1. National Institute of Standards and Technology (NIST) Special Publication 800-53, Revision 5, "Security and Privacy Controls for Information Systems and Organizations."
Reference: Control AC-7, "Unsuccessful Logon Attempts."
Content: This control requires the system to enforce a limit on consecutive unsuccessful logon attempts and to take a defined action (e.g., locking the account or node) once that limit is reached. This underscores the principle that monitoring these attempts is a critical security control for identifying and responding to potential attacks.
2. CIMA Professional Qualification Syllabus, P3 – Risk Management (2019).
Reference: Section B: Enterprise Risk, 2. (c) "Discuss the sources, and impact of, information systems risks..."
Content: The syllabus requires candidates to understand risks related to information systems, including unauthorized access. A key control to manage this risk is monitoring access logs, with a particular focus on anomalies such as repeated failed attempts, which are a direct symptom of a potential breach.
3. Pfleeger, C. P., Pfleeger, S. L., & Margulies, J. (2015). Security in Computing (5th ed.). Prentice Hall.
Reference: Chapter 4, "Authentication," Section 4.3 "Passwords."
Content: The text discusses password-guessing attacks and countermeasures. It highlights that "a simple countermeasure is to log all failed login attempts... A security administrator can review the log, looking for suspicious patterns." This confirms that monitoring failed attempts is a standard and effective security practice.
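As an added example (not code from any of the sources above), the kind of check that AC-7 and the Pfleeger text describe: it parses constructed sshd-style "Failed"/"Accepted" log lines and reports an account once it reaches a configurable number of consecutive failed logons within a time window, with a successful logon resetting the count. The log format, the five-attempt threshold and the fifteen-minute window are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an sshd-like format (not taken from any real system).
SAMPLE_LOG = """\
2024-03-01T09:00:01 sshd: Failed password for alice from 203.0.113.5
2024-03-01T09:00:04 sshd: Failed password for alice from 203.0.113.5
2024-03-01T09:00:07 sshd: Failed password for alice from 203.0.113.5
2024-03-01T09:00:09 sshd: Accepted password for alice from 203.0.113.5
2024-03-01T09:01:00 sshd: Failed password for bob from 198.51.100.7
2024-03-01T09:01:02 sshd: Failed password for bob from 198.51.100.7
2024-03-01T09:01:05 sshd: Failed password for bob from 198.51.100.7
2024-03-01T09:01:08 sshd: Failed password for bob from 198.51.100.7
2024-03-01T09:01:11 sshd: Failed password for bob from 198.51.100.7
2024-03-01T09:20:00 sshd: Failed password for carol from 192.0.2.9
2024-03-01T09:45:00 sshd: Failed password for carol from 192.0.2.9
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) password "
                     r"for (?P<user>\S+) from (?P<ip>\S+)$")

def parse_line(line):
    # Return a dict for a recognised line, or None for anything else (assumed format).
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "failed": m["result"] == "Failed",
            "user": m["user"], "ip": m["ip"]}

def find_lockouts(log_text, max_attempts=5, window=timedelta(minutes=15)):
    """AC-7-style check: report an account once it reaches max_attempts consecutive
    failures inside `window`; a successful logon or a gap longer than the window resets it."""
    streak = defaultdict(list)  # user -> timestamps of the current run of failures
    lockouts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        run = streak[ev["user"]]
        if not ev["failed"]:
            run.clear()  # a successful logon ends the run of consecutive failures
            continue
        if run and ev["ts"] - run[0] > window:
            run.clear()  # earlier failures fell outside the window; start a fresh run
        run.append(ev["ts"])
        if len(run) == max_attempts:
            lockouts.append((ev["user"], ev["ip"], ev["ts"].isoformat()))
    return lockouts
```

With the sample above only `bob` trips the default threshold; `alice` is reset by her successful logon and `carol`'s two failures are too far apart to count as one burst.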