CISSP Cyber Training Podcast - CISSP Training Program

CCT 331: AI And Cyber Insurance Risk & CISSP Deep Dive Questions (Domain 1)

Shon Gerber, vCISO, CISSP, Cybersecurity Consultant and Entrepreneur | Season 3, Episode 331


 Check us out at:  https://www.cisspcybertraining.com/

Get access to 360 FREE CISSP Questions:  https://www.cisspcybertraining.com/offers/dzHKVcDB/checkout

Get access to my FREE CISSP Self-Study Essentials Videos:  https://www.cisspcybertraining.com/offers/KzBKKouv


AI is starting to change cybersecurity budgets in a surprising place: cyber insurance premiums. We dig into why insurers now care about how you use AI, how “more automation” can still mean “more risk,” and what it looks like when AI expands your attack surface through new APIs, sensitive data exposure, and code that ships with hidden security flaws. If you’re a security leader, risk manager, or CISSP candidate, this is the kind of real-world pressure that turns governance from a buzzword into a business necessity.

From there, we shift into CISSP Question Thursday with Domain 1 practice questions and clear walk-throughs. We cover why discretionary access control matches a data classification model where data owners set permissions, how to use the CIA triad as a risk-based decision tool (especially for e-commerce where availability equals revenue), and a clean distinction between due diligence and due care that you can use in audits, interviews, and exam answers.

We also tackle a scenario every organisation faces: cloud outsourcing and accountability. Even with a contract, you can’t fully transfer liability for protected customer data, and regulators still expect you to manage compliance, vendor risk, and controls. We close with a governance lesson on why awareness training must evolve with the threat landscape, including modern social engineering like deepfake-driven attacks. Subscribe, share this with a friend studying CISSP, and leave a review or comment with the hardest Domain 1 concept you’re trying to master.

Gain exclusive access to 360 FREE CISSP Practice Questions at FreeCISSPQuestions.com and have them delivered directly to your inbox!  Don’t miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success.

Join now and start your journey toward CISSP mastery today!

Welcome And What To Expect

SPEAKER_00

Welcome to CISSP Cyber Training. We might be training and CISSP. My name is Shon Gerber. I'm your host. Join me because I provide the information you need for the CISSP exam and roll your cyber checker in the light.

AI Use Changes Cyber Insurance

CISSP Study Resources And Mentorship

Q1 Data Classification And DAC

Q2 DoS Versus Data Exfiltration Priority

Q3 Due Diligence Versus Due Care

Q4 Cloud Outsourcing And Liability

Q5 Outdated Awareness Training Governance Gap

Study Mindset And Manager Approach

Wrap Up And Where To Subscribe

SPEAKER_01

Hey, Shon Gerber with CISSP Cyber Training, and I hope you all are having a beautifully blessed day today. Today is Thursday, so it's CISSP Question Thursday, and we are going to be talking about various questions related to the CISSP exam. They'll be over Domain 1 for today. But as you guys can probably tell, I have a bit of, actually, just allergies. It's not a cold, it's just allergies, and I am struggling a little bit. So you're gonna get what you get. Sorry, I wish it was better, but unfortunately my body isn't helping out any. So if I'm struggling there, forgive me. We'll do our best to get through this.

But before we get into those questions, I wanted to go over an article that I saw in CSO magazine related to AI use. I keep bringing this up because I see it becoming a bigger factor for cybersecurity professionals that are dealing with cybersecurity for most companies, because of the fact that it's such a new topic. And because it's new, there's a lot of people who don't really know how to deal with it. So this article came out, and it's talking about how AI use is changing how much companies pay for cyber insurance. Now, the interesting part in all this is that as people utilize AI within their companies, that's going to become something that you're gonna have to work through, and cyber insurance is a big factor in that. So a lot of people would think, well, if I'm putting AI within my company, especially within the security space, that could be a really great thing as it relates to helping us make our company stronger and reduce the insurance risk requirements for our company. Both of those are true, but there's also a flip side: as you incorporate a new technology that is relatively untested, it does potentially open you up for more risk.
One of the parts of this article that is interesting, from Andrada Fiscutean, I don't know how to say that, but the bottom line is that McDonald's in 2025 had an unexpected problem on their menu. It allowed you to put in basically one, two, three, four, five, six for the username and for the password. And the reason this happened was because AI had developed their software. And as this security issue occurred, people started asking questions: wait a minute, we're allowing the AI to do this development work. Are we incorporating more risk within our company than we actually need?

