
Governance, Risk, and Compliance (GRC) Problem-Solving and Analytical Questions
- 10 Topics

1. You have a container of 100 liters filled with a solution at a 10% concentration of substance A. If you remove 10 liters of the solution and replace it with pure water, what is the new concentration of substance A in the container?
2. A company experiences a data breach that exposes the personal information of 1,000 customers. If the average cost of mitigation per customer is estimated at $200, what is the total estimated financial impact on the company?
3. An organization is assessing its risk levels on a scale of 1 to 10 for various compliance areas. If the total score for five areas is 35, what is the average risk score across those areas?
4. You’re tasked with prioritizing vulnerabilities based on their impact and likelihood. If a vulnerability has a likelihood rating of 4 (on a scale of 1-5) and an impact rating of 5, how would you calculate its risk score if the formula is: Risk Score = Likelihood × Impact?
5. A security team finds that 70% of the alerts generated by their monitoring system are false positives. If they receive 1,000 alerts in a week, how many of those alerts should they investigate to ensure they are not missing true positives?
6. You are reviewing a compliance report that lists 50 different compliance requirements. If 10% of them are flagged as issues needing remediation, how many requirements need to be addressed?
7. An organization has identified 300 high-risk assets in its environment. If 60% of these assets are not compliant with security policies, how many assets are in compliance?
8. Your company has a compliance requirement to encrypt 90% of its sensitive data. If you currently have 1,000 sensitive records and 650 of them are encrypted, what percentage of your sensitive data still needs to be encrypted to meet the compliance requirement?
9. A cybersecurity policy requires that no more than 5% of employees should have access to sensitive data. If there are 200 employees in total, how many employees can have access without breaching the policy?
10. You are managing risk assessments for three projects with risk ratings of 8, 3, and 5, respectively, on a scale of 1 to 10. What is the average risk rating for all three projects, and what does this indicate about the overall risk profile?