nerdexam
(ISC)2

CISSP · Question #290

CISSP Question #290: Real Exam Question with Answer & Explanation

The correct answer is A: Risk versus benefit.

Submitted by noor.lb · Mar 5, 2026 · Software Development Security

Question

What balance MUST be considered when web application developers determine how informative application error messages should be constructed?

Options

  • A. Risk versus benefit
  • B. Availability versus auditability
  • C. Confidentiality versus integrity
  • D. Performance versus user satisfaction

Explanation

When web application developers construct error messages, they must strike a balance between how much information is provided to the user and the security risks involved in revealing too much. Error messages should provide enough information for users to understand what went wrong, but not so much that they give attackers useful details about the internal workings of the application (e.g., stack traces, database queries, or system paths).

Topics

#secure software development #error handling #information disclosure #risk assessment
