
Security Awareness Quiz

Test your cybersecurity knowledge with these 10 questions. Read each question carefully, choose your answer, then compare it with the correct answer and explanation that follow. Share this quiz with your team to identify areas where additional training would help.

Question 1: Phishing Recognition

You receive an email from "IT Support" asking you to click a link and verify your password because your account will be locked in 24 hours. The email address is support@it-helpdesk-verify.com. What should you do?

  A. Click the link and enter your password to avoid being locked out
  B. Reply to the email asking if it is legitimate
  C. Do not click the link. Contact your IT department directly using a known phone number or email address to verify the request
  D. Forward the email to your coworkers to warn them

Correct answer: C

Never click links or enter credentials based on an email request, even if it appears to come from IT. Legitimate IT departments will not ask for your password via email. Contact IT directly through a known, trusted channel (phone, in-person, or an email address you already have) to verify whether the request is real. Do not reply to the suspicious email (option B) because you would be communicating with the attacker. Do not forward it to coworkers (option D) without IT guidance, as they might click the link.

Question 2: Password Security

Which of the following is the strongest password?

  A. P@ssw0rd!2024
  B. correct-horse-battery-staple
  C. J8#kL2$m
  D. admin123456

Correct answer: B

"correct-horse-battery-staple" is 28 characters long and extremely difficult to brute-force, even though it uses only lowercase letters and hyphens. Option A looks complex but is a common variation that appears in attacker dictionaries. Option C is only 8 characters and can be cracked relatively quickly despite its complexity. Option D is a trivially guessable password. Length beats complexity. A long passphrase made of random words is both stronger and easier to remember than a short, complex password.

Question 3: Physical Security

You are leaving your desk to attend a 30-minute meeting. What should you do with your computer?

  A. Leave it as-is since you will be back soon
  B. Lock the screen (Windows: Win+L, Mac: Ctrl+Command+Q)
  C. Shut down the computer completely
  D. Turn off the monitor but leave the computer unlocked

Correct answer: B

Lock your screen every time you leave your desk, even for a short time. It takes less than two seconds and prevents anyone from accessing your accounts, emails, or patient data while you are away. Shutting down (option C) is unnecessary for a short absence and wastes time. Turning off the monitor (option D) provides no security since anyone can turn it back on and access your unlocked session. An unlocked computer in a healthcare environment could lead to a HIPAA violation if unauthorized individuals view patient information on your screen.

Question 4: Social Engineering

Someone calls your office claiming to be from your EHR vendor's support team. They say they need your login credentials to fix a critical system issue. What should you do?

  A. Give them your credentials since they need to fix the system
  B. Give them only your username but not your password
  C. Hang up, look up the vendor's official support number, and call them back to verify the request
  D. Ask them to prove they are from the vendor by telling you your account details

Correct answer: C

Legitimate support teams will never ask for your password over the phone. This is a classic social engineering tactic called vishing (voice phishing). The correct response is to hang up and call the vendor's official support number, which you can find on their website or in your contract. Option B is also dangerous because giving out your username helps the attacker. Option D is a trap: attackers may have some of your account details already (from a previous breach or from publicly available information) and can use them to build false credibility.

Question 5: Data Handling

A coworker asks you to email a spreadsheet containing patient names, dates of birth, and appointment dates to their personal Gmail account so they can work from home this weekend. What should you do?

  A. Send it since they are a coworker and need it for work
  B. Send it but password-protect the file first
  C. Decline and explain that PHI cannot be sent to personal email accounts. Help them access the data through an approved secure method instead.
  D. Send it but delete the email after they confirm receipt

Correct answer: C

Patient names, dates of birth, and appointment dates are Protected Health Information (PHI) under HIPAA. PHI must never be sent to personal email accounts, regardless of who is requesting it. Personal email accounts are not covered by your organization's security controls or Business Associate Agreements. Password-protecting the file (option B) does not make it compliant. Deleting the email (option D) does not undo the exposure. Instead, help your coworker access the data through approved channels such as VPN, a secure remote desktop, or a company-managed cloud platform.

Question 6: USB Drive Safety

You find a USB drive in the parking lot with a label that says "Employee Salary Data 2025." What should you do?

