Security awareness quiz questions

Ashar Javed had an interesting idea to create security awareness quiz questions and asked me if I wanted to cooperate. The idea is to make this a community effort and make these questions available for everyone. These questions are not intended for security professionals but for the average computer user.

Here's a first selection of questions by Ashar and me as an example. We hope that, together with you, we can make this a great resource that can be used by many people and will help to spread security awareness. If you want to contribute, either contact Ashar or me, or leave a reply in the comments of this post. We'll update this post regularly.

Note: The names of the contributors will be added to the reference section of this post.

Q1: Which of the following three is the strongest password?

  1. starwars
  2. 1qaz2wsx
  3. trEEGCv-

Q2: Which of the following is a weak password?

  1. 123456
  2. P@ssw0rd
  3. ILoveYou123
  4. All of the above

Q3: How often should I change a password?

  1. Never
  2. Every week
  3. Every month
  4. Every year
  5. Only when there's proof or suspicion of compromise

Q4: Is it considered safe to use the same complex password on all websites?

  1. Yes
  2. No

Q5: What should I do after I learn about a data breach of a website? Choose the best answer.

  1. Nothing
  2. Change the password of my account for that website
  3. Change the password for my account for that website and of all other websites where I use that same password

Q6: What are the characteristics of a strong password?

  1. Long
  2. Long, random and unique
  3. Long, unique
  4. Long, random

Q7: If you want to share a password with someone, what's the best option?

  1. Send it via email
  2. Send a text message
  3. Tell it via the phone
  4. None of the above

Q8: Which of the following is the most secure backup strategy?

  1. One backup on an external hard disk and another one in a cloud backup
  2. Two backups on two different external hard disks
  3. A backup on an external hard disk

Q9: You open a website and it has a padlock in the browser bar (the lock icon in front of the URL). Which statements are true?

  1. I can be sure that this is a legit, non-malicious site
  2. It tells me that the site is 100% secure
  3. The traffic between my computer (browser) and the server that runs the website is secured
  4. No one, not even my Internet Service Provider, knows which site I visit.
  5. This could be a phishing site.

Q10: Is it generally considered safe to use a Starbucks public Wi-Fi network for performing an online banking operation?

  1. Yes, it is safe
  2. No, it is dangerous

Q11: Is it secure to enter your private information (e.g., date of birth, identification number, etc.) on a site whose address starts with "http://"?

  1. Yes
  2. No

Q12: Which of the following statements are correct? When I use incognito or private mode in a browser...

  1. No one can see the websites I visited, not even my Internet Service Provider.
  2. Others that use my device can't see which sites I visited
  3. I'm anonymous for that website

Q13: Your business email account has been compromised and leaked in a data breach. What is the best course of action?

  1. Change your password immediately
  2. Inform the security team of your organization
  3. Change the password on all sites where you use the same password
  4. All of the above

Q14: Is it useful to run antivirus software on an Android phone?

  1. Yes
  2. It depends, only if you download apps from outside of Google's official app store
  3. No

Q15: Which of the following are considered personal data under GDPR (more than 1 answer possible)?

  1. Your IP address
  2. Your birthdate
  3. Your home address
  4. Only your first name

Q16: If you receive a call from someone who claims to be a clerk at your bank, is it OK to give your bank account details over the phone?

  1. Yes
  2. Never
  3. Only if I recognize that the phone number is from my bank

Q17: You receive an email with subject: "$5 million donation from Bill Gates" and in the email they ask you to provide your telephone number and full postal address to claim the money. What's the best action?

  1. Reply with my phone number and postal address, I want the 5 million dollars
  2. Forward the email to friends, because sharing is caring
  3. Report the email as spam and delete it

Q18: You're browsing and on a random site a pop-up to get free access to Netflix appears. What's the most secure action?

  1. Follow the pop-up instructions to get the free access
  2. Immediately close the pop-up and don’t proceed

Q19: You receive an email from '[email protected]' that urges you to reset your Hyundai password. What should you do?

  1. Change my password immediately as per the instructions given in the email
  2. Don't proceed and delete the email

Q20: Is the following statement true or false? Reusing the same password across multiple sites is a good idea. It's very convenient after all.

  1. True
  2. False

Q21: Is it considered a good security practice to leave your machine unlocked when you leave your desk?

