Security awareness quiz - answers (2024)

Q1: Which of the following three is the strongest password?

  1. starwars
  2. 1qaz2wsx
  3. trEEGCv-

A: The correct answer is 3. This is a random password and thus the most secure one of the 3. starwars is not random and a commonly used password. 1qaz2wsx seems random but it's the first 2 columns of a qwerty keyboard and also commonly used. Attackers use these in wordlists to crack passwords or to gain access to existing sites for which you use this password.

Q2: Which of the following is a weak password?

  1. 123456
  2. P@ssw0rd
  3. ILoveYou123
  4. All of the above

A: The correct answer is 4. All of the passwords are weak and already leaked in data breaches.

Q3: How often should I change a password?

  1. Never
  2. Every week
  3. Every month
  4. Every year
  5. Only when there's proof or suspicion of compromise

A: The correct answer is 5. The best practices are to only change your password when there's proof or suspicion that your account might be hacked. More tips on how to know when an account is hacked can be found in this and this blog.

Q4: Is it considered safe to use the same complex password on all websites?

  1. Yes
  2. No

A: The correct answer is 2. If you reuse passwords across different sites a hack of one website can result in attackers using this stolen username and password to gain access to your accounts for another website. If you want to learn more about why password reuse is a bad idea, read this article.

Q5: What should I do after I learn about a data breach of a website? Choose the best answer.

  1. Nothing
  2. Change the password of my account for that website
  3. Change the password for my account for that website and of all other websites where I use that same password

A: The correct answer is 3. If your username and password is stolen the account for that particular hacked website is at risk, but also your accounts for any other website were you use that same password. If you want to learn more about it read here why password reuse is a bad idea.

Q6: What are the characteristics of a strong password?

  1. Long
  2. Long, random and unique
  3. Long, unique
  4. Long, random

A: The correct answer is 2. Passwords should be long enough, minimum 12 or 14 characters is recommended. Passwords should also be random because attackers will have giant lists of predictable passwords they can use to crack passwords or gain access to your online accounts. They should also be unique. If you reuse passwords across different sites a hack of one website can result in attackers using this stolen username and password to gain access to your accounts for another website. If you want to learn more on how to create strong passwords, read this blog.

Q7: If you want to share a password with someone, what's the best option?

  1. Send it via email
  2. Send a text message
  3. Tell it via the phone
  4. None of the above

A: The correct answer is 4. A password is personal data which shouldn't be shared with others.

Q8: Which of the following is the most secure backup strategy?

  1. One backup on an external harddisk and another one on a cloud backup
  2. 2 backups on 2 different external harddisks
  3. A backup on an external harddisk

A: The correct answer is 1. Because you spread the backups over 2 geographically different regions, which makes your backup strategy more resilient. If you want to learn more about it how to put a secure backup strategy in place read this blog.

Q9: You open a website and it has a padlock in the browser bar (the lock icon in front of the URL). Which statements are true?

  1. I can be sure that this is a legit, non-malicious site
  2. It tells me that the site is 100% secure
  3. The traffic between my computer (browser) and the server that runs the website is secured
  4. No one, even my Internet Service Provider doesn't know which site I visit.
  5. This could be a phishing site.

A: The correct answers are 3 and 5. A padlock in the browser bar implies that the connection between your browser and the website is secure, but it doesn't say anything about the intentions of a website, so it could be a phishing website. Your Internet Service Provider will still know which websites you visit.

Q10: Is it generally considered safe to use Starbucks Public Wi-Fi network for performing an online banking operation?

  1. Yes, it is safe
  2. No, it can be dangerous

A: The correct answer is 2. While a lot more websites are served over HTTPS nowadays, the security risks of using public Wi-Fi are lower but it's still not to recommend to do online banking on a public Wi-Fi. It might be a better idea to use your mobile data and/or switch on a VPN.

Q11: Is it secure to enter your private information (e.g., data of birth, identification number etc.) on a site with an address that starts with "http://"?

  1. Yes
  2. No

A: The correct answer is 2. When you enter data on a HTTP website the data could be intercepted and/or manipulated by an attacker. Enter personal data only when the address of the website starts with "https://". If you want to learn more about HTTPS read this blog.

Q12: Which of the following statements are correct? When I use incognito or private mode in a browser...

  1. No one can see the websites I visited, even not my Internet Service Provider.
  2. Others that use my device can't see which sites I visited
  3. I'm anonymous for that website

A: The only correct answer is 2. Private or incognito browsing only implies that your search and browsing history isn't saved.

