Exercises: Security Awareness Training

These exercises move from vocabulary to program design and judgment. Difficulty is marked ⭐ (recall/application), ⭐⭐ (analysis), and ⭐⭐⭐ (synthesis/open-ended). A dagger (†) marks problems with a full worked solution in Appendix: Answers to Selected Exercises — try every problem before you read one.

A standing rule for every "design a phishing simulation" exercise below: you are designing for an organization you own or are explicitly authorized to test, with executive sponsorship, legal/HR review, and a strict no-blame posture. Never design or send a simulation to anyone who has not consented or any system you are not authorized to test. The skill being assessed is ethical program design, not deception.


Part A — Core vocabulary ⭐

1.† In one sentence each, define security awareness, security culture, and the human firewall, then write one sentence that uses all three correctly.

2. Distinguish knowledge from behavior in the context of security awareness. Give one metric that measures each, and state which one predicts real-world resilience.

3. Define click rate and report rate. Write the formula for each and state what each is measured against.

4.† Define just-in-time training and nudge, and explain how they differ. Give one workplace example of each that is not drawn from the chapter's examples.

5. Define security champions. List three things a champions network gives a small central security team that the team cannot achieve on its own.

6. This chapter introduces the insider threat. Distinguish the malicious from the accidental insider, and state which one a security awareness program most directly reduces.

7. Explain the difference between social engineering as treated in Chapter 2 and social engineering defense as treated in this chapter. (One owns the attack; the other owns the program-level counter.)


Part B — Metrics & calculation ⭐⭐

8.† A phishing simulation is sent to 500 employees. The platform reports: 280 opened, 65 clicked the link, 18 submitted credentials, and 140 reported the message. Compute (a) the click rate, (b) the report rate, and (c) the submit rate. (d) Is the relationship between click rate and report rate healthy? Justify. (e) Which single number would you put at the top of a board slide, and why?

9. Two simulations run the same month. Campaign X (generic, easy lure): 8% click rate. Campaign Y (targeted spear-phish): 31% click rate. A manager concludes "the workforce got worse between campaigns." Explain everything wrong with that conclusion and what comparison would be valid.

10.† Define time-to-report and explain, using the phishing funnel, why a workforce with a 15% report rate and a 3-minute median time-to-report can be safer than one with a 25% report rate and a 40-minute median time-to-report.

11. A program reports a 0% click rate on its latest simulation and a 100% training-completion rate. Your CISO is delighted. Write three sentences explaining why neither number should reassure her, and what you would measure instead.

12. Over four quarters, a division's click rate goes 22% → 18% → 16% → 19%, while its report rate goes 10% → 19% → 26% → 34% and its time-to-report goes 35 → 20 → 9 → 4 minutes. The Q4 click-rate rise triggers an alarm. Interpret the full picture. Is the program failing or succeeding? What might explain the Q4 click uptick coexisting with the report-rate rise?


Part C — Analyze this (telemetry & scenarios) ⭐⭐

13.† You are handed this (illustrative) excerpt from the SOC's phishing-report queue. Times are UTC; the campaign hit the inbox at 13:40.

13:42  reporter=tellerA   subject="Invoice overdue - action required"  verdict=?
13:43  reporter=tellerB   subject="Invoice overdue - action required"  verdict=?
13:44  reporter=financeC  subject="Invoice overdue - action required"  verdict=?
14:25  click=tellerD       url=hxxp://meridan-bank[.]example/pay         (proxy log)
14:31  click=tellerE       url=hxxp://meridan-bank[.]example/pay         (proxy log)

(a) What is the median time-to-report for the three reporters? (b) The first report arrived at 13:42 but two clicks occurred at 14:25 and 14:31. What containment action should the SOC have taken between those times, and what does this teach about the value of a fast report? (c) Note the lookalike domain meridan-bank (missing an "i"). Which influence/cue does this exploit, and what just-in-time control would have flagged it?
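The funnel rates asked for in exercise 8 and the time-to-report and containment-window figures behind exercise 13 are computed from the same kind of data; here is an added Python helper (not part of the chapter or its answers appendix) that does so. The queue lines and counts it contains are constructed and differ from every exercise's numbers, so it is a tool for checking your own working, not a solution.

```python
import re
from datetime import datetime
from statistics import median

# Constructed sample in the same shape as the SOC report-queue excerpt; not any exercise's data.
SAMPLE_QUEUE = """\
09:04  reporter=opsA   subject="Payroll portal update"  verdict=?
09:06  reporter=opsB   subject="Payroll portal update"  verdict=?
09:15  reporter=hrC    subject="Payroll portal update"  verdict=?
09:31  click=opsD      url=hxxp://payroll-portal[.]example/login   (proxy log)
"""

LINE_RE = re.compile(r"^(\d{2}:\d{2})\s+(reporter|click)=(\S+)")  # timestamp + event kind

def parse_queue(text, campaign_start):
    """Return (report_minutes, click_minutes): minutes after the campaign landed."""
    start = datetime.strptime(campaign_start, "%H:%M")
    reports, clicks = [], []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that is not a report or click record
        minutes = (datetime.strptime(m.group(1), "%H:%M") - start).total_seconds() / 60
        (reports if m.group(2) == "reporter" else clicks).append(minutes)
    return reports, clicks

def median_time_to_report(report_minutes):
    """Median delay between the lure landing and an employee reporting it."""
    return median(report_minutes) if report_minutes else None

def containment_window(report_minutes, click_minutes):
    """Minutes between first report and first click: the SOC's time to pull the message and block the URL."""
    if not report_minutes or not click_minutes:
        return None
    return min(click_minutes) - min(report_minutes)

def funnel(delivered, clicked, submitted, reported):
    """Phishing-funnel rates; each rate is measured against messages delivered."""
    return {
        "click_rate": clicked / delivered,
        "submit_rate": submitted / delivered,
        "report_rate": reported / delivered,
        "reports_per_click": reported / clicked if clicked else None,
    }

if __name__ == "__main__":
    reports, clicks = parse_queue(SAMPLE_QUEUE, "09:00")
    print("median time-to-report (min):", median_time_to_report(reports))
    print("containment window (min):", containment_window(reports, clicks))
    print(funnel(delivered=400, clicked=52, submitted=11, reported=120))
```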

14. An employee forwards a legitimate marketing email to the SOC, reporting it as suspicious. A junior analyst wants to "remind the employee to be more careful before reporting." Explain why that instinct is exactly backwards, using the false-positive/false-negative tradeoff, and write the two-sentence reply you would send the employee instead.

15.† A "CEO" emails the finance team: "I'm in back-to-back meetings and can't call. We're closing the Hartwell acquisition today — please wire $240,000 to the attached account details immediately and keep this confidential until the announcement." (a) Identify three social-engineering principles at work. (b) Name the one verification behavior that defeats this entire class of attack. (c) Which tailored training population from §30.6 is this aimed at, and why is the financial impact of a single failure here so disproportionate?


Part D — Design a phishing simulation (ethically) ⭐⭐–⭐⭐⭐

16.† Design it. Draft a one-page plan for Meridian's first phishing simulation against the general workforce. Include: the lure (kept gentle/generic and ethical), the target population, the metrics you will collect, the design of the teachable-moment landing page (list the three cues it will teach), the governance approvals you need before sending, and the no-blame handling of clickers. State explicitly one type of lure you will not use and why.

17. Critique this proposed simulation: "Subject: Your 2026 bonus has been approved — click to view your award letter. Landing page reports each clicker's name to their manager and HR." List every ethical and effectiveness problem, then rewrite the plan to fix them while still being a useful test.

18. ⭐⭐⭐ Design a progressive six-month simulation roadmap for the finance/wire-transfer team. Specify how difficulty and lure type escalate month to month, what behavior each month targets, and how you would measure improvement without ever using a click result for discipline.


Part E — Write the policy / design the program ⭐⭐–⭐⭐⭐

19.† Write the policy. Draft a short Security Awareness Policy snippet (5–8 sentences) suitable for Meridian's policy set: scope, mandated activities (onboarding + continuous), the no-blame reporting commitment, the control owner, and how compliance is measured. Keep it at policy altitude — mandate, not procedure.

20. Write the procedure. Draft a one-paragraph phishing-report procedure for an employee: what the "report phishing" button does, what happens after they click it, and the explicit promise about blame. Then draft the parallel one-paragraph SOC procedure for handling an incoming report.

21. Design the architecture. Sketch (words or simple diagram) the technical pipeline for the one-click "report phishing" button: where the button lives, what it forwards and to whom, how the report reaches the SOC and the SIEM, and how the loop is closed back to the user. Name one integration with a control from an earlier chapter.

22. Design it. A 6,000-person company has a 3-person awareness team. Design a security-champions program to extend their reach: how many champions, how chosen, what training and time commitment, what they do, and how you keep them engaged. State one metric for the champions program's health.

23. ⭐⭐⭐ Design a complete, one-page role-based awareness plan for a software-development team: their top three threats, the tailored content and simulation types for each, the just-in-time nudges you would embed in their tools, and how you would recruit a champion from among them.


Part F — Respond to this / tabletop ⭐⭐

24.† Respond to this incident. At 09:10 the SOC receives four near-simultaneous reports of a phishing email impersonating the bank's HR portal, with a credential-harvesting link. By 09:12 the proxy log shows two employees have already clicked. Walk through the response steps in order, and identify where the human reporting culture, the technical controls (Ch. 9 email auth; Part V monitoring), and the governance (incident process) each play a part.

25. Respond to this. A repeat clicker — same employee fails three consecutive simulations — is escalated to you. Leadership wants them "written up." Write the case for a supportive, non-punitive intervention instead, name two things you would actually do, and explain the cultural cost of the punitive path.


Part G — CTF-style challenge ⭐⭐⭐

26.† The metric that lies. A vendor's dashboard proudly shows your program at "97% secure" based on a single composite score blending training-completion rate, quiz average, and a click rate from deliberately easy simulations. Your board wants to celebrate. (a) Deconstruct exactly how each input inflates the composite. (b) Construct the honest metric set you would present instead. (c) Write the three-sentence reframe you would give the board so the harder truth lands without sounding like you are sandbagging your own program.


Part H — Interleaved & forward-looking ⭐⭐

27. (Interleaved with Ch. 26.) Where in the policy/standard/procedure hierarchy does each of the following belong: (a) "Meridian maintains a security-aware workforce"; (b) "All staff complete monthly two-minute modules; high-risk roles receive role-based training quarterly"; (c) "To report a suspicious email, click the red shield button in Outlook"? Justify each placement.

28. (Interleaved with Ch. 2.) Map a complete spear-phishing attack to the cyber kill chain, then mark at which stage each of this chapter's human-layer defenses (DMARC/email auth from Ch. 9, the report button, just-in-time training, the no-blame report culture) intervenes. Which defense acts earliest, and which is the last line before harm?

29. (Interleaved with Ch. 9.) Explain how SPF/DKIM/DMARC (Chapter 9) and the awareness program form defense in depth against phishing. Give one phishing scenario that email authentication stops cold, and one it cannot stop — where the human layer is the only remaining defense.

30. ⭐⭐⭐ Open reflection. "Humans are the weakest link" is half of this chapter's central theme. Argue the other half — that the human is the strongest asset — using the Meridian near-miss and one example from a non-computing field (aviation, medicine, public health) where trained, empowered people are the primary safety control. What does that field do that security programs should imitate?


Solutions to daggered (†) problems are in the Answers appendix. The remaining problems are deliberately open — bring them to a study group or your instructor.