is aspecific subtypeof social engineering that typically uses email, text messages, or fake websites to trick users into clicking links, opening attachments, or entering credentials. Tailgating is another subtype focused onphysical access, where an attacker follows an authorized person into a restricted area by leveraging politeness or social pressure. Malware is malicious software used to compromise systems; it can be delivered through social engineering, but malware itself is not the human-manipulation technique.

Cybersecurity control guidance treats social engineering as a major risk because it can bypass technical protections by causing legitimate users to unintentionally grant access. Common defenses include awareness training, verification procedures (call-back and out-of-band confirmation), least privilege, multi-factor authentication, strong email and web filtering, and clear reporting channels so suspicious requests can be escalated quickly.

AnAccess Control List (ACL)is a structured, system-maintained list of authorization rules that specifieswho or what is allowed to access a resourceand what actions are permitted. In many operating systems, network devices, and applications, an ACL functions as an internal table that maps identities such as user IDs, group IDs, service accounts, or even device/terminal identifiers to permissions like read, write, execute, modify, delete, or administer. When a subject attempts to access an object, the system consults the ACL to determine whether the requested operation should be allowed or denied, enforcing the organization’s security policy at runtime.

The description in the question matches the classic definition of an ACL as a computerized table of access rules tied to login IDs and sometimes the originating endpoint or terminal context. ACLs are central to implementingdiscretionary access controland are also widely used in networking (for example, permitting or denying traffic flows based on source/destination and ports) and file systems (controlling access to folders and files).

AnAccess Control Entry (ACE)is only a single line item within an ACL (one rule for one subject). A “Relational Access Database” is not a standard security control term for authorization tables. A “Directory Management System” manages identities and groups, but it is not the same as the enforcement list attached to a specific resource. Therefore, the correct answer isAccess Control List.