Q13: Your business email account has been compromised and leaked in a data breach. What is the best course of action(s)?

  1. Change your password immediately
  2. Inform the security team of your organization
  3. Change the Password on all sites where you use the same password
  4. All of above

A: The correct answers is 4.

Q14: Is it useful to run antivirus software on an Android phone?

  1. Yes
  2. It depends, only if you download apps from outside of Google's official app store
  3. No

A: The correct answer is 1. Even Google Play, Google's offical app store is known to host apps that can contain viruses. It's always a good idea to have a virusscanner installed.

Q15: Which of the following are considered personal data under GDPR (more than 1 answer possible)?

  1. Your IP address
  2. Your birthdate
  3. Your home address
  4. Only your firstname

A: The correct answers are 1, 2 and 3.

Q16: If you receive a call from someone that says to be a clerk from your bank, is it ok to give your bank account details over the phone?

  1. Yes
  2. Never
  3. Only if I recognize that the phone number is from my bank.

A: The correct answer is 2. You shouldn't give your bank account details over the phone. A bank that takes your security seriously will never ask for sensitive data, like bank account details, over the phone. Even if you recognize the number it could be spoofed by an attacker.

See Also
Yubico Forum • View topicIdentity Authentication – How-to Multi-factor authentication with YubiKeysStatic vs Dynamic IPs: Which Is Better?Why You Should Consider a Static Website First

Q17: You receive an email with subject: "$5 million donation from Bill Gates" and in the email they ask you to provide your telephone number and full postal address to claim the money. What's the best action?

  1. Reply with my phone number and postal address, I want the 5 million dollars
  2. Forward the email to friends, because sharing is caring
  3. Report the email as spam and delete it

A: The correct answer is 3. If something is too good to be true it just isn't true. No one will email you out of the blue to give you such an amount of money.

Q18: You're browsing and on a random site a pop-up to get free access to Netflix appears. What's the most secure action?

  1. Follow the pop-up instructions to get the free access
  2. Immediately close the pop-up and don’t proceed

A: The correct answer is 2. It's even better to close the browser tab or the browser alltogether. If the pop-up is preventing you from doing this you can kill the browser process.

Q19: You receive an email from '[emailprotected]' that urges you to reset your Hyundai password. What should you do?

  1. Change my password immediately as per the instructions given in the email
  2. Don't proceed and delete the email

A: The correct answer is 2. If Hyundai would ask you to reset your password the mail would come from an official Hyundai.com email address. This is a malicious email to steal your Hyundai password.

Q20: Is the following statement true or false? Reusing the same password across multiple sites is a good idea. It's very convenient after all.

  1. True
  2. False

A: The correct answer is 2. It sure is convenient, but this convenience comes with a price. If your password is stolen in a hack of 1 site user can use that to gain acces to your accounts on other sites.

Q21: Is it considered a good security practice to leave your machine unlocked when you leave your desk?

  1. Yes
  2. No

A: The correct answer is 2. It's not a good idea, if you don't lock your device everyone in the office has the possibility to access the (confidential) data on your device.

Q22: If you receive an unexpected phone call from Microsoft technical support, should you?

  1. Follow their instructions
  2. Give them your password
  3. Call them back
  4. Hang up

A: The correct answer is 4. No one from Microsoft will ever call you to offer technical support. This is a scam. Hang up immediately. If you want to learn more about tech support scams, read this blog.

Q23: If you receive a suspicious email, should you?

  1. Reply to it
  2. Open the attachments
  3. Click the links
  4. Report it to the phishing reporting mailbox of your government

A: The correct answer is 4. Report the phishing mail and delete it afterwards. In any case don't reply, click on any links or open attachments in the email.

Q24: You’re being texted that your parcel delivery will be delayed. In order to expedite it you need to?

  1. Reply to the text
  2. Click on the link provided in the sms
  3. Think first, am I expecting anything? If not report and delete the sms

A: The correct answer is 3. Attackers always will try to exploit things like urge. But always first ask yourself wether you're expecting that particular parcel. If not, it's a malicious email and the best action is to report and delete the email afterwards.

Q25: Is the following statement true or false. Because operating system updates are time consuming and may need to restart the machine it's a good idea to postpone them as long as possible.

  1. Yes
  2. No

A: The correct answer is 2. It's not a good idea to postpone operating system updates because they often contain fixes for security vulnerabilities. If you wait with installing these updates attackers might use these vulnerabilities to gain access to your device and infect it with malware and/or steal your data.

Q26: Which of the following statements are correct?

