Quiz: Security Awareness Training

A 26-question self-check covering the chapter's vocabulary, metrics, and program design. Several questions are tagged with the certification domain they map to — [Sec+] for CompTIA Security+ and [CISSP] for the (ISC)² CISSP — so certification candidates can self-assess. Answers and one-line explanations are at the end; try the whole quiz before checking.


Section 1 — Multiple choice (1 pt each)

1. [Sec+] The primary goal of a security awareness program is best described as:
   A. maximizing training-completion rates
   B. changing employee behavior
   C. passing the annual audit
   D. transferring as much knowledge as possible

2. The single highest-leverage technical intervention for improving phishing reporting is:
   A. a longer annual training video
   B. a one-click "report phishing" button
   C. a stricter password policy
   D. a poster campaign

3. [Sec+] A small, targeted piece of guidance delivered at the exact moment a person makes a relevant decision is called:
   A. a nudge
   B. just-in-time training
   C. a security champion
   D. a phishing simulation

4. A change to the choice environment that steers people toward a safer decision without forbidding any option is a:
   A. control objective
   B. nudge
   C. mandate
   D. sanction

5. [CISSP] The "no-blame" or "just culture" principle in security awareness is borrowed primarily from:
   A. the financial industry
   B. commercial aviation and medicine
   C. military doctrine
   D. law enforcement

6. Click rate is computed as:
   A. clicked / opened
   B. clicked / reported
   C. clicked / received
   D. submitted / clicked

7. [Sec+] Which of the following is a vanity metric that flatters a program without measuring real-world resilience?
   A. time-to-report
   B. trend in report rate
   C. training-completion rate
   D. high-risk population improvement

8. A 0% click rate on a phishing simulation is usually:
   A. the ideal outcome to celebrate
   B. a warning sign that the test was too easy or gamed
   C. impossible
   D. evidence the workforce no longer needs training

9. Employees embedded in business units who act as the local advocate and point of contact for security are called:
   A. SOC analysts
   B. security champions
   C. data owners
   D. control assessors

10. [CISSP] Most insider incidents are:
   A. malicious sabotage
   B. nation-state recruitment
   C. honest mistakes by well-meaning employees
   D. financial fraud

11. In the B = MAP behavior model, the lever an engineer most directly controls by making the safe action easier is:
   A. Motivation
   B. Ability
   C. Prompt
   D. Mandate

12. [Sec+] A phishing email that says "Your account will be locked in 1 hour unless you verify now" is primarily exploiting:
   A. reciprocity
   B. social proof
   C. urgency
   D. liking


Section 2 — True / False with justification (1 pt each)

For each, mark T or F and give a one-sentence reason.

13. "An employee who scores 100% on the security quiz will not click a phishing email."

14. [Sec+] "Disciplining employees who click phishing simulations strengthens the security culture."

15. "A workforce that reports more emails than it clicks is on the right side of the line."

16. "It is acceptable to use a fake bonus or layoff notice as a phishing-simulation lure if it produces a high click rate that motivates the board to fund the program."

17. "Security awareness training can eliminate the malicious-insider threat on its own."

18. "Reporting a legitimate email as suspicious (a false positive) is a costly mistake that should be discouraged."


Section 3 — Fill in the blank (1 pt each)

19. The two headline metrics of a phishing simulation are the ____ rate and the ____ rate.

20. The shared attitudes, norms, and unwritten rules that determine how people actually behave toward security is the organization's security ____.

21. [Sec+] A trained, engaged, fast-reporting workforce that catches what automation misses is called the human ____.

22. The metric that measures how many minutes pass between a phishing email landing and the first report reaching the SOC is ____-to-____.


Section 4 — Short answer (2 pts each)

23. [CISSP] Explain why a punitive response to honest mistakes makes an organization less secure. Reference the relationship between blame and reporting.

24. A campaign sends to 300 people; 24 click and 90 report. Compute the click rate and report rate, and state in one sentence whether the relationship is healthy and why.

25. Name three requirements that make a phishing simulation an authorized, ethical test rather than an attack, and explain why the landing page should teach rather than shame.


Section 5 — Applied scenario (5 pts)

26. [Sec+] Meridian's finance team is repeatedly targeted by business email compromise — emails impersonating the CEO requesting urgent confidential wire transfers. (a) Name the two social-engineering principles most at work. (b) Describe the single behavioral control that defeats this entire class of attack. (c) Explain why this population receives the most intensive tailored program in Meridian's design. (d) Identify one metric you would track specifically for this team and one vanity metric you would refuse to rely on.


Answer Key

1. **B** — awareness is a behavior-change problem; knowledge is only one input.
2. **B** — the one-click report button raises *ability*, the strongest reliable lever.
3. **B** — just-in-time training is delivered at the point of decision.
4. **B** — a nudge changes the choice environment without forbidding options.
5. **B** — security borrows just culture from aviation and medicine.
6. **C** — click rate = clicked / received.
7. **C** — completion rate measures attendance, not behavior.
8. **B** — a perfect score usually means the test was trivial or gamed.
9. **B** — security champions.
10. **C** — most insider incidents are honest mistakes.
11. **B** — ability (making the safe action easy).
12. **C** — urgency / scarcity.
13. **F** — the quiz measures knowledge; clicking is a behavior governed by the fast, automatic system and real-world conditions, so high quiz scores do not predict safe behavior.
14. **F** — punishment suppresses reporting and destroys trust; it weakens the culture.
15. **T** — a report rate exceeding the click rate means detection behavior outweighs susceptibility, the healthy direction.
16. **F** — cruel lures exploit deeply personal hope/fear, cause resentment, lawsuits, and *reduced* real reporting; the vanity number is bought at the cost of actual security.
17. **F** — awareness reduces the *accidental* insider threat; the malicious insider also needs access controls, monitoring, and HR processes.
18. **F** — a false positive costs the SOC seconds; a false negative (an unreported real phish) can cost a breach, so over-reporting should be *encouraged*.
19. click; report.
20. culture.
21. firewall.
22. time; report (time-to-report).
23. Punishing honest mistakes teaches people to hide them; employees stop reporting clicks, near-misses, and suspicious activity for fear of consequences, so the organization loses the very signal it needs and goes blind to its real risks — the opposite of what a people-powered detection capability requires.
24. Click rate = 24/300 = 8%; report rate = 90/300 = 30%. Healthy: far more people reported (30%) than clicked (8%), so detection/reporting behavior strongly outweighs susceptibility.
25. Any three of: written executive authorization defining scope; a governance/approval process and data-handling rules; legal and HR review (employee-monitoring and privacy law); a strict no-blame design intended to strengthen the workforce. The landing page should teach because a click is the most teachable moment of the year and shame produces concealment — which suppresses the reporting culture you are trying to build.
26. (a) authority (impersonating the CEO) and urgency (act now, confidential). (b) out-of-band verification — confirming any payment change or unusual wire request through a separate, trusted channel (a known phone number), never by replying to the email. (c) a single tricked wire transfer can cost more than the entire awareness program, so the highest-impact human risk receives the most intensive, tailored attention. (d) Track, e.g., the finance team's click/report rate on BEC-style simulations or its rate of verified-before-paying behavior; refuse to rely on the team's *training-completion rate* as evidence of resilience.
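The metric definitions behind questions 6, 8, 15, 22 and 24 (click rate = clicked / received, report rate = reported / received, time-to-report in minutes from delivery to the first report, and the "report rate must exceed click rate" health check) are small enough to script. The following is an added example, not code from the chapter or from any simulation product; the `Recipient` record, the `campaign_metrics` function and the 50-recipient campaign it builds are constructed here purely to illustrate the arithmetic and the warning conditions the quiz describes.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class Recipient:
    """One recipient of a simulated phish (constructed record, not a product schema)."""
    email: str
    delivered_at: datetime
    clicked_at: Optional[datetime] = None   # None = never clicked the lure
    reported_at: Optional[datetime] = None  # None = never used the report button


def campaign_metrics(recipients: List[Recipient]) -> dict:
    """Compute the chapter's headline metrics for one campaign.

    click_rate  = clicked / received
    report_rate = reported / received
    time_to_report_min = minutes from first delivery to the first report reaching the SOC
    healthy = report rate exceeds click rate (the direction the quiz calls healthy)
    """
    received = len(recipients)
    if received == 0:
        raise ValueError("campaign has no recipients")

    clicked = sum(1 for r in recipients if r.clicked_at is not None)
    reported = sum(1 for r in recipients if r.reported_at is not None)
    click_rate = clicked / received
    report_rate = reported / received

    first_delivery = min(r.delivered_at for r in recipients)
    report_times = [r.reported_at for r in recipients if r.reported_at is not None]
    time_to_report_min = (
        (min(report_times) - first_delivery).total_seconds() / 60 if report_times else None
    )

    warnings = []
    if clicked == 0:
        # A perfect score is a warning sign, not a trophy (question 8).
        warnings.append("0% click rate: check whether the lure was trivial or the test was gamed")
    if reported == 0:
        warnings.append("no reports at all: the reporting channel may be unknown or distrusted")
    if report_rate <= click_rate:
        warnings.append("report rate does not exceed click rate: susceptibility outweighs detection")

    return {
        "received": received,
        "clicked": clicked,
        "reported": reported,
        "click_rate": click_rate,
        "report_rate": report_rate,
        "time_to_report_min": time_to_report_min,
        "healthy": report_rate > click_rate,
        "warnings": warnings,
    }


def build_sample_campaign() -> List[Recipient]:
    """Constructed campaign: 50 recipients, 4 click (8%), 15 report (30%).

    Same ratios as question 24, scaled down; the first report lands 3 minutes
    after delivery. All values are made up for the example.
    """
    delivered = datetime(2024, 3, 4, 9, 0)
    recipients = []
    for i in range(50):
        r = Recipient(email=f"user{i:02d}@example.invalid", delivered_at=delivered)
        if i < 4:
            r.clicked_at = delivered + timedelta(minutes=5 + i)
        if 10 <= i < 25:
            r.reported_at = delivered + timedelta(minutes=3 + (i - 10))
        recipients.append(r)
    return recipients


def build_gamed_campaign() -> List[Recipient]:
    """Constructed campaign where nobody clicks and nobody reports: both warnings fire."""
    delivered = datetime(2024, 3, 4, 9, 0)
    return [Recipient(email=f"user{i:02d}@example.invalid", delivered_at=delivered) for i in range(20)]


if __name__ == "__main__":
    for name, campaign in (("sample", build_sample_campaign()), ("gamed", build_gamed_campaign())):
        m = campaign_metrics(campaign)
        print(f"{name}: click {m['click_rate']:.1%}, report {m['report_rate']:.1%}, "
              f"time-to-report {m['time_to_report_min']} min, healthy={m['healthy']}")
        for w in m["warnings"]:
            print("  warning:", w)
```

Run as a script it prints the two campaigns side by side; the point of the second one is that a 0% click rate with no reports is flagged rather than celebrated, which is exactly the distinction questions 8 and 15 are testing.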
**Topics to review by question:** missed 1, 13 → §30.1–30.2 (behavior vs knowledge); 2, 11 → §30.2 (B=MAP, the report button); 3–4 → §30.2 (just-in-time, nudge); 5, 14, 23 → §30.5 (no-blame culture); 6, 8, 19, 24 → §30.4 (metrics); 7, 26(d) → §30.4 (vanity metrics); 9, 22 → §30.5 (champions, time-to-report); 10, 17, 18 → §30.5 (insider threat, false positives); 12, 26(a–b) → §30.2 + §30.6 (influence principles, BEC); 15 → §30.4 (healthy relationship); 16, 25 → §30.3 (ethical simulations); 20–21 → §30.1, Overview (culture, human firewall).