How to actually translate what you know into marks. Content you know but answer badly = wasted marks. Content plus technique = the grade you deserve.
Read the command word first: it tells you what kind of answer is wanted (state, explain, analyse, evaluate). Use structured templates for common question types: attack analysis = CIA + AAA + mechanism + defence; design answer = requirements + threats + architecture + controls + justification. Name specific technologies, laws, and attacks rather than staying generic. Australian context (OAIC, Privacy Act, ACSC Essential Eight, Optus/Medibank) adds marks. Match answer length to mark allocation: ~2 minutes per mark.
19.1 Command Words: What's Actually Being Asked
Exam questions begin with a command word that determines the depth and type of response expected. Students who answer "define" questions with full essays waste time; students who give one-sentence answers to "evaluate" questions lose marks. Match the response to the command.
| Command word | What examiners want | Typical length (per mark) |
|---|---|---|
| State / List / Name | A short factual answer. No explanation needed. | A phrase per mark |
| Define | A precise definition of a term. | One clear sentence per mark |
| Describe | A factual account of what something is or does. Some detail, no analysis. | A few sentences per 2-3 marks |
| Explain | Tell why or how. Include causes, mechanisms, reasons. | A short paragraph per 3-4 marks |
| Compare / Contrast | Give similarities and/or differences between two things. Address both sides. | Structured point-by-point |
| Analyse | Break the topic into parts, examine relationships, identify causes and consequences. More depth than "explain". | Several structured paragraphs |
| Evaluate / Assess / Justify | Make a judgement, supported with reasons. Weigh trade-offs. Usually requires a concluding position. | Structured argument; take a side |
| Discuss | Present multiple viewpoints, arguments for and against. May or may not require a final position. | Balanced structured argument |
| Design / Propose / Recommend | Create a solution or plan. Justify each design choice. | Structured by the framework in Ch 16 |
| Calculate | Show working. Even if the answer is wrong, correct method earns method marks. | All working visible |
BEFORE YOU WRITE ANYTHING: underline the command word and the mark value on the question itself. A "state" worth 2 marks is two quick phrases. An "analyse" worth 8 is a multi-paragraph structured answer. Don't write the wrong shape.
19.2 The 2-Minutes-Per-Mark Rule
A common rule: spend roughly 2 minutes per mark. If you're given a 3-hour exam worth 100 marks, budget ~1.8 minutes per mark. This is a rough guide; adapt it to your exam's specific structure.
Why it matters:
- Students frequently over-invest in early questions and run out of time
- Last-question marks are usually the easiest marks left on the table; don't leave them blank
- If you're on question 6 and way over time, move on. Come back if time permits.
EXAM TRIAGE: At the start of the exam, glance through everything. Note which questions look easy/hard. Start with the section you're strongest in to build confidence and bank marks. Then tackle the trickier sections. Save the most time-consuming questions for last; by then your brain has warmed up anyway.
19.3 Structured Templates for Common Question Types
The single biggest upgrade you can make is to use templates for recurring question types. Examiners are looking for specific structural features; writing in that structure makes marks easy to award.
Template 1: "Analyse / explain this attack"
Near-universal structure for attack questions:
1. Name the attack type (from Chapter 10), e.g., phishing, ransomware, MITM, DDoS, SQLi
2. State what CIA pillar(s) are violated: Confidentiality, Integrity, Availability (use CIA tags)
3. Identify the AAA step(s) that failed: authentication, authorisation, or accounting
4. Explain the mechanism: how the attacker actually achieves it, step by step
5. State the impact: specific harm to specific people / systems
6. Recommend defences, tied directly to the failure modes identified
Even in a 4-mark question, you can compress all six elements into one tight paragraph. That's a structured answer that earns every available mark.
Template 2: "Design a secure system for X"
Use the 5-step framework from Chapter 16:
1. Requirements: what the system must do, who the users are, what data is involved
2. Threats: likely threat actors, attack vectors, what's most at risk (CIA for each threat)
3. Architecture: network zones/segments, where services sit, key devices
4. Controls: specific security mechanisms mapped to the threats identified
5. Justify: explain why each control addresses which threat; invoke Risk = Likelihood × Impact
Name specific technologies (WPA3-Enterprise, TLS, MFA, segmentation, least privilege). Reference frameworks (ACSC Essential Eight). Mention Australian legal obligations (Privacy Act + NDB). Each named specific = extra credibility.
