IIBA-CCA Exam Dumps

Get All Certificate in Cybersecurity Analysis Exam Questions with Validated Answers

IIBA-CCA Pack
Vendor: IIBA
Exam Code: IIBA-CCA
Exam Name: Certificate in Cybersecurity Analysis
Exam Questions: 75
Last Updated: June 5, 2026
Related Certifications: IIBA Specialized Business Analysis Certifications
Guarantee
  • 24/7 customer support
  • Unlimited Downloads
  • 90 Days Free Updates
  • 10,000+ Satisfied Customers
  • 100% Refund Policy
  • Instantly Available for Download after Purchase

Get Full Access to IIBA IIBA-CCA questions & answers in the format that suits you best

PDF Version

$40.00
$24.00
  • 75 Actual Exam Questions
  • Compatible with all Devices
  • Printable Format
  • No Download Limits
  • 90 Days Free Updates

Discount Offer (Bundle pack)

$80.00
$48.00
  • Discount Offer
  • 75 Actual Exam Questions
  • Both PDF & Online Practice Test
  • Free 90 Days Updates
  • No Download Limits
  • No Practice Limits
  • 24/7 Customer Support

Online Practice Test

$30.00
$18.00
  • 75 Actual Exam Questions
  • Actual Exam Environment
  • 90 Days Free Updates
  • Browser Based Software
  • Compatibility:
    supported Browsers

Pass Your IIBA-CCA Certification Exam Easily!

Looking for a hassle-free way to pass the IIBA Certificate in Cybersecurity Analysis exam? DumpsProvider provides the most reliable Dumps Questions and Answers, designed by IIBA certified experts to help you succeed in record time. Available in both PDF and Online Practice Test formats, our study materials cover every major exam topic, making it possible for you to pass potentially within just one day!

DumpsProvider is a leading provider of high-quality exam dumps, trusted by professionals worldwide. Our IIBA-CCA exam questions give you the knowledge and confidence needed to succeed on the first attempt.

Train with our IIBA-CCA exam practice tests, which simulate the actual exam environment. This real-test experience helps you get familiar with the format and timing of the exam, ensuring you're 100% prepared for exam day.

Your success is our commitment! That's why DumpsProvider offers a 100% money-back guarantee. If you don’t pass the IIBA-CCA exam, we’ll refund your payment within 24 hours, no questions asked.
 

Why Choose DumpsProvider for Your IIBA-CCA Exam Prep?

  • Verified & Up-to-Date Materials: Our IIBA experts carefully craft every question to match the latest IIBA exam topics.
  • Free 90-Day Updates: Stay ahead with free updates for three months to keep your questions & answers up to date.
  • 24/7 Customer Support: Get instant help via live chat or email whenever you have questions about our IIBA-CCA exam dumps.

Don’t waste time with unreliable exam prep resources. Get started with DumpsProvider’s IIBA-CCA exam dumps today and achieve your certification effortlessly!

Free IIBA IIBA-CCA Exam Actual Questions

Question No. 1

Which of the following would qualify as a multi-factor authentication pair?

Correct Answer: B

Multi-factor authentication requires a user to prove identity using two or more different factor types. Cybersecurity standards describe the main factor categories as something you know (for example, a password or PIN), something you have (for example, a hardware token, smart card, or authenticator app producing a one-time code), and something you are (biometrics such as fingerprint, face, or iris). A valid MFA pair must come from different categories, not just two items from the same category or a mix of authentication with non-authentication concepts.

Option B is correct because it explicitly combines two distinct factor types: a knowledge factor and an inherence factor. This pairing is widely recognized as MFA because compromising one factor does not automatically compromise the other: an attacker who steals a password still needs the biometric, and spoofing a biometric does not provide the secret knowledge factor.

Option A is incorrect because "encryption" is not an authentication factor; it is a protection mechanism for confidentiality and integrity of data. Option D has the same problem: encryption is not a user factor. Option C can represent MFA in many real implementations if "token" is truly a possession factor; however, training materials and exam items often prefer the clearest, unambiguous factor-language pairing, which is why "Something You Know and Something You Are" is the best single answer here.


Question No. 2

What things must be identified to define an attack vector?

Correct Answer: B

An attack vector is the route or method used to compromise an environment, and it is typically described as the way a threat actor exploits a vulnerability to gain unauthorized access, execute code, steal data, or disrupt services. To define an attack vector correctly, cybersecurity documents emphasize that you must identify both parts of that relationship: who or what is attacking and what weakness is being exploited. The "attacker" component represents the threat source or threat actor, including their capability and intent (for example, cybercriminals using phishing, insiders abusing access, or automated botnets scanning the internet). The "vulnerability" component is the specific weakness or exposure that enables success, such as a missing patch, weak authentication, misconfiguration, excessive permissions, insecure coding flaw, or lack of user awareness.