  1. Yes
  2. No

Q22: If you receive an unexpected phone call from Microsoft technical support, should you?

  1. Follow their instructions
  2. Give them your password
  3. Call them back
  4. Hang up

Q23: If you receive a suspicious email, should you?

  1. Reply to it
  2. Open the attachments
  3. Click the links
  4. Report it to the phishing reporting mailbox of your government

Q24: You’re being texted that your parcel delivery will be delayed. In order to expedite it you need to?

  1. Reply to the text
  2. Click on the link provided in the sms
  3. Think first. Am I expecting anything? If not report and delete the sms

Q25: Is the following statement true or false? Because operating system updates are time consuming and may require a restart of the machine, it's a good idea to postpone them as long as possible.

  1. Yes
  2. No

Q26: Which of the following statements are correct?

  1. Phishing is a form of social engineering.
  2. Phishing is a so-called "spray and pray" technique in which an attacker sends the same email to hundreds of potential targets in the hope that some of them will fall victim.
  3. All of the above

Q27: Imagine you work in the finance department of a company. You receive an email from your company's CEO asking you to immediately transfer a few million to a bank account provided in the email. Will you execute the transaction?

  1. Yes, I will do so if my CEO asks me.
  2. I will only execute the transaction after I have received confirmation from the CEO through another channel.

Q28: If you suddenly see the following page in the browser, is it a good idea to claim your present?

  1. Yes
  2. No

Q29: Which of the following statements about a phishing email are true?

  1. The email comes out of the blue. There's no context or previous contact with the sender
  2. The email contains a sense of urgency to get a particular action done
  3. All of the above

Q30: You receive an SMS from a supplier/vendor who asks you to click on a link to renew your contract. You should:

  1. Proceed without worrying
  2. Not proceed by clicking on the link in the SMS

Q31: Which month is considered or recognized as Cyber Security Month?

  1. September
  2. October
  3. November
  4. December

Q32: The person who performs a social engineering attack is known as?

  1. An Information Engineer
  2. A Social Engineer
  3. A Social Media Activist

Q33: Imagine you find a USB device in the hallway at work. What's the best thing to do?

  1. Pick it up and plug it in to see what’s on the USB device. Maybe you can identify the owner.
  2. Leave it in the hallway or bring it to the reception desk, such that the person who lost it can get it back.
  3. Pick it up, don't plug it in but inform your IT department because this could be a USB device containing malware to infect your company's systems.

Q34: Which URL(s) bring(s) you to Google’s Home Page?

  4. All of above

Q35: Which of the following URLs could NOT be used in a so-called 'typosquatting attack'?

  4. All of the above

Q36: You receive the following email which contains "This message was sent from a trusted sender" in the body. Does this mean you can trust that this email is legitimate?

  1. Yes
  2. No

Q37: If you receive the following email, is it a good idea to proceed to get help from CBD?

  1. Yes
  2. No

Q38: You receive the following invite to take a quiz. You decide to take the quiz to receive the free glasses. This is...

  1. A good idea, free stuff is always nice
  2. A bad idea; this is a scam to steal my personal data

Q39: Which of the following things help to decide whether an online shopping website is trustworthy?

  1. The address of the website starts with 'https://'
  2. There's a seal on the website that says '100% secure'
  3. Do a bit of research to see whether the site has a good reputation
  4. Read on the website and look for positive reviews of other customers

Q40: For online shopping it's best to use...?

  1. A credit card
  2. A debit card

Q41: I don’t use a PIN on my smartphone but keep it with me. What could go wrong?

  1. When I lose it all my information and apps are accessible by the finder.
  2. When I leave my phone unattended, miscreants can gain access to all my online accounts using my email address.
  3. When my phone gets stolen the thieves can access all my information and apps.
  4. All of the above.

Q42: Is it a good idea to pay criminals who encrypted the files on your computer by deploying so-called ransomware? Why or why not? Select all applicable answers.

  1. Yes, because you can be sure you will regain access to your files.
  2. Yes, because you don't have to care about backups yourself.
  3. No, because you have no guarantee that you will regain access to your files.
  4. No, because even when you get your files back criminals might attack you later again because they are still active on your network.

The answers to these questions can be found here


A big thank you to the following people for contributing:

Radoslaw Gnat, Tim Morgan

John Opdenakker