nerdexam
(ISC)2

CISSP · Question #487

Which of the following is a characteristic of convert security testing?

The correct answer is B. Tests staff knowledge and Implementation of the organization's security policy. Covert security testing (also known as red team or blind testing) is performed without the knowledge of staff to evaluate how employees respond to real-world attack scenarios and whether they follow security policies.

Submitted by miguelv· Mar 5, 2026Security Assessment and Testing

Question

Which of the following is a characteristic of convert security testing?

Options

  • AInduces less risk than over testing
  • BTests staff knowledge and Implementation of the organization's security policy
  • CFocuses an Identifying vulnerabilities
  • DTests and validates all security controls in the organization

How the community answered

(49 responses)
  • B
    94% (46)
  • C
    4% (2)
  • D
    2% (1)

Why each option

Covert security testing (also known as red team or blind testing) is performed without the knowledge of staff to evaluate how employees respond to real-world attack scenarios and whether they follow security policies.

AInduces less risk than over testing

Inducing less risk than over-testing is not a characteristic of covert testing; in fact, covert tests can introduce operational risk because response teams may react to simulated attacks as if they were real incidents.

BTests staff knowledge and Implementation of the organization's security policyCorrect

Covert testing is specifically designed to be conducted without the awareness of the target staff, which means it authentically evaluates whether employees recognize threats and respond according to the organization's security policy. Because staff are unaware a test is occurring, their reactions reflect genuine compliance with-or deviation from-established security procedures, making policy knowledge and implementation the primary characteristic being assessed.

CFocuses an Identifying vulnerabilities

Focusing on identifying vulnerabilities is characteristic of penetration testing or vulnerability assessments, not specifically covert (blind) security testing, which centers on human and procedural responses rather than technical flaw discovery.

DTests and validates all security controls in the organization

Testing and validating all security controls describes a comprehensive security audit or full-scope assessment, not covert testing, which is scoped to evaluate staff awareness and behavioral responses without their knowledge.

Concept tested: Characteristics and purpose of covert security testing

Source: https://csrc.nist.gov/publications/detail/sp/800-115/final

Topics

#Security testing#Covert testing#Social engineering#Policy compliance

Community Discussion

No community discussion yet for this question.

Full CISSP Practice