  1. Phishing is a form of social engineering.
  2. Phishing is a so called "spray and pray" technique in which an attacker sends out the same email to hundreds of potential targets in the hope they will fall victim.
  3. All of the above

A: The correct answer is 3. Phishing is indeed a form of social engineering or in other words the psychological manipulation of people into performing actions or divulging confidential information and it can also be a mass attack.

Q27: Imagine you work for the finance department of a company. You received an email from your company’s CEO and they want you to immediately transfer a few millions to a bank account provided in the email. Will you execute the transaction?

  1. Yes, I will do so if my CEO asks me.
  2. I will only execute the transaction after I got confirmation from the CEO through another channel.

A: The correct answer is 2. Only if you get it confirmed via another channel (e.g. a phone call to the trusted number, initiated by you) - which should be defined in a procedure - you should execute the transaction. Criminals could have hacked the email account from the CEO or pretend to be the CEO by faking the CEO's email address.

Q28: If you suddenly see the following page in the browser, is it a good idea to claim your present?

Security awareness quiz - answers (1)
  1. Yes
  2. No

A: The correct answer is 2. If something is too good or too unbelievable to be true it's just not true. This is a fake page, the only intention of the criminals to set up this page is to scam you.

Q29: Which of the following statements about a phishing email are true?

  1. The email comes out of the blue. There's no context or previous contact with the sender
  2. The email contains a sense of urgency to get a particular action done
  3. All of the above

A: The correct answer is 3.

Q30: You receive a SMS from a supplier/vendor who asks you to click on a link to renew your contract. You should:

  1. Proceed without worrying
  2. Don’t proceed by clicking on the link in SMS

A: The correct answer is 2. Don't click this link. You wouldn't suspect a supplier or vendor to send a renewal link via SMS. In any case if you doubt always reach out to the vendor to check if they really send this link.

Q31: Which month is considered or recognized as Cyber Security Month?

  1. September
  2. October
  3. November
  4. December

A: the correct answer is 2. October is Cyber Security awareness month. During October a lot of practical security awareness content is being shared.

Q32: The person who performs a social engineering attack is known as?

  1. An Information Engineer
  2. A Social Engineer
  3. A Social Media Activist

A: The correct answer is 2.

See Also
Devices with Static IP Addresses

Q33: Imagine you find a USB device in the hallway at work. What's the best thing to do?

  1. Pick it up and plug it in to see what’s on the USB device. Maybe you can identify the owner.
  2. Leave it in the hallway or bring it to the reception desk, such that the person who lost it can get it back.
  3. Pick it up, don't plug it in but inform your IT department because this could be a USB device containing malware to infect your company's systems.

A: The correct answer is 3. You shouldn't trust USB devices you find. This is a common way to get malware distributed.

Q34: Which URL(s) bring(s) you to Google’s Home Page?

  1. https://google.com
  2. https://gogle.com
  3. https://gooogle.com
  4. All of above

The correct answer is 4. Tools like urlscan.io can help you to gain more insights about a website. It's not bullet proof, its not because a site is trusted it means that it could be malicous. But if it's flagged malicious certainly don't visit it. In this case we can see that the effective url is https://www.google.com, Google's official website.

Security awareness quiz - answers (2)

Q35: Which of the following URLs could NOT be used in a so called 'Typosquatting Attack'?

  1. http://microsoft.com
  2. http://mircosoft.com
  3. http://miroosoft.com
  4. All of the above

A: The correct answer is 1. In typosquatting attackers abuse the fact that users mistype URLs. For instance attackers might hosts a malicious site on the domain http://mircosoft.com which will be incidentally visited by a lot of people.

Q36: You receive the following email which contains "This message was sent from a trusted sender" in the body. Does this mean you can trust that this email is legitimate?

Security awareness quiz - answers (3)
  1. Yes
  2. No

A: The correct answer is 2. This sender can't be trusted, a text in an email body doesn't say anything about whether a sender can be trusted or not. This is clearly a spam email and like you can see in the screenshot it's also detected as such.

Q37: If you receive the following email, is it a good idea to proceed to get help from CBD?

Security awareness quiz - answers (4)
  1. Yes
  2. No

The correct answer is 2. This sender can't be trusted, this is clearly an unsolicited email that try's to trick the receiver into clicking malicious links or giving away personal data. Like you can see in the screenshot it's detected as spam by the mail client.

Q38: You receive the following invite to take a quiz. You decide to take the quiz to receive the free glasses. This is...

Security awareness quiz - answers (5)
  1. A good idea, free stuff is always nice
  2. This is a bad idea, this is a scam to steal my personal data

A: The correct answer is 2.

