Weekly CISSP Practice
Exam Questions
Week 7 - Question 1
Question: When classified data is aggregated, what typically happens to its classification level?
A. Remains the same
B. Decreases
C. Increases
D. Not predictable
Correct Answer: C
Explanation:
A. Remains the same
In some environments, data remains at the "high-water mark" (the level of the most sensitive individual component).
The Nuance: While the high-water mark principle is common, it doesn't account for the emergent properties of data.
Why it's incorrect: For the CISSP, you must assume that the sum is greater than its parts. If you have ten pieces of "Secret" data that, when combined, reveal a "Top Secret" strategy, keeping the classification the same would be a failure of security controls.
B. Decreases
There is virtually no scenario in security governance where combining sensitive data points results in a lower classification.
Classification Logic: Classification levels are based on the potential for damage to the organization or national security. More data points generally increase the potential damage if the set is compromised; therefore, the classification would never move from "Secret" down to "Public" simply because the data was aggregated.
C. Increases
This is known as the Aggregation Effect. It occurs when a collection of facts becomes more sensitive than any individual fact within that collection.
The Reasoning: Aggregation allows a user to see the "big picture." For example, an individual's name is not sensitive; their hospital room number is not sensitive; and a specific drug name is not sensitive. However, if you aggregate all three into one list, you have a highly sensitive medical record (PHI) that reveals a specific person's health condition.
Security Control: To mitigate this, organizations often use Need-to-Know restrictions or database views to ensure that no single user can aggregate enough data to reach that higher classification level without authorization.
D. Not predictable
While security can be complex, the rules governing classification are designed to be highly predictable to ensure consistent application by staff.
The Policy Approach: Organizations use "Classification Guides" to explicitly state how data sets should be handled. While there are rare "gray areas," the CISSP exam looks for the standard rule: Aggregation equals higher risk, which generally necessitates a higher classification level to provide adequate protection.
Key Takeaway for the CISSP Exam
Aggregation vs. Inference:
Aggregation is the mathematical act of combining data (e.g., seeing the whole database).
Inference is the mental process of using non-sensitive information to "guess" or deduce sensitive information.
Both concepts usually lead to the same result: The need for stronger access controls or higher classification.
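The "database views" control mentioned under option C, and the aggregation-versus-inference distinction in the takeaway, can be shown concretely. The following Python example is added here and is not from the original page; it uses the standard library's sqlite3 module with constructed sample records and hypothetical role names and view names (v_ward, v_pharmacy). Each role is mapped to a view exposing only the columns it needs, queries are checked against the view's actual columns before being run, and a separate check answers the question a reviewer asks when assigning roles: does the union of a user's views cover the combination that reaches the higher (PHI) classification?

```python
import sqlite3

# Constructed sample records (not from the original page): three facts that are
# individually low-sensitivity but together form a medical record (PHI).
PATIENTS = [
    ("Alice Example", "Room 12", "Metformin"),
    ("Bob Example", "Room 7", "Sertraline"),
]

# Hypothetical role-to-view mapping. Each view exposes only the columns that
# role needs, so no single view yields name + room + drug together.
ROLE_VIEWS = {
    "ward_clerk": "v_ward",             # name + room
    "pharmacy_tech": "v_pharmacy",      # room + drug
    "attending_physician": "patients",  # full record: authorised need-to-know
}

# The column set that, seen together, reaches the higher (PHI) classification.
PHI_COLUMNS = {"name", "room", "drug"}


def build_db():
    """Create an in-memory database with the base table and the per-role views."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patients (name TEXT, room TEXT, drug TEXT)")
    conn.executemany("INSERT INTO patients VALUES (?, ?, ?)", PATIENTS)
    conn.execute("CREATE VIEW v_ward AS SELECT name, room FROM patients")
    conn.execute("CREATE VIEW v_pharmacy AS SELECT room, drug FROM patients")
    return conn


def visible_columns(conn, view):
    """Columns a view actually exposes (PRAGMA table_info works for views too)."""
    return {row[1] for row in conn.execute(f"PRAGMA table_info({view})")}


def query_as(conn, role, columns):
    """Run a SELECT on behalf of `role`, restricted to that role's view.

    Returns the rows, or None when a requested column is outside the view.
    Column names are checked against the view's own column list before they
    are placed in the statement, so the caller cannot smuggle in other SQL.
    """
    view = ROLE_VIEWS[role]
    allowed = visible_columns(conn, view)
    if not set(columns) <= allowed:
        return None  # denied: the view does not expose that column
    return conn.execute(f"SELECT {', '.join(columns)} FROM {view}").fetchall()


def can_aggregate_to_phi(conn, roles):
    """True if the union of the views granted to `roles` covers all PHI columns.

    Two individually harmless views that share a join key (here `room`) let a
    user holding both reconstruct the full record. That is the inference path
    the takeaway describes, and it is caught by reviewing role combinations,
    not by looking at any single view.
    """
    covered = set()
    for role in roles:
        covered |= visible_columns(conn, ROLE_VIEWS[role])
    return PHI_COLUMNS <= covered


if __name__ == "__main__":
    db = build_db()
    print(query_as(db, "ward_clerk", ["name", "room"]))              # allowed
    print(query_as(db, "ward_clerk", ["name", "drug"]))              # None: denied
    print(can_aggregate_to_phi(db, ["ward_clerk"]))                  # False
    print(can_aggregate_to_phi(db, ["ward_clerk", "pharmacy_tech"]))  # True
```

The views enforce need-to-know per query, but the last check is the one that matters for the exam point: the ward and pharmacy views are each below the PHI level, yet a user granted both can join them on the room number and reach it. Classification of the combination, and review of who holds which combination of roles, is what keeps the aggregated set protected.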
Podcasts
Check out my weekly podcasts that delve deep into the relevant topics related to each of the CISSP domains. In addition, I will go over specific questions and how they can be interpreted and answered.
CISSP Cyber Training Academy
Tired of not knowing how to study for the CISSP Exam?
Check out the CISSP Cyber Training Academy to help you on your journey!
CISSP Cyber Training - YouTube
Check out my video collection on YouTube discussing all the details needed to help you pass the CISSP exam.