ソーシャル エンジニアリング演習は、フィッシング、ベイティング、プリテキスティング、または見返りなど、人間の脆弱性を悪用する実際の攻撃のシミュレーションです。ソーシャル エンジニアリング演習を実施すると、従業員のそのような攻撃に対する脆弱性、セキュリティ ポリシーと手順に関する認識、およびインシデントへの対応を測定することで、人間の脆弱性によるデータ損失に関連するリスクを評価するのに役立ちます。パスワード変更履歴の確認、定期的なアクセス再認証の実行、およびセキュリティ認識調査の結果の確認も役立ちますが、ソーシャル エンジニアリング攻撃に対する従業員の行動と回復力を直接テストするものではありません。

Explanation/Reference:
Explanation:
The potential choices of risk based decisions are represented in decision tree analysis via. Decision node, as decision nodes refers to the available choices.
Incorrect Answers:
A: End nodes are the final outcomes of the entire decision tree framework, especially in multilayered decision-making situations.
B: Root nodes represent the start of a decision tree.
C: Event nodes represents the possible uncertain outcomes of the decision, and not the available choices.

Section: Volume D

A control is an action or measure that reduces the likelihood or impact of a risk to an acceptable level.
Controls can be classified into different types based on their purpose or function, such as detective, compensating, corrective, or preventive. Performing a background check on a new employee candidate before hiring is an example of a preventive control. A preventive control is a control that aims to prevent the occurrence or manifestation of a risk, such as by avoiding, removing, or reducing the risk sources, causes, or drivers. A background check is a process that verifies the identity, qualifications, and history of a potential employee, and helps to ensure that the employee is suitable and trustworthy for the job. A background check can prevent the risk of hiring an unqualified, fraudulent, or malicious employee, who could compromise the performance, security, or compliance of the enterprise. The other options are not examples of preventive controls, as they involve different types of controls:
* A detective control is a control that aims to detect the occurrence or manifestation of a risk, such as by monitoring, measuring, or reporting the risk events, indicators, or outcomes. An example of a detective control is a log review, which is a process that analyzes the records of the activities or transactions on the IT systems or applications, and helps to identify any anomalies, errors, or violations that could indicate a risk.
* A compensating control is a control that aims to compensate for the weakness or deficiency of another control, such as by providing an alternative or additional level of protection or assurance. An example of a compensating control is a firewall, which is a device or software that filters the network traffic and blocks the unauthorized or malicious access to the IT systems or applications, and helps to compensate for the lack or failure of other security controls, such as encryption, authentication, or authorization.
* A corrective control is a control that aims to correct the occurrence or manifestation of a risk, such as by restoring, repairing, or improving the affected assets, processes, or functions. An example of a corrective control is a backup, which is a copy or replica of the data or information on the IT systems or applications, and helps to correct the loss or damage of the data or information due to a risk, such as a hardware failure, a software error, or a cyberattack. References = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 2, Section 2.3.3.1, pp. 62-63.