Q39: Which of the following things help to decide whether an online shopping website is trustworthy?

  1. The address of the website starts with 'https://'
  2. There's a seal on the website that says '100% secure'
  3. Do a bit of research to see whether the site has a good reputation
  4. Read on the website and look for positive reviews of other customers

A: The correct answer is 3. Malicious sites can also run over https and security seals can be easily faked. The website owner can also put fake reviews of other customers on their website.

For more information also read this post.

Q40: For online shopping it's best to use...?

  1. A credit card
  2. A debit card

A: The correct answer is 1. Credit cards have an insurance against fraud. When you pay with a credit card, the money is not directly withdrawn from your account. This gives you time to dispute fraudulent charges and the bank can block the payment while they investigate the incident. Some credit cards also offer additonal insurance for your online purchases.

For more information also read this post.

Q41: I don’t use a PIN on my smartphone but keep it with me. What could go wrong?

  1. When I lose it all my information and apps are accessible by the finder
  2. When I leave my phone unattended, miscreants can gain access to all my online accounts using my email address
  3. When my phone gets stolen the thieves can access all my information and apps
  4. All of the above

A: The correct answer is 4. When you have no pin code on your device and you leave it unattended, lose it or when it gets stolen an unauthorized user can gain access to your personal data. For instance your pictures and videos, text messages or your phone contacts. They'll also have access to all the apps on your phone and your email account which contains a treasure trove of information and which can be used to reset the password for all accounts that you registered with this email address.

Q42: Is it a good idea to pay criminals that encrypted the files on your computer by deploying so called ransomware? Why or why not? Select all applicable answers.

  1. Yes, because you can be sure you will regain access to your files.
  2. Yes, because you don't have to care about backups yourself.
  3. No, because you have no guarantee that you will regain access to your files.
  4. No, because even when you get your files back criminals might attack you later again because they are still active on your network.

A: The correct answers are 3 and 4. Never give in to criminals trying to extort you. There are simply no guarantees that you will regain access to your files or that they will not do the same again in the future because they are still active on your network and because they know you are willing to pay. Also make sure you have working backups in place. If you want to learn more about ransomware and how to protect against is do read this blog.

Based on the content you've provided regarding cybersecurity practices, it's clear that you're seeking comprehensive guidance to enhance your online safety. Let me break down the concepts discussed in the questions you've listed:

  1. Password Strength: The strongest password is one that is long, random, and unique to each account. Avoid using easily guessable or commonly used passwords.

  2. Weak Passwords: Any password that is commonly used, easily guessable, or leaked in data breaches is considered weak and insecure.

  3. Password Change Frequency: Change passwords only when there's evidence or suspicion of a compromise. Regular changes without reason can be unnecessary and cumbersome.

  4. Password Reuse: It's unsafe to use the same complex password across multiple websites. If one account is compromised, attackers could gain access to other accounts using the same password.

  5. Data Breach Response: After learning about a data breach, change the password for the affected account and all other accounts where the same password is used.

  6. Characteristics of Strong Passwords: Strong passwords are long, random, and unique to each account. They should ideally be at least 12 to 14 characters long.

  7. Sharing Passwords: Never share passwords with others, regardless of the communication method (email, text, phone, etc.).

  8. Secure Backup Strategies: The most secure backup strategy involves storing backups on different mediums in geographically different locations to ensure resilience against data loss.

  9. Padlock in Browser: A padlock in the browser indicates a secure connection between your browser and the website, but it doesn't guarantee the website's legitimacy. Your ISP can still see the sites you visit.

  10. Using Public Wi-Fi: It's generally unsafe to perform sensitive operations, like online banking, over public Wi-Fi due to potential security risks. Using a VPN or mobile data is recommended.

  11. HTTP vs. HTTPS: Websites with "https://" are encrypted and secure for sharing personal data. Always avoid entering personal information on "http://" sites as they are not secure.

  12. Incognito/Private Browsing: Incognito mode doesn’t make you anonymous; it only prevents the browser from saving your browsing history.

  13. Actions after a Business Email Compromise: Change the compromised password, inform the security team, and change passwords on all sites using the same password.

  14. Antivirus on Android: Using antivirus software on an Android device is recommended to mitigate potential threats.

  15. Personal Data under GDPR: IP addresses, birthdates, and home addresses are considered personal data under GDPR.

  16. Giving Bank Details Over the Phone: Never give bank details over the phone, even if the number appears legitimate.

  17. Emails Offering Large Sums of Money: Emails offering substantial amounts of money are likely scams; report and delete them as spam.

