Chapter 15 Quiz: Resilience, Tabletops, and Continuous Learning

Test your knowledge of resilience engineering, tabletop exercises, purple team operations, and the continuous improvement cycle.


Questions

1. Which of the four cornerstones of resilience engineering involves the ability to recognize early warning signs before a significant incident occurs?

  • A) Absorb
  • B) Adapt
  • C) Anticipate
  • D) Restore
Answer

C — Anticipate

The four cornerstones are: Anticipate (recognize early warnings), Absorb (withstand disruption), Adapt (modify behavior under stress), Restore (return to normal operations). Anticipation is the proactive/leading indicator function.


2. A tabletop exercise is conducted where only the IR team and CISO attend. Which critical stakeholder group is most commonly overlooked in tabletop exercises?

  • A) IT operations
  • B) Legal and compliance
  • C) External vendors
  • D) Board members
Answer

B — Legal and compliance

Legal and compliance are frequently overlooked in tabletop exercises despite being critical for regulatory notification decisions, ransom payment considerations, and legal privilege questions during incidents. IT ops (A) is usually included. Vendors (C) and board (D) are less essential for operational exercises.


3. What distinguishes a purple team exercise from a traditional red team assessment?

  • A) Purple teams use real threat actor tools; red teams do not
  • B) Purple teams involve collaboration between offense and defense, with defenders observing attacks and tuning in real-time
  • C) Purple teams focus exclusively on social engineering
  • D) Red teams report to the CISO; purple teams report to the board
Answer

B — Purple teams involve collaboration between offense and defense, with defenders observing attacks and tuning in real-time

Purple team exercises are collaborative: the red team (offense) executes techniques while the blue team (defense) observes and tunes detection in real time. Traditional red teams operate covertly without coordination with the blue team, testing detection capability without assistance.


4. In a tabletop exercise, which technique is used to add new information mid-scenario to increase complexity or test team decision-making under changing conditions?

  • A) Hotwash
  • B) After-action review
  • C) Inject
  • D) Scope expansion
Answer

C — Inject

An inject is a piece of new information introduced during a tabletop to advance the scenario, add complexity, or test a specific decision point. Example: "Breaking news: a ransomware variant affecting your industry was just published by CISA." A hotwash is the immediate debrief after an exercise.


5. Which lesson quality issue is described by: "Our backups worked" versus "We tested restoration from backup within 4 hours for a 2TB dataset — this met our RTO."?

  • A) The first is a vague/poor lesson; the second is specific and measurable
  • B) The first is more actionable; the second is over-detailed
  • C) Both are equivalent in quality
  • D) The first demonstrates resilience; the second does not add value
Answer

A — The first is a vague/poor lesson; the second is specific and measurable

A poor lesson states a vague outcome without context ("backups worked"). A good lesson includes specifics: what was tested, under what conditions, what the result was, and whether it met the objective. Specificity makes lessons repeatable and validatable.


6. The PDCA cycle for continuous improvement in security operations stands for:

  • A) Plan, Deploy, Check, Archive
  • B) Plan, Do, Check, Act
  • C) Prepare, Detect, Contain, Analyze
  • D) Prioritize, Develop, Confirm, Automate
Answer

B — Plan, Do, Check, Act

PDCA (Deming cycle): Plan (identify improvement and plan change), Do (implement on small scale), Check (measure results vs. expectations), Act (standardize if successful, or adjust and repeat). This is the foundation of continuous quality improvement.


7. A post-incident review identifies that detection failed because the EDR agent was not deployed on 23% of endpoints. The lesson documented is: "Deploy EDR to all endpoints." A better lesson would be:

  • A) "EDR agent deployment gap caused detection failure; implement automated deployment verification dashboard with ≥98% coverage SLA."
  • B) "EDR is not sufficient; also deploy NDR."
  • C) "EDR deployment is IT's responsibility, not the SOC's."
  • D) "Accept the gap as a known risk."
Answer

A — "EDR agent deployment gap caused detection failure; implement automated deployment verification dashboard with ≥98% coverage SLA."

A good lesson identifies the root cause, the specific gap, and a measurable remediation with an owner and success criteria. Option A adds specificity (root cause, metric, mechanism). The original lesson ("deploy to all endpoints") lacks a success metric, owner, and verification mechanism.


8. Which resilience cornerstone most directly describes a SOC's ability to handle 3× normal alert volume during a major incident without complete operational failure?

  • A) Anticipate
  • B) Absorb
  • C) Adapt
  • D) Restore
Answer

B — Absorb

Absorb is the ability to withstand disruption and maintain operations under stress. Handling surge alert volume without complete failure is an absorption capability. Adapt refers to changing processes under stress; Restore refers to returning to normal after disruption.


9. Which of the following is NOT a valid tabletop scenario category?

  • A) Business disruption scenario
  • B) Nation-state intrusion scenario
  • C) Vendor breach affecting the organization
  • D) Penetration test without defender knowledge
Answer

D — Penetration test without defender knowledge

A penetration test without defender knowledge is a red team exercise, not a tabletop. Tabletops are discussion-based scenarios. Business disruption (A), nation-state scenarios (B), and vendor breach scenarios (C) are all valid tabletop categories.


10. After completing a purple team exercise, the detection team finds that Pass-the-Hash (T1550.002) attacks are not detected. What should be their first response?

  • A) Accept the gap as low priority since PtH is a legacy technique
  • B) Immediately block all NTLM authentication
  • C) Document the gap in the detection backlog, develop a detection rule, test against synthetic data, and deploy via change control
  • D) Report the gap to the CISO and await further instructions before acting
Answer

C — Document the gap in the detection backlog, develop a detection rule, test against synthetic data, and deploy via change control

The detection engineering response to a coverage gap found in purple team is: document → develop detection → test (synthetic TP/TN data) → peer review → stage → promote via change control. Blocking all NTLM (B) would disrupt operations. Waiting for the CISO (D) delays remediation unnecessarily.


Scoring

Score | Performance
----- | -----------
9–10  | Expert — Advanced understanding of resilience and improvement cycles
7–8   | Proficient — Ready to design tabletops and lead improvement processes
5–6   | Developing — Review Chapter 15 resilience cornerstones and lesson quality sections
<5    | Foundational — Re-read Chapter 15 before completing the benchmark assessment



Congratulations!

You've completed all 15 chapter quizzes. You're ready to:

  1. Complete the self-assessment workbook (Self-Assessment Guide)
  2. Run a full benchmark assessment (How to Use This Benchmark)
  3. Build your improvement roadmap (Findings Template)