Template 3: "Compare A and B"
Use a structured format, either a tabular comparison or point-by-point text. Don't write two separate paragraphs ("A does this... B does this..."), because you risk missing the actual comparison points. Instead, pick 3-4 dimensions and address both on each:
"Compare TCP and UDP":
- Reliability: TCP guarantees delivery; UDP does not
- Speed / overhead: TCP slower due to handshake and ACKs; UDP lean and fast
- Use cases: TCP for web/email/file transfer; UDP for video/gaming/DNS
- When each is preferred: reliability-critical = TCP; latency-critical = UDP
Template 4: "Evaluate / justify a choice"
When asked to evaluate, you MUST take a position. The structure:
1. State the choice you're recommending
2. Give 2-3 supporting reasons, each backed with specifics
3. Acknowledge the main counter-argument or trade-off
4. Explain why your choice still wins despite the trade-off
5. Conclude with a clear recommendation
Sitting on the fence ("it depends") earns fewer marks than a clear, well-reasoned position. Even imperfect reasoning in favour of a definite answer usually beats hedging.
19.4 Vocabulary That Earns Marks
Certain phrases signal precise thinking and should feature in your answers. Treat this as your vocabulary checklist:
| Topic | Upgrade phrases |
|---|---|
| Attacks | "violates Confidentiality", "this is a [CIA: Availability] attack", "exploits [specific vulnerability]" |
| Access control | "principle of least privilege", "role-based access control (RBAC)", "separation of duties", "AuthN vs AuthZ" |
| Design | "defence in depth", "blast radius", "attack surface", "fail-safe defaults" |
| Cryptography | "symmetric vs asymmetric", "TLS handshake", "digital signature", "forward secrecy" |
| Incident response | "dwell time", "blast radius", "eradication vs containment", "lessons learned" |
WHY THIS WORKS: Examiners look for signals that you're thinking like a security professional, not like someone who read a textbook once. Using precise technical vocabulary is exactly that signal. "Principle of least privilege" scores higher than "don't give everyone admin." "Violates Confidentiality" scores higher than "someone saw the data."
19.5 Common Mistakes to Avoid
The "generic answer" trap
"Use a firewall and strong passwords" is not a security plan. Every question about defence needs specific technologies for the specific threat. If the attack is phishing, the defences are MFA, email filtering, user training and DMARC, not just "firewall and strong passwords."
The "laundry list" trap
Writing a long bullet list of every defence you know, without connecting them to the threat, is padding. Five well-justified controls beat fifteen unconnected ones. Each control should explicitly tie to a threat identified earlier. (Cross-reference: the Ch 16 design framework, where every control is mapped to a specific threat.)
The "absolutes" trap
"HTTPS stops all MITM attacks": too absolute. "Encryption makes data impossible to read": too absolute. "Backups solve ransomware": too absolute. Security is about trade-offs and risk reduction, not total elimination. Soften absolutes with phrases like:
- "under normal conditions"
- "mitigates but does not eliminate"
- "the primary defence"
- "significantly reduces the risk"
- "typically"
The "vague diagram" trap
Diagrams earn marks only if labelled. A diagram with "router", "switch", "computer" is worth far more than the same diagram without labels. Always:
- Label every device and what it does
- Show IP ranges/subnets where relevant
- Show firewall/border positions
- Show data flows with arrows
The "ignoring the Australian context" trap
Writing a generic answer when the question is about an Australian scenario loses easy marks. Any question involving data breaches, privacy, surveillance, or cybercrime in Australia should reference the Privacy Act 1988, NDB scheme, OAIC, ACSC, or Essential Eight where relevant. This is free marks if you remember.
The "CIA tags missing" trap
Every time you mention an attack or a control, quickly tag the CIA pillar(s) involved. This signals structured thinking and earns marks even on short questions:
- "DDoS attack [CIA: A]..."
- "Encryption protects [CIA: C, I]..."
- "Backups restore [CIA: A] after ransomware..."
19.6 Working Through a Question: A Worked Example
Let's walk through the thought process for an 8-mark question.
Example question (8 marks)
"A medium-sized Sydney law firm has suffered a ransomware attack delivered via a phishing email to an employee. The attacker encrypted files across the internal network. Analyse the attack and recommend controls that would reduce the likelihood and impact of similar future attacks."
Step 1: Decode the question.
- Command: "Analyse" + "recommend controls" = two tasks.
- Mark value: 8 = roughly 16 minutes, multi-paragraph structured answer.
- Key context: Australian firm, ransomware, phishing delivery, lateral spread to encrypt across network.
Step 2: Apply the attack-analysis template. Attack types involved: phishing (initial access), malware/ransomware (execution), likely some form of privilege use or lateral movement (spread). CIA violated: primarily Availability (files encrypted, unusable); potentially Confidentiality (modern ransomware often exfiltrates first). AAA failure: initial access used social engineering on an authenticated user, an authentication attack that bypassed authN via trickery. The lateral spread points to authorisation issues (the user's or compromised account's permissions likely extended too broadly across the network). Accounting failed if detection didn't fire until encryption was underway.
Step 3: Apply the design framework for the controls.
Map controls to threats using Risk = Likelihood × Impact framing:
- Reduce likelihood of initial access: anti-phishing training; email filtering with DMARC/DKIM/SPF checks; MFA on all accounts (especially email); block macros from the internet (ACSC Essential Eight #3); application control (Essential Eight #1).