  18. Dealing with Pop-Ups for Free Services: Close pop-ups offering free services immediately, as they might be malicious attempts to scam or compromise your device.

  19. Suspect Emails for Password Reset: Ignore and delete suspicious emails requesting password resets and verify directly with the legitimate service provider.

  20. Password Reuse Risks: Reusing passwords across multiple sites is convenient but risky, as one compromised password can lead to access to other accounts.

  21. Leaving Machine Unlocked: Leaving your machine unlocked poses a security risk, allowing unauthorized access to confidential data.

  22. Unexpected Calls from Technical Support: Microsoft or any legitimate tech support won’t make unsolicited calls; it's likely a scam.

  23. Dealing with Suspicious Emails: Report phishing emails and refrain from clicking on links or opening attachments.

  24. Dealing with Unexpected Parcel Delivery Messages: Verify if you're expecting a delivery before responding to such messages.

  25. Operating System Updates: Postponing OS updates can expose vulnerabilities, making your device susceptible to attacks.

  26. Phishing and Social Engineering: Phishing involves psychological manipulation; it's a form of social engineering that targets users to disclose confidential information.

  27. CEO Request for Money Transfer: Always verify such requests through a different channel to avoid falling for CEO fraud.

  28. Questionable Web Pages: Pages offering unexpected gifts or rewards are likely scams; avoid engaging with them.

  29. Characteristics of Phishing Emails: Phishing emails often come unexpectedly and create a sense of urgency to prompt action.

  30. Handling SMS Links from Suppliers/Vendors: Don't click on suspicious SMS links, and verify with the vendor directly if in doubt.

  31. Cyber Security Month: October is recognized as Cyber Security Awareness Month.

  32. Social Engineering Attacks: Social engineering attacks involve manipulating individuals to obtain sensitive information.

  33. Dealing with Found USB Devices: Don't trust or plug in found USB devices; inform the IT department as they could contain malware.

  34. Identifying Legitimate Google Homepage URLs: Google's official homepage is accessible via .

  35. Typosquatting Attack URLs: Typosquatting involves creating URLs similar to legitimate sites to trick users; one such URL might be .

  36. Trusting Emails Based on Text Content: Text claiming a sender as "trusted" doesn't guarantee the email's legitimacy; always assess emails for authenticity.

  37. Assessing Suspicious Emails: Emails asking for personal information or containing dubious requests should be treated as suspicious and avoided.

  38. Taking Quizzes for Freebies: Participating in quizzes for free items can be a ploy to gather personal data; it's safer to avoid such engagements.

  39. Determining Trustworthy Online Shopping Sites: Checking the site's reputation through research and positive customer reviews aids in determining trustworthiness.

  40. Preferred Payment Method for Online Shopping: Using credit cards for online shopping offers fraud protection compared to debit cards.

  41. Lack of PIN on Smartphone: Not having a PIN on your smartphone exposes your data to unauthorized access if the device is lost or stolen.

  42. Paying Ransomware Demands: Paying ransomware demands doesn't guarantee file retrieval and could lead to repeated attacks.

These concepts encompass various cybersecurity practices, emphasizing the importance of vigilance, secure password practices, cautious online behavior, and staying informed about potential threats. Following these practices can significantly enhance your online security posture and protect against various cyber threats.

Security awareness quiz - answers (2024)
Top Articles
Exclusive: Austrian Programmer And Ex Crypto CEO Likely Stole $11 Billion Of Ether
How to set up a VPN on Linux – easy tutorial
Boise, ID Real Estate & Homes for Sale | RE/MAX
ZuidOostZorg zoekt een Verzorgende IG nachtdienst - Lijtehiem (Ureterp) in Ureterp | LinkedIn
Latest Posts
Withdrawal Not Received & Withdrawals to the Wrong Address | KuCoin
How much money you need to earn to be in the top 1% in every U.S. state
Article information

Author: Msgr. Refugio Daniel

Last Updated:

Views: 5922

Rating: 4.3 / 5 (74 voted)

Reviews: 81% of readers found this page helpful

Author information

Name: Msgr. Refugio Daniel

Birthday: 1999-09-15

Address: 8416 Beatty Center, Derekfort, VA 72092-0500

Phone: +6838967160603

Job: Mining Executive

Hobby: Woodworking, Knitting, Fishing, Coffee roasting, Kayaking, Horseback riding, Kite flying

Introduction: My name is Msgr. Refugio Daniel, I am a fine, precious, encouraging, calm, glamorous, vivacious, friendly person who loves writing and wants to share my knowledge and understanding with you.