Without identifying the attacker, you cannot properly characterize the likely techniques, scale, and motivation driving the vector. Without identifying the vulnerability, you cannot define the practical entry point and control gaps that make the vector feasible. Together, attacker plus vulnerability allows defenders to map realistic scenarios, prioritize controls, and select mitigations that reduce likelihood and impact. Those mitigations may include patching, configuration hardening, strong authentication, least privilege, network segmentation, user training, and monitoring. The other options list technology elements that can be involved in an incident, but they do not capture the essential definition of an attack vector as an exploitation path driven by a threat actor leveraging a weakness.


Question No. 3

The opportunity cost of increased cybersecurity is that:

Correct Answer: D

Opportunity cost is a core enterprise-risk and economics concept: when an organization allocates limited resources to one activity, it reduces what is available for other priorities. Increasing cybersecurity typically requires money, skilled personnel time, executive attention, tooling, and operational capacity. Those resources could otherwise be used for revenue-generating work such as new product features, customer experience improvements, system modernization, market expansion, or process automation. That tradeoff is exactly what option D describes, making it the correct answer.

Cybersecurity documents stress that risk treatment decisions must balance risk reduction against cost, feasibility, and business impact. While stronger security can reduce the likelihood and impact of incidents, it can also introduce friction (extra approval steps, stronger authentication, segmentation), slow delivery when changes require additional reviews, and demand ongoing operational effort (monitoring, patching, vulnerability remediation, access recertification, incident response testing). These impacts are not arguments against security; they are the reason governance processes prioritize controls based on the most critical assets, highest-risk threats, and compliance requirements.

Option A may be true in some cases, but it describes a direct cost, not the broader economic concept of opportunity cost. Option B is a trend statement and not the definition. Option C is incorrect because security spend is not always less than breach risk; organizations must evaluate cost-benefit and acceptable residual risk rather than assume a universal rule.


Question No. 4

Analyst B has discovered multiple sources which can harm the organization's systems. What has she discovered?

Correct Answer: C

Multiple sources that can harm an organization's systems are classified as threats. In cybersecurity risk terminology, a threat is any circumstance, event, actor, or condition with the potential to adversely impact confidentiality, integrity, or availability. Threats can be human (external attackers, insiders, third-party compromises), technical (malware, ransomware campaigns, exploit kits), operational (misconfigurations, weak processes, inadequate monitoring), or environmental (power disruption, natural disasters).

This differs from a breach, which is the realized outcome where unauthorized access or disclosure has already occurred. It also differs from a hacker, which refers to one type of threat actor rather than the broader category of potential harm. Ransomware is a specific threat type (malware that encrypts data and demands payment), not a general term for multiple sources of harm.

Cybersecurity documents commonly pair "threats" with "vulnerabilities" and "controls": threats exploit vulnerabilities to create risk; controls reduce either the likelihood of exploitation or the impact if exploitation occurs. Identifying "multiple sources which can harm systems" is essentially threat identification, an early and ongoing step in risk management used to inform security architecture, monitoring, and incident preparedness. Therefore, the correct concept is threat.


Question No. 5

What is the purpose of Digital Rights Management (DRM)?

Correct Answer: B

Digital Rights Management is a set of technical mechanisms used to enforce the permitted uses of digital content after it has been delivered to a user or device. Its primary purpose is to control how copyrighted works are accessed and used, including restricting copying, printing, screen capture, forwarding, offline use, device limits, and redistribution. DRM systems commonly apply encryption to content and then rely on a licensing and policy enforcement component that checks whether a user or device has the right to open the content and under what conditions. These conditions can include time-based access (expiry), geographic limitations, subscription status, concurrent use limits, or restrictions on modification and export.

This aligns precisely with option B because DRM is fundamentally about usage control of copyrighted digital works, such as music, movies, e-books, software, and protected media streams. In cybersecurity documentation, DRM is often discussed alongside content protection, anti-piracy measures, and license compliance. It differs from general access control and audit logging: access control determines who may enter a system or open a resource, while auditing records actions for accountability. DRM extends beyond simple access by enforcing what a legitimate user can do with the content once accessed.

Option A describes audit logging, option C describes general authorization and data access control, and option D is closer to broad information rights management goals but is less precise than the standard definition focused on controlling use and distribution of copyrighted works.

