Internal Auditing Standards and Practices – Cybersecurity Practice Test


Which sampling methods are appropriate for cybersecurity testing and how should they be applied?

Only random sampling

Only systematic sampling

Attribute, variable, and discovery sampling

A well-rounded cybersecurity test relies on a mix of sampling approaches to capture both the presence of security controls and the extent of issues, plus the ability to uncover unknown weaknesses. Attribute, variable, and discovery sampling together give a complete picture.

Attribute sampling checks for a yes/no security property on items you’re examining. For example, you might test whether critical patches are applied on each host or whether MFA is enabled on user accounts. This tells you how many assets meet the control and helps determine compliance gaps or misconfigurations.

Variable sampling looks at quantitative measures. In security testing, you might tally the number of vulnerabilities found per system, measure time-to-patch, or quantify the severity distribution of findings. This provides insight into the magnitude and distribution of risk, not just whether a control exists.

Discovery sampling is used to find things you didn’t necessarily target in advance—like unknown services, new devices on the network, misconfigurations, or risky exposure surfaces. It helps reveal issues that predefined tests might miss, expanding the scope to catch hidden risks.

Applying these together means planning with a risk-based mindset: define objectives, choose how many items to sample and how to select them (randomization, stratification across assets or networks), and specify how results will be interpreted for each sampling type. For attribute tests, use acceptance criteria to decide if controls are in place; for variable tests, use quantitative thresholds and confidence intervals; for discovery tests, conduct exploratory scans and follow up on any newly identified findings.

Choosing only random or only systematic sampling would leave out either the quantification of issues or the discovery of unknown risks, and saying no sampling is permissible runs counter to practical, effective testing. Sampling is essential to efficiently and comprehensively assess cybersecurity posture.

No sampling is permissible
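The three sampling types described in the explanation, worked through in code as an added example (this is not part of the practice test or its provider's material). It runs over a small, constructed host inventory and a hypothetical approved-port baseline; the acceptance criterion (at most one unpatched host), the time-to-patch threshold (14 days) and the normal-approximation confidence interval are illustrative choices, not standards drawn from the page.

```python
import math
import random
from collections import defaultdict
from statistics import mean, stdev

# Constructed inventory for illustration: patch status (attribute), days-to-patch
# (variable) and listening ports (discovery). None of these are real hosts.
INVENTORY = [
    {"host": "web-01",    "patched": True,  "days_to_patch": 5,    "ports": {22, 443}},
    {"host": "web-02",    "patched": True,  "days_to_patch": 9,    "ports": {22, 443, 8080}},
    {"host": "db-01",     "patched": False, "days_to_patch": None, "ports": {22, 5432}},
    {"host": "db-02",     "patched": True,  "days_to_patch": 12,   "ports": {22, 5432}},
    {"host": "app-01",    "patched": True,  "days_to_patch": 3,    "ports": {22, 443}},
    {"host": "app-02",    "patched": True,  "days_to_patch": 20,   "ports": {22, 443}},
    {"host": "jump-01",   "patched": True,  "days_to_patch": 7,    "ports": {22}},
    {"host": "legacy-01", "patched": False, "days_to_patch": None, "ports": {22, 23, 443}},
]

# Hypothetical baseline of services approved to listen on any host.
APPROVED_PORTS = {22, 443, 5432}


def stratified_sample(hosts, per_stratum, seed=1):
    """Randomly pick `per_stratum` hosts from each role (the name prefix before '-').

    Stratifying by asset class keeps small but important groups (e.g. jump hosts)
    from being missed by a plain random draw over the whole inventory.
    """
    rng = random.Random(seed)
    strata = defaultdict(list)
    for h in hosts:
        strata[h["host"].split("-")[0]].append(h)
    sample = []
    for role in sorted(strata):
        k = min(per_stratum, len(strata[role]))
        sample.extend(rng.sample(strata[role], k))
    return sample


def attribute_test(sample, max_failures=1):
    """Yes/no control check: is the critical patch applied on each sampled host?

    The control is accepted when the number of exceptions is within the
    acceptance criterion chosen during planning.
    """
    failures = [h["host"] for h in sample if not h["patched"]]
    observed_rate = 1 - len(failures) / len(sample)
    return {
        "observed_rate": observed_rate,
        "failures": failures,
        "accept": len(failures) <= max_failures,
    }


def variable_test(sample, threshold_days=14, z=1.96):
    """Quantitative check: mean time-to-patch with a 95% normal-approximation interval.

    The control meets the threshold only if the whole upper bound of the
    interval is within the allowed number of days.
    """
    values = [h["days_to_patch"] for h in sample if h["days_to_patch"] is not None]
    m = mean(values)
    half_width = z * stdev(values) / math.sqrt(len(values))
    return {
        "n": len(values),
        "mean": m,
        "ci": (m - half_width, m + half_width),
        "within_threshold": m + half_width <= threshold_days,
    }


def discovery_test(sample, approved=APPROVED_PORTS):
    """Exploratory check: report any listening port that is not in the approved baseline.

    Each finding is a lead for follow-up, not a pass/fail verdict.
    """
    return {
        h["host"]: sorted(h["ports"] - approved)
        for h in sample
        if h["ports"] - approved
    }


if __name__ == "__main__":
    sample = stratified_sample(INVENTORY, per_stratum=2)
    print("attribute:", attribute_test(sample))
    print("variable: ", variable_test(sample))
    print("discovery:", discovery_test(sample))
```

The three functions are deliberately separate because each answers a different question: attribute sampling yields a compliance decision against an acceptance criterion, variable sampling yields a magnitude with an interval to compare against a threshold, and discovery sampling yields a list of items to investigate. Running them over the full inventory instead of a sample gives the population figures, which is a useful check on whether the chosen sample size was adequate.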
