IIBA-CCA Exam Dumps - Certificate in Cybersecurity Analysis (CCA)

Creating a fake website to trick individuals into entering usernames and passwords is a classic example of phishing. Phishing is a social engineering technique where an attacker impersonates a trusted entity to deceive a victim into disclosing sensitive information (credentials, personal data, payment details) or taking an action that benefits the attacker (downloading malware, approving an MFA prompt, wiring funds). A counterfeit login page is commonly used in credential-harvesting campaigns: the victim believes they are authenticating to a legitimate service, but the credentials are captured by the attacker and later used for account takeover. This is not necessarily a breach yet because the question describes an attempt to acquire credentials; a breach would be confirmed unauthorized access or disclosure. While phishing is a kind of threat, “threat” is too broad compared to the specific described behavior. It is also not ransomware, which focuses on encrypting or locking data and demanding payment. Cybersecurity documentation emphasizes layered defenses against phishing: user awareness training, email and web filtering, domain and certificate validation, anti-spoofing controls, strong authentication (especially MFA resistant to prompt fatigue), password managers that reduce credential entry on lookalike domains, and monitoring for suspicious logins. Because the attack relies on deception through a fake website to steal credentials, the best match is phishing.

Information classification is the practice of assigning data a sensitivity level so the organization can apply protections that match thebusiness impactif the information is exposed, altered, or becomes unavailable. The core driver for classification is therisk of harm—especially harm caused by unauthorized disclosure. If disclosure would result in regulatory penalties, reputational damage, competitive disadvantage, contractual breach, or harm to customers and employees, the data is classified at a higher level and requires stronger controls. These controls commonly include tighter access restrictions (least privilege and role-based access), stronger authentication, encryption at rest and in transit, stricter handling and sharing rules, audit logging, monitoring, and secure disposal requirements.

While retention can be influenced by compliance obligations, it is not what determines the classification level; retention policies typically reference classification but do not define it. “Need for access” is managed through access control decisions, which are appliedafterthe data’s sensitivity is understood; classification informs who should have access, not the other way around. “Timing of availability” relates to availability requirements and service resilience, which are important, but classification schemes primarily focus on sensitivity and potential damage from inappropriate exposure, with integrity and availability considerations often handled as additional impact dimensions.

Therefore, the best verified basis for information classification is the organization’s assessment ofrisk of loss or harm from disclosure.

A risk score is commonly calculated by combining two core factors: how likely a risk scenario is to occur and how severe the consequences would be if it did occur. This is often described in cybersecurity risk documentation as likelihood times impact, or as a structured mapping using a risk matrix.Probability or likelihoodreflects the chance that a threat event will exploit a vulnerability under current conditions. It may consider elements such as threat activity, exposure, ease of exploitation, control strength, and historical incident patterns.Impactreflects the magnitude of harm to the organization, usually measured across business disruption, financial loss, legal or regulatory exposure, reputational damage, and harm to confidentiality, integrity, or availability.

While confidentiality, integrity, and availability are essential for understanding what matters and can influence impact ratings, they are typically inputs into impact determination rather than the full scoring method by themselves. Past experience and expert threat assessment can inform likelihood estimates, but they are not the standard calculation model on their own. The key concept is that risk must reflect both chance and consequence; a highly impactful event with very low likelihood may be scored similarly to a moderate impact event with high likelihood depending on the organization’s methodology.

Therefore, the most accurate description of how a risk score is calculated is the combination of probability and impact, enabling prioritization and consistent risk treatment decisions.

Cloud service models are commonly described as stacked layers of responsibility.Software as a Servicedelivers a complete application to the customer, while the provider manages the underlying platform and infrastructure.Platform as a Servicesits one level below SaaS: it provides the managed platform needed to build, deploy, and run applications without the customer having to manage the underlying servers and most core system software.

A defining feature of PaaS is that the provider supplies and manages key platform components such as theoperating system, runtime environment, middleware, web/application servers, and often supporting services like managed databases, messaging, scaling, and patching of the platform layer. The customer typically remains responsible for their application code, configuration, identities and access in the application, data classification and protection choices, and secure development practices. This shared responsibility model is central in cybersecurity guidance because it determines which security controls the provider enforces by default and which controls the customer must implement.

Given the answer options,Operating Systemis the best match because it is a core part of the platform layer that PaaS customers generally do not manage directly. Load balancers and storage can be consumed in multiple models, including IaaS and PaaS, and subscriptions describe a billing approach, not the technical service layer. Therefore, option D correctly reflects what PaaS provides compared to SaaS.

