'Discoverability' is generally associated with the **STRIDE** threat modeling framework. STRIDE is used to categorize various types of security threats, including Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. Discoverability relates to the ability of an attacker to find and exploit these threats, typically under the category of Information Disclosure. So the correct answer is: **a.

The document type that provides high-level security policy is c. Policy. Policies outline the overall intentions and direction of an organization regarding security, serving as a framework for the establishment of standards and procedures.

In quantitative risk analysis, ARO stands for **Annual Rate of Occurrence**. Therefore, the correct answer is: b. Annual Rate of Occurrence

The correct answer is: c. Residual risk. Residual risk refers to the amount of risk that remains after risk management measures have been applied.

c. Transfer Transferring risk involves shifting the responsibility or impact of the risk to a third party, often through means like insurance or outsourcing.

The organization that provides COBIT 5 standards is **b. ISACA**.

a. Trojan Horse A Trojan Horse is a type of malware that disguises itself as legitimate software to deceive users into executing it. Once activated, it can perform various malicious actions on the infected system.

d. Network Segmentation While network segmentation can be an important aspect of IT infrastructure and security, it is not typically a direct component of a Business Continuity Plan (BCP). The other options (IT Contingency Plan, Risk Assessment, and Vital Records Program) are commonly included in a BCP to ensure that an organization can continue to operate during and after a disruptive event.

In qualitative risk assessment, 'E' typically stands for **Extreme**. This indicates a high level of risk that requires immediate attention and action. So the correct answer is: c. Extreme

The main goal of 'Defense in Depth' is **b. Provide multiple layers of security**. This approach involves implementing various security measures at different levels to protect information and systems more effectively.

c. Online installations A 'Click-through license' is commonly found in online installations, where users must agree to the terms of the license by clicking a button before they can proceed with the installation or use of the software.

The first step in threat modeling is **c. Identify scope**. This involves determining what assets, systems, or applications you are focusing on, which is crucial for identifying potential threats and vulnerabilities later in the process.

The correct answer is: **c. Align security with business objectives**. The Chief Information Security Officer (CISO) is responsible for the overall security strategy and implementation within an organization, ensuring that security measures align with business goals and objectives, managing risks, and leading efforts to protect the company’s information assets.

The correct answer is **c. Shrink-wrap license**. This type of license is associated with software that is packaged in a way that indicates agreement to the license terms is granted when the package is opened.

The correct answer is **c. Technical**. Technical controls are primarily logical and software-based, involving protection mechanisms implemented through technology, such as encryption, firewalls, and intrusion detection systems.

c. Social Engineering

The correct answer is: **b. Behavioral expectation to act responsibly**. "Due care" refers to the level of judgment, attention, and responsibility that one is expected to exercise in a particular situation. In a legal and ethical context, it often pertains to the obligation to ensure that actions taken and decisions made do not cause harm to others.

b. An employee clicking a phishing link A threat actor refers to an individual or entity that poses a threat to an organization's security, typically by engaging in malicious activity. An employee clicking a phishing link can be considered a threat actor, as their action may open the door for potential security breaches. In contrast, a password, antivirus program, and firewall serve protective roles rather than acting as threats.