So, some key takeaways out of this article that I feel are pretty strong and important. One is AI usage is becoming a factor in cyber insurance pricing. Insurance providers are starting to evaluate how companies use AI when calculating premiums. So if your company is deploying AI, you could face higher premiums or additional scrutiny because AI induces risk, which is an interesting part. It really truly is. Two, AI increases the attack surface. So, as you're dealing with potentially more vulnerabilities based on what AI code development is creating, is that going to create a bigger problem for you and your organization? So, exposure of sensitive data, new APIs that are being created, and then potentially AI-generated code that would introduce security flaws as well. It's really hard to say how this is all going to play out. Obviously we don't know how it's going to play out, but the important part is, as you're looking to deploy AI within your company, you may want to consider these topics before you do, or at least have everybody aware, with their eyes wide open, as they go into this. The third thing that they pulled out of this article was AI can also reduce premiums in some cases.
So basically, by having threat detection, monitoring, and incident response all automated through AI, it could reduce your overall cost, or reduce your premiums, at least for the insurance piece of this. And then the fourth one is insurers are asking more detailed questions. So if you have AI within your company, they're asking more questions, such as what types of AI tools are being used, governance and risk controls that you may have in place around AI, and then any data protection policies for those AI systems. So you have to be crossing the T's and dotting the I's, and you need to have all those documented as you do so. And then the last thing is policies and coverages are evolving. So some insurers are adding AI-specific exclusions and/or conditions that are related to the overall policy. They're requiring additional controls before issuing any sort of coverage, and then they're reassessing risk models because AI changes how cyber attacks can happen.

So if you're looking to put AI within your company, or you probably already have it deployed within your company, bring this up to your insurance people and just say, hey, we don't have a problem right now, because maybe they're not asking that question. And I wouldn't go forward and bring it up unless the insurers are asking you. But at the same time, you may want to have a good plan for that in the future on how to deploy, or how to better mitigate, some of these risks that you may be asked about from your insurance carriers. So, again, an interesting piece on this. AI, people use it everywhere. Do they truly understand how much it could impact their organization, especially from a financial standpoint? So, again, the article is from Andrada Fiscutean. It's from CSO magazine: AI use is changing how much companies pay for cyber insurance. Okay, so let's get into the CISSP questions for today.
You can get all of these CISSP questions at CISSP Cyber Training. You can get access to them as well as all of the other content that is available to you. There's tons of free content, but there's also some paid content that will help you from a mentorship standpoint and help you understand. One, just getting through and passing the test is the first phase. What you really need at that point is the mentorship and coaching piece, which is an extremely important part in your overall cybersecurity plan. I can't stress it enough. Having that ability to meet with a cybersecurity professional who's done it is going to be extremely valuable and important, because when it comes to even negotiating your salary, having an insight would be, I wish I would have had it, honestly. I didn't have that at the time, but having somebody you can talk to to help you through that would be a big, big win. Check that out at CISSP Cyber Training.

Okay, question one. An organization is implementing a new data classification policy. The chief information security officer wants to ensure that the data owners, not the IT department, have the primary responsibility for determining how the data should be protected. Which security model best aligns with this governance philosophy? Okay, so the CISO wants to have data owners, not the IT department, have the responsibility to determine how the data should be protected. Which makes sense, right? Because you want them to know it, because if it's their data, they're the ones that understand it, so you want them to understand and be responsible for how it's protected. So let's go through some of these answers. A, mandatory access controls, where the system enforces classification assigned by a central authority. B, discretionary access controls, where data owners define access permissions for their resources. C, role-based access controls, where the access rights are assigned based on job function.
Or D, rule-based access controls, where access is governed by system-wide rules set by the administrator. Okay, so we're gonna try to go through the ones that we know are not correct. So rule-based access controls, where access is governed by system-wide rules set by the administrator: if the question is asking about the data owners, then anything that is system-wide you would want to throw out, because they are wanting specifically the owners to have this, not some other larger entity. Role-based access controls, RBAC, where access rights are assigned based on job function. Okay, so job function may be valuable if all of the data is in one specific job function. If one function has it, that would be valuable, that could work. However, in most cases, the data itself is pretty scattered and pretty sporadic, and it's not under just one job function typically. So that one would most likely not be the correct answer for that specific reason, that the jobs are much more open. So you might want to bite off on that one and think, oh, hey, I could do that one because it's role-based, right? And I'd say it'd be fine, but let's take an engineering department as an example. My son is part of an engineering department for an HVAC company. If you have one group that's focused specifically on heating and air, that's fine. Maybe that's their job function, and they have a small shop. But let's also say you have heating, air, and other mechanical systems, and you have multiple job entities that are dealing with this. So most likely not all of those people would have the same role. All of those people would have different roles based on the need of their organization. So in that space, you most likely would not want to use role-based access controls. A is mandatory access controls.
This is where the system enforces classifications assigned by a central authority. Again, central authority versus system-wide, very similar concept. You wouldn't want to use that just because it's not having the data owners owning it, it's somebody else. The real answer, the correct answer, is discretionary access controls, where data owners define access permissions for their resources.

