CompTIA SecurityX (CAS-005) — Question 9

A security analyst is investigating a possible insider threat incident that involves the use of an unauthorized USB from a shared account to exfiltrate data. The event did not create an alert. The analyst has confirmed the USB hardware ID is not on the device allow list, but has not yet confirmed the owner of the USB device. Which of the following actions should the analyst take next?

Answer options

• A. Classify the incident as a false positive.
• B. Classify the incident as a false negative.
• C. Classify the incident as a true positive.
• D. Classify the incident as a true negative.

Correct answer: B

Explanation

The correct action is to classify the incident as a false negative because an unauthorized USB was used without generating an alert, indicating a failure in detection. Classifying it as a false positive would imply that an alert was incorrectly triggered, which is not the case here. A true positive would mean the alert was correctly generated for a real incident, and a true negative would suggest no incident occurred, both of which are inaccurate given the circumstances.