  A. Plug it into your computer to see who it belongs to so you can return it
  B. Plug it into a computer that is not connected to the network
  C. Turn it in to IT or your manager without plugging it in to any device
  D. Throw it away to be safe

Correct answer: C

Dropping USB drives with enticing labels is a well-known attack technique called a USB drop attack (or baiting). The drive may contain malware that installs automatically when plugged in. The label "Employee Salary Data" is designed to exploit curiosity. Never plug in an unknown USB drive, even on an air-gapped computer (option B), as some malware can later transfer when the device reconnects. Do not throw it away (option D) because IT may want to analyze it to understand if the organization is being targeted. Turn it over to IT and let them handle it safely.

Question 7: Public Wi-Fi

You are at a coffee shop and need to check your work email. The coffee shop offers free Wi-Fi. What is the safest approach?

  A. Connect to the free Wi-Fi and check your email normally
  B. Connect to the free Wi-Fi and use your company VPN before accessing any work resources
  C. Use your phone's cellular hotspot instead of the public Wi-Fi
  D. Both B and C are acceptable approaches

Correct answer: D

Both options B and C are acceptable. A VPN encrypts all traffic between your device and your company's network, making it safe to use even on untrusted public Wi-Fi. Using your phone's cellular hotspot avoids the public network entirely, which is also secure. Option A is risky because public Wi-Fi can be monitored by attackers through man-in-the-middle attacks, or the entire network could be a fake "evil twin" set up by an attacker. The key principle: never access work resources on an untrusted network without a VPN.

Question 8: Reporting Incidents

You accidentally clicked a link in a suspicious email, but the page looked broken and nothing seemed to happen. What should you do?

  A. Nothing, since the page did not load properly and probably did not work
  B. Run antivirus software yourself and move on if it finds nothing
  C. Report it to IT immediately, even though nothing appeared to happen
  D. Wait and see if anything unusual happens over the next few days, then report it if needed

Correct answer: C

Report it immediately, regardless of what appeared to happen on screen. Malware can install silently in the background without any visible indication. A "broken" page may have successfully executed malicious code before showing the error. Waiting to see what happens (option D) gives the malware time to spread, exfiltrate data, or establish a persistent connection. Running antivirus yourself (option B) is helpful but not sufficient since you may not have the latest threat signatures, and IT needs to check other systems for signs of the same attack. Fast reporting is always the right call.

Question 9: Multi-Factor Authentication

You receive a push notification on your phone asking you to approve a login to your work account, but you are not currently trying to log in. What should you do?

  A. Approve it since it might be a system update
  B. Deny the request and immediately report it to IT
  C. Ignore it and it will time out on its own
  D. Approve it and then change your password

Correct answer: B

An unexpected MFA prompt means someone has your password and is actively trying to log in to your account right now. Deny the request immediately and report it to IT. Your password has been compromised and needs to be changed right away. Ignoring it (option C) is dangerous because attackers may send repeated prompts hoping you will eventually approve one out of frustration (this is called MFA fatigue or MFA bombing). Never approve an MFA request you did not initiate. Approving and then changing your password (option D) gives the attacker access to your account, even briefly.

Question 10: Secure Data Disposal

You need to dispose of an old office computer that previously stored patient records. What is the proper procedure?

  A. Delete all files, empty the Recycle Bin, and donate the computer
  B. Format the hard drive and sell the computer online
  C. Have IT perform a certified data wipe or physically destroy the hard drive, then document the disposal
  D. Remove the hard drive and throw it in the regular trash, then donate the computer

Correct answer: C

Deleting files and emptying the Recycle Bin (option A) does not actually remove the data. It only removes the references to the files, and the data can be recovered with freely available tools. Formatting (option B) is slightly better but still recoverable with specialized software. Throwing a hard drive in the trash (option D) is both insecure and often violates e-waste regulations. For devices that stored PHI, HIPAA requires that ePHI be rendered unrecoverable before disposal. This means either a certified multi-pass data wipe with a certificate of destruction, or physical destruction (degaussing, shredding, or drilling). Document the disposal for your compliance records.

How Did You Score?

Train your team with hands-on workshops

We offer interactive cybersecurity training with simulated phishing, real-world scenarios, and practical exercises tailored to your industry.