Question two. During a security assessment, a consultant discovers that an organization's incident response team treats a denial of service attack against a public-facing website as a lower priority event than a minor data exfiltration from an internal system. The organization's primary revenue source is e-commerce. Which foundational security concept best explains why this prioritization may be incorrect? Okay, so the denial of service against a public-facing website. They are an e-commerce company, and they had a minor data exfiltration, but the team did not address it correctly. A, availability is the most critical CIA component for an organization dependent upon continuous online operations, and its impact should be weighted accordingly in risk decisions. B, the CIA triad demands equal weighting of confidentiality, integrity, and availability for all assets. C, integrity must always be prioritized over availability because data corruption causes irreversible harm. Or D, confidentiality supersedes availability in most risk frameworks because the regulatory penalties for data breaches far exceed revenue losses from downtime. Okay, so all of these things sound great, right? And there's also a lot of big words in here, but let's just break down the question. When you break it down, it comes to, again, we talked about denial of service, we talked about a potential data loss from a site, and then somebody potentially going in the wrong direction here on what they spend their time on.
And the company's an e-commerce site. So if it's an e-commerce site, they need to make money, and they make money when the site is up and operational. Now, data exfiltration is bad, but that's not where they make their money from. Well, maybe they make their money from data, but let's just say they don't. That's a situation where you have to kind of play it out. So let's go through the ones that are not correct. Confidentiality supersedes availability in most risk frameworks because regulatory penalties for data breaches far exceed revenue losses from downtime. Now, this is the risk basis of this. You're gonna have to take this approach. You know that you may have a minor data exfiltration. Minor, that's a key factor there. So you don't want stuff to leave, but that is not the most important thing in your organization. It's keeping your company up. So D would not be correct because, again, it's important, but it's not the most important thing within your company, and therefore I would not use that. So that answer is wrong there. Integrity must always be prioritized over availability because data corruption causes irreversible harm. So integrity is an important part of all of this, but the data corruption piece of this really wasn't part of the question, so that one would be thrown out. C, the CIA triad demands equal weighting of confidentiality, integrity, and availability for all assets. Now, that's not true, because it is important for all assets, but it's not equally weighted. It is dependent upon the overall situation and how you need to deal with it. So in this situation, you want availability more than anything else, because you need to keep your site up and going. So, availability, A, is the most critical CIA component for an organization depending on continuous online operations, and its impact should be weighted accordingly in risk decisions.
So the question comes down to: if you had a massive public departure of data, right, if you had all this data that was exfiltrated, that would take a different approach potentially, even on an e-commerce site, because of the breach issues that roll with it and the potential legal ramifications. However, it stated it was minor, so it would take a backseat, or be a secondary thing, in this overall question. So think about that when you're answering it. Break down the question line by line and see what they're specifically asking you for.

All right, next question. A security manager is developing a due care and due diligence framework for senior leadership. She explains that both concepts are essential to demonstrating legal and ethical responsibility. Which of the following most accurately distinguishes due diligence from due care in an information security context? Okay, so it basically comes down to this: the security manager is hung up on due care and due diligence, which I'd say is not bad, it's good that they're doing that. And they want to help explain this to senior leadership. So she says that they're essential to demonstrating legal and ethical responsibility. Which most accurately distinguishes due diligence from due care? So let's talk about it. A, due diligence refers to an ongoing practice of applying security controls, while due care refers to the initial research phase before implementing security measures. B, due care and due diligence are legally synonymous; the distinction is only relevant in academic contexts. C, due diligence is the act of researching and understanding risks and best practices, while due care is the act of implementing reasonable measures to protect assets based on that knowledge. Or D, due diligence applies only to third-party vendor assessments, while due care governs internal security operations. Okay, so let's talk through these. Which ones are not correct?
So let's go with the easy ones that are not correct. B, due care and due diligence are legally synonymous. I would say they're used synonymously in many ways, but they are not legally synonymous. The distinction is only relevant in academic contexts. That is not true. Okay, so we know due care and due diligence are very different, and we're gonna explain those in just a minute. But the point of it is they are not legally synonymous. So B would be thrown out. A, due diligence refers to an ongoing practice of applying security controls, while due care refers to the initial research phase before implementing the security measures. Okay, so that is flipped, right? When you're dealing with due diligence, that is the research piece of this. Due care is when you're actually putting measures in place to protect the organization and the assets that are under its tutelage or umbrella. Then D, due diligence applies only to third-party vendor assessments, while due care governs internal operations. Okay, so due diligence should occur with all things, whether it's internal or external, and the same with due care. You want to make sure that if you had a third-party vendor assessment, you are picking the right third party. So you would do due care to make sure that you have reasonable measures in place to protect you from them and them from you. That's the point of that. So the real answer here, the correct answer, is C. Due diligence is the act of researching and understanding risks and best practices. That's the due diligence. While due care is the active implementation of reasonable measures to protect assets based on knowledge. Okay, so due care is researching and understanding the overall risks. Due care is implementing reasonable measures.