Bottom of Form

An embedded system is a specialized computing system designed to perform a dedicated function as part of a larger device or physical system. Unlike general-purpose computers, embedded systems are built to support a specific mission such as controlling sensors, actuators, communications, or device logic in products like routers, printers, medical devices, vehicles, industrial controllers, and smart appliances. Cybersecurity documentation commonly highlights that embedded systems tend to operate with constrained resources, which may include limited CPU power, memory, storage, and user interface capabilities. These constraints affect both design and security: patching may be harder, logging may be minimal, and security features must be carefully engineered to fit the platform’s limitations.

Option C best matches this characterization by describing a small form factor and limited processing power, which are typical attributes of many embedded devices. While not every embedded system is “small,” the key idea is that it is purpose-built, resource-constrained, and tightly integrated into a larger product.

The other options describe different concepts. A secure underground facility relates to physical site security, not embedded computing. Being hard to remove is about physical installation or tamper resistance, which can apply to many systems but is not what defines “embedded.” Storing cryptographic keys in a tamper-resistant external device describes a hardware security module or secure element use case, not the general definition of an embedded system.

SSL/TLS relies ondigital certificatesto support encrypted communications and to help users trust that they are connecting to the correct server. A TLS certificate is typically anX.509 certificatethat binds a public key to an identity, such as a domain name, and is digitally signed by a trusted issuer. In most public internet use cases, these certificates are issued byCertificate Authoritiesthat browsers and operating systems already trust through pre-installed root certificates. Because of that trust chain, organizations commonly obtain certificates by purchasing or otherwise obtaining them from certificate authorities, which is why option B is correct.

During the TLS handshake, the server presents its certificate to the client. The client validates the certificate’s signature chain, validity period, and that the certificate matches the domain being accessed. Once validated, TLS establishes session keys used to encrypt data in transit and protect it from eavesdropping and tampering. Certificates themselves are not “similar to unencrypted data,” and they are not specific to thumb-drive storage; they are used to secure network communications. Certificates also do not primarily provide “authorization” to access data. Authorization is typically enforced by application and access control mechanisms after authentication. Certificates supportauthenticationof endpoints and enable secure key exchange, which are prerequisites for secure transport encryption and trustworthy connections.

Opportunity cost is a core enterprise-risk and economics concept: when an organization allocates limited resources to one activity, it reduces what is available for other priorities. Increasing cybersecurity typically requiresmoney, skilled personnel time, executive attention, tooling, and operational capacity. Those resources could otherwise be used for revenue-generating work such as new product features, customer experience improvements, system modernization, market expansion, or process automation. That tradeoff is exactly what option D describes, making it the correct answer.

Cybersecurity documents stress that risk treatment decisions must balancerisk reductionagainstcost, feasibility, and business impact. While stronger security can reduce the likelihood and impact of incidents, it can also introduce friction (extra approval steps, stronger authentication, segmentation), slow delivery when changes require additional reviews, and demand ongoing operational effort (monitoring, patching, vulnerability remediation, access recertification, incident response testing). These impacts are not arguments against security; they are the reason governance processes prioritize controls based on the most critical assets, highest-risk threats, and compliance requirements.

Option A may be true in some cases, but it describes a direct cost, not the broader economic concept of opportunity cost. Option B is a trend statement and not the definition. Option C is incorrect because security spend is not always less than breach risk; organizations must evaluate cost-benefit and acceptable residual risk rather than assume a universal rule.

Logging requirements in cybersecurity focus on ensuring the system can produce reliable, actionable records that support detection, investigation, compliance, and accountability. The most fundamental capability is the ability torecord information about user access and actionswithin the system. This includes authentication events such as logon success or failure, logoff, session creation, and privilege elevation; authorization decisions such as access granted or denied; and security-relevant actions such as viewing, creating, modifying, deleting, exporting, or transmitting sensitive data. Good security logging also captures context like timestamp synchronization, user or service identity, source device or IP, target resource, action performed, and outcome.

This capability supports multiple operational needs. Security monitoring teams rely on logs to identify anomalies like repeated failed logins, unusual access times, access from unexpected locations, or high-risk administrative changes. Incident responders need logs to reconstruct timelines, confirm scope, and preserve evidence. Auditors and compliance teams require logs to demonstrate control effectiveness, segregation of duties, and traceability of changes.

The other options are not sufficient to satisfy logging requirements. Single sign-on can simplify authentication but does not guarantee application-level activity logging. Integration with specialized tools may be useful, but the solution must first generate the required events. Deployment model options do not address whether the system can create detailed audit trails. Therefore, the required capability is recording user access and actions in the system.