- Reduce likelihood of lateral spread: principle of least privilege; network segmentation/VLANs; restrict admin privileges (Essential Eight #5); tight file-share permissions.
- Reduce impact if a breach succeeds: tested backups, offline or immutable (Essential Eight #8); endpoint detection and response (EDR) to catch ransomware behaviour early; SIEM monitoring for unusual file activity; tested incident response plan.
Step 4: Add Australian legal context.
Under the Privacy Act 1988 / NDB scheme, if personal information was accessed or exfiltrated, the firm must assess and potentially notify the OAIC and affected individuals. ACSC's Essential Eight maps onto most of the controls above; cite it.
Step 5: Write the structured answer.
- Paragraph 1: the attack analysis (name, CIA, AAA, mechanism).
- Paragraph 2: the controls, grouped as reducing likelihood vs reducing impact.
- Paragraph 3: Australian legal context (NDB, OAIC, Essential Eight).
- Close with one sentence on defence in depth: multiple layers so no single failure is catastrophic.
THE KEY INSIGHT: You didn't need more knowledge than the rest of the guide provides. What you needed was structure. A knowledgeable student who writes an unstructured ramble loses marks compared to a less knowledgeable student who follows the template rigorously. Structure is how you convert knowledge into grade.
19.7 The Day-Of Checklist
- Read each question twice before writing. Underline command word, mark value, any scenario-specific constraints.
- Budget time visibly: write the "move on at" time next to each question, based on mark value.
- Use templates where they fit: attack analysis, design, compare, evaluate.
- Name specifics: technologies, attacks, laws, Australian entities.
- Tag CIA for every attack or control.
- Soften absolutes: "typically", "under normal conditions", "primary defence".
- Invoke Risk = Likelihood × Impact when justifying controls.
- Acknowledge trade-offs when evaluating.
- End evaluations with a clear position.
- Label diagrams.
- Leave 10 minutes at the end to re-read and add anything you missed.
FINAL RULE: A partial answer to every question beats a perfect answer to half the questions. Even in your weakest area, write something structured โ command word response, CIA tag, one named control. Blank earns zero; something structured earns partial marks. Spread the butter thin if you must.
19.8 Quiz Time
A question asks "Describe three network attacks" (6 marks). How should you structure your answer?
"Describe" = factual account, not analysis. 6 marks ÷ 3 attacks = 2 marks each, so about 2 sentences per attack.
Good structure: for each attack, (1) name it, (2) briefly say what it does and how, (3) tag CIA. Example: "Phishing: an attacker sends a fraudulent message designed to trick the recipient into clicking a malicious link or entering credentials on a fake site. Primarily a confidentiality attack [CIA: C] when credentials are stolen."
Repeat for two other attacks (e.g., DDoS, ransomware, MITM, SQL injection). Don't waste time on deep analysis; "describe" didn't ask for it. Save the depth for "analyse" questions.
Why is "add more firewalls" a weak answer when asked to improve security?
It's generic, unspecific, and doesn't tie to a particular threat. A strong answer names specific controls addressing specific risks: "Deploy a stateful firewall at the internet boundary with an explicit deny-all default and rules permitting only necessary services (HTTPS inbound to the web server, outbound DNS and HTTPS). Add network segmentation via VLANs so that a breach of the guest Wi-Fi cannot reach the server subnet. Combine with EDR on endpoints so lateral movement is detected quickly. This is defence in depth: the firewall is one of several layers, each addressing different failure modes." Notice: named controls, specific rules, tied to threats, uses vocabulary like "defence in depth" and "lateral movement."
You have 20 minutes left and 4 questions unanswered worth 3, 4, 6, and 8 marks. What's your plan?
Total 21 marks in 20 minutes = about 1 minute per mark, so you're way behind the 2-minutes-per-mark rate. Plan: don't attempt to finish them all fully. Write the best opening sentence or two for each (command word response, key CIA tag, one key control). That secures the easy 1-2 marks per question. Then if time permits, go back to the highest-mark question (the 8-marker) and expand. Blank = zero. Half-answer structured = some marks. Covering all four at surface depth beats polishing one and leaving three blank.
Rewrite this weak answer to gain marks: "A DDoS attack makes the website go down."
Strengthened version: "A distributed denial-of-service (DDoS) attack violates [CIA: Availability] by flooding a target with traffic from many compromised devices (a botnet), exhausting its bandwidth, processing capacity, or connection state so that legitimate users cannot be served. The 2016 Dyn DNS attack and the Port of Melbourne incident are Australian-relevant examples. The primary defences are traffic scrubbing services (e.g., Cloudflare, Akamai), rate-limiting, and over-provisioning; detection relies on monitoring for unusual traffic volumes."
Upgrades made: named it properly, tagged CIA, explained the mechanism, named a real-world example, named specific defences, integrated the monitoring connection. Same underlying knowledge; far more marks.