All right, so let's move on to the next question. A large financial institution outsources its cloud data storage to a third-party provider.
A regulatory audit finds that the institution is liable for a data breach that originated from a misconfiguration of the cloud provider's environment. Typical. The institution's legal team argues that they transferred risk to the cloud provider via a contract. Which of the following best explains why the institution remains liable? Okay, so you have a large financial institution and it moved its cloud data storage to a third-party provider. The regulatory audit comes in and says they're liable for a data breach that originated because of a misconfiguration of the cloud provider's environment. So the cloud provider goofed up and something's wrong with them, and therefore there's a misconfiguration, and that's how the data breach happened. The institution's legal team argues they transferred risk. Okay, so we talk about risk and how do we deal with that? They transferred the risk to a cloud provider via a contract. So they're saying that because they wrote something on paper, it's not our problem, it's the cloud provider's problem. Which of the following best explains why the institution still remains liable? A, risk transference through a contract eliminates legal liability entirely, so the audit finding is invalid. Okay, we will come to that. B, the institution should have used risk avoidance instead of risk transference to eliminate this exposure. C, cloud providers are always solely liable for breaches originating in their infrastructure under international data protection regulations. Or D, liability for protected customer data cannot be fully transferred; the organization remains ultimately accountable for regulatory compliance even when operational responsibility is outsourced. Okay, so big words, lots of words. What does this mean? So let's go to the ones that are wrong. Risk transference through a contract eliminates legal liability entirely, so the audit team's finding is invalid.
You're never in that situation. You're just not. You just can't. Even if you moved all your data to them, you still are the voice or the face for that data; you can't do that. You will be liable in some form or fashion. And again, I'm not a lawyer, so don't take this as lawyer advice, but this is stuff I've run into as a CISO for a very large multinational and also being in the security space for over 20 years. That's a big factor right there. So you can't transfer away, or eliminate, all your legal liability. B, the institution should have used risk avoidance instead of risk transference to eliminate the exposure. Okay, so this is partially right. They should have used risk avoidance in some respects, put some controls in place to mitigate some of that risk and to avoid some of the risk that they have. They could have done different things potentially to do that, but they decided to say, I'm risk transferring all of my stuff over to you, so therefore the risk is all in your bucket. That was just a poor thought process when they put this in place. They did not do this correctly. C, the cloud providers are always solely responsible for breaches originating in their infrastructure under international data protection regulations. Okay, so I don't know of an international data protection regulation that says that. Not that I'm aware of. But are the cloud providers responsible? Yes. Will they be liable? Yes. But are they solely liable? No, because it originated from you. You brought the data in, you passed it on to them. And I would say a lot of times these misconfigurations with clouds may not even happen with the cloud provider. It may have been you modifying your GCP or AWS environment that actually caused a breach as well. So, yeah, the moment you move to a cloud provider, that does not absolve you from any sort of legal liability. So the answer is D.
Liability for protecting customer data cannot be fully transferred. The organization retains ultimate accountability for regulatory compliance, even when operational responsibility is outsourced. So I outsourced a lot of operational responsibility, but I also did due diligence on that company, and I put in due care to make sure that I had controls in place so that if data was lost or data was mishandled, I had mechanisms to deal with that. Both from a contractual aspect, so we would add contract language that would specifically say that they'd be held liable, as well as I put in place technical controls to help me understand and mitigate. I also was involved in how some of the technical controls they put in, with these different third parties, to better understand how my data is being protected. So a lot of stuff there, but break it down into the fact that you cannot fully get out of any sort of risk when it comes to these aspects. You are going to be having some level of risk involved.

An organization's security policy requires that all employees complete annual security awareness training. The policy was approved by the board of directors five years ago and has not been revised. The CISO is preparing for an audit and realizes the training content does not address current social engineering threats, such as deepfake-based vishing attacks. From a governance perspective, which failure most directly contributed to this gap? Okay, so they have annual security awareness training. Okay, they have that set up. The policy was approved by the board of directors five years ago. So it was approved, but it was a long time ago and has not been revised. So what does that mean? Well, the CISO's probably not doing his or her job. But he or she is preparing for an audit and realizes, oh poo, this has not been done. What do I do? So from a governance perspective, which failure most directly contributed to this gap?
All right, so A, lack of security culture, because employees who attended annual training should have self-reported this emerging threat. Okay, so they should have stood up and said, hey, we have a problem. B, failure to apply continuous monitoring controls on the organizational threat landscape and update policies accordingly. C, the board of directors failed to perform due care by not attending the security training themselves. Or D, the organization relied on a preventive control, training, when a detective control could have been more effectively used against the phishing. Okay. So which one is it? So let's break these down into the ones that are not correct again. A, the organization relied on a preventive control, training, when detective controls would have been more effective against phishing. So if you had phishing within your organization, or maybe you don't have it, maybe it's just a thing that's hitting organizations like you, you really couldn't have a detective control about that. And still it comes down to, even if you did have a detective control that would help you prevent or even highlight some of these phishing attacks, the actual aspect that's going to be an important part in this is the fact that you don't have a process to bring that to people's attention. So it doesn't really help. You need a process by which people are going to understand the threats and how they would help modify the policies. C, the board of directors failed to perform due care by not attending security training themselves. Okay, so maybe they didn't, and maybe that's a failure on their part. But it's not their responsibility, it's the CISO's responsibility to do this, not theirs. So he or she should have been bringing this information up to them way before the five-year mark, and gone to the board and said, this is our training and these are some of the gaps; we need to make some changes to it.
That is what potentially happened there. A, the lack of security culture, because employees who attend annual training should have been self-reporting emerging threats. Okay, so I will tell you I can count on one hand how many of the folks that I have provided training to in the past have brought up threats that they thought we should have in our training that we don't. And the reason I say that is because they are good at their job; I should be good at my job. Now, that doesn't mean they shouldn't provide feedback. They should, as much as they possibly can, but it's not really their core competency to be able to do that. So you should not rely on people to do that. So that's why that answer is just bunk. It's not right at all. So the real answer, the right answer, is failure to apply continuous monitoring controls to the organization's threat landscape, so you don't know what threat is coming against you, and update the policies accordingly. So you don't know what the threat is, and you're not updating your policies, which is obvious after five years; you didn't update them at all. So intelligence is important, and then being fully engulfed and engaged with your overall policies and governance process isn't the next step.

So again, as you study for the CISSP and you see these questions, make sure that you take your time. I know you have limited time to take the test, but you're better off taking your time, especially on some of these larger questions that have bigger words in them, to walk through line by line, and then from there make decisions on how you should answer. And again, we talk about this: you're making decisions as a manager, not as a technical representative. There are some technical aspects to the CISSP, but 90% of it is based on the manager piece, and you making decisions as a manager would. Okay, that's all I have for you today. I hope you guys enjoyed this.
Please feel free to come on over to CISSP Cyber Training, get all the free content that I have available. Please like me on YouTube, or I should say subscribe. I have lots of stuff that goes out on YouTube as well, so please subscribe to that. And then also please add a comment in the podcast that you listen to about what you think about the course or what I'm talking about. Hopefully, you're getting value out of it. At a minimum, if you're studying for the CISSP, I can at least bring you some sort of cybersecurity experience that will help you with your career long term. Go check out CISSP Cyber Training and see what we can do to help you with your cybersecurity career. Have a great day. We'll talk to you later. Bye.

Thanks so much for joining me today on my podcast. If you like what you heard, please leave a review on iTunes, as I would greatly appreciate your feedback. Also, check out my videos that are on YouTube. Just head to my channel at CISSP Cyber Training, and you will find a plethora or a cornucopia of content to help you pass the CISSP exam the first time. Lastly, head to CISSP Cyber Training and sign up for 360 free CISSP questions to help you in your CISSP journey. Thanks again for listening.