Cybersecurity Basics Quiz

This quiz checks the day-to-day cyber hygiene that CISA's Secure Our World guidance and NIST's digital identity guidelines recommend: password manager use, phishing detection, MFA, patching, and secure Wi‑Fi/VPN behavior. Practicing these habits consistently makes workplace incidents such as account takeover and ransomware far less likely; lapses can lead to data breaches, audit findings, and costly downtime, so treat this quiz as reinforcement of mandatory training. ([cisa.gov](https://www.cisa.gov/secure-our-world/recognize-and-report-phishing?utm_source=openai))
1. Enabling automatic updates helps ensure known vulnerabilities are patched promptly.

True / False

2. It is acceptable to share your password with a coworker if they need urgent access.

True / False

3. While traveling, you must approve payroll but only an open airport Wi‑Fi network is available. What should you do?
4. If you delete a suspicious email, there is no need to notify IT or security.

True / False

5. Which practice most reduces the risk that one leaked password will expose multiple workplace accounts?
6. Using a corporate VPN on public Wi‑Fi helps protect your traffic from interception.

True / False

7. Where should you store sensitive client files to meet typical corporate security and compliance requirements?
8. Which accounts should you prioritize first for enabling multi-factor authentication (MFA)?
9. You receive an email marked “URGENT: Overdue Invoice” with a link to “view invoice.” The vendor is one you sometimes use. What is the safest next step?
10. You find an unmarked USB drive in the office parking lot. What should you do?
11. Your laptop prompts you to update the browser during work hours. What is the best security action?
12. Which password is strongest?
13. At a hotel, the Wi‑Fi requires a browser “sign-in” page and you need to upload a sensitive file to a corporate system. What is the safest approach?
14. Select all that apply. Which are common phishing red flags in messages asking you to click a link or open a file?

Select all that apply

15. You clicked a link in a message and entered your login details before realizing the page looked suspicious. What should you do immediately?
16. Select all that apply. Which practices strengthen passwords and reduce account takeover risk?

Select all that apply

17. Arrange these actions in the safest order when you receive a suspicious email containing a link.

Put in order

  1. Report the email using your organization’s process
  2. Pause and avoid clicking anything
  3. Hover over the link to preview the destination
  4. Verify using a separate channel (known phone number/typed URL)
  5. Inspect the sender address and message details

18. Select all that apply. Which actions reduce risk when working remotely on untrusted networks?

Select all that apply

19. Arrange the best sequence of actions after you suspect you opened a malicious attachment on your work device.

Put in order

  1. Disconnect from networks if you can do so safely
  2. Stop interacting with the suspicious content
  3. Record what happened (time, subject line, screenshots)
  4. Report immediately through official IT/security channels
  5. Follow IT/security instructions for containment and recovery

20. Arrange the typical steps to enroll an account in MFA in the correct order.

Put in order

  1. Open Security/Authentication settings
  2. Confirm by completing an MFA challenge
  3. Register an MFA method (authenticator app, hardware security key, etc.)
  4. Save backup codes or recovery options
  5. Sign in to the account

21. Select all that apply. Which endpoint security practices help reduce risk from software vulnerabilities?

Select all that apply

22. Arrange these steps in the safest order to access a sensitive system (like payroll) while traveling.

Put in order

  1. Start the corporate VPN
  2. Verify the VPN is connected
  3. Log in to the sensitive system
  4. Connect your laptop to the hotspot
  5. Log out and disconnect when finished
  6. Enable your phone’s hotspot

23. You receive a text message with a one-time code to reset your corporate email password, but you didn’t request it. Soon after, someone calls claiming to be IT and asks you to read the code. What should you do?
24. Sending client documents to your personal email to work on them later is an approved way to handle sensitive data.

True / False

25. Why is it safer to use a standard (non-admin) account for everyday work?

Disclaimer

This quiz is for educational purposes only. It does not replace official safety training, certification, or regulatory compliance programs.

Cyber Hygiene Mistakes That Cause Preventable Workplace Incidents

Most security failures covered by this quiz aren’t “advanced hacking”—they’re repeatable process breakdowns in email handling, authentication, patching, and data storage. The patterns below map directly to CISA’s user-facing guidance and to the identity and risk-management practices NIST documents emphasize. ([cisa.gov](https://www.cisa.gov/secure-our-world/recognize-and-report-phishing?utm_source=openai))

Authentication and password handling

  • Reusing passwords (or “small variations”) across SaaS tools and personal accounts. Avoid it: use a password manager and unique passphrases per account; assume credential stuffing is routine.
  • Treating MFA as optional for “non-critical” apps (then attackers pivot via SSO, mailbox rules, or shared drives). Avoid it: enable MFA everywhere it’s offered, starting with email, VPN, admin consoles, and financial systems. ([cisa.gov](https://www.cisa.gov/secure-our-world/require-multifactor-authentication?utm_source=openai))
  • Approving unexpected MFA prompts (push fatigue) instead of stopping and reporting. Avoid it: deny the prompt, change the password from a trusted device, and notify IT/security immediately.

Email, links, and attachments

  • Trusting display names instead of verifying the actual sender address and domain. Avoid it: inspect headers/address details and verify payment or credential requests out-of-band.
  • Clicking “to be safe” (e.g., “reset your password” links) and then entering credentials on a look-alike site. Avoid it: navigate using bookmarks/typed URLs, and report suspicious messages. ([cisa.gov](https://www.cisa.gov/secure-our-world/recognize-and-report-phishing?utm_source=openai))
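The "hover and inspect" habit above can be written down as a checklist and automated. The following is an added example (not code from CISA or from the quiz) that flags the usual tricks in a hyperlink: an http link, user info before "@" that hides the real host, a raw IP address, a punycode host that may render as look-alike characters, a trusted name buried as a subdomain of something else, and displayed text that names a different site than the link actually goes to. The trusted-domain set, the registrable-domain heuristic (last two labels instead of a Public Suffix List lookup) and the sample links are all constructed assumptions.

```python
"""Link-inspection helper: surfaces the red flags you look for when hovering a link.

Added example; not code from CISA or the quiz. The trusted-domain set and the
sample links below are constructed for illustration.
"""
import ipaddress
import re
from typing import List, Set
from urllib.parse import urlsplit


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Assumption: a simplified stand-in for a
    Public Suffix List lookup, so 'co.uk'-style suffixes are not handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def inspect_link(href: str, display_text: str, trusted_domains: Set[str]) -> List[str]:
    """Return the red flags for a hyperlink. An empty list means none of these
    mechanical checks fired, not that the link is safe."""
    flags: List[str] = []
    parts = urlsplit(href.strip())

    if parts.scheme.lower() != "https":
        flags.append(f"scheme is {parts.scheme or 'missing'}, not https")
    if parts.username is not None:
        # https://trusted.example@evil.example/ sends the browser to evil.example
        flags.append("user info before '@' hides the real host")

    host = parts.hostname or ""
    if not host:
        flags.append("link has no host")
        return flags

    try:
        ipaddress.ip_address(host)
        flags.append("host is a raw IP address")
        actual = host
    except ValueError:
        actual = registrable_domain(host)

    if host.startswith("xn--") or ".xn--" in host:
        # Punycode label: what the user sees may use look-alike characters
        try:
            shown_as = host.encode("ascii").decode("idna")
        except UnicodeError:
            shown_as = host
        flags.append(f"punycode host renders as {shown_as!r}; check each character")

    if actual not in trusted_domains:
        flags.append(f"destination {actual} is not a known domain")

    # Trusted name buried inside a longer hostname owned by someone else
    for trusted in trusted_domains:
        if trusted in host and actual != trusted:
            flags.append(f"'{trusted}' appears in the host but the real domain is {actual}")

    # Displayed text that names a different site than the href points to
    match = re.search(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", display_text.lower())
    if match:
        shown = registrable_domain(match.group(1))
        if shown != actual:
            flags.append(f"text shows {shown} but the link goes to {actual}")
    return flags


TRUSTED = {"vendor-example.com"}  # assumption: domains your organisation actually deals with


def demo() -> dict:
    """Run the checker over constructed sample links and return the flags per case."""
    homograph_host = "vendor-ex\u0430mple.com".encode("idna").decode("ascii")  # Cyrillic 'а'
    cases = {
        "legit": ("https://portal.vendor-example.com/invoices/1234", "View invoice"),
        "lookalike_subdomain": ("http://vendor-example.com.invoice-review.example/view",
                                "https://vendor-example.com/invoices/1234"),
        "userinfo": ("https://vendor-example.com@203.0.113.10/pay", "Pay now"),
        "homograph": (f"https://{homograph_host}/login", "vendor-example.com"),
    }
    return {name: inspect_link(href, text, TRUSTED) for name, (href, text) in cases.items()}
```

An empty result is not a clean bill of health; it only means none of these mechanical red flags fired, so the out-of-band verification steps (bookmark or typed URL, known phone number) still apply before any credentials or payments go anywhere.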

Device and network hygiene

  • Delaying updates because “it still works.” Avoid it: allow automatic updates where possible; schedule reboots so security patches actually apply.
  • Working on open public Wi‑Fi without protections and assuming HTTPS is enough. Avoid it: prefer a mobile hotspot; if policy allows, use a corporate VPN and avoid sensitive admin actions on untrusted networks.
  • Storing work data in uncontrolled locations (personal cloud drives, unencrypted USB drives, personal email), which defeats retention, access control, and incident response. Avoid it: use only approved storage with logging and access controls.

Incident reporting and containment

  • Trying to “self-fix” quietly (deleting the email, rebooting, reinstalling software) without ever reporting. Avoid it: report quickly with what happened, when, and what you clicked or entered; speed improves containment, and leaving the device as it is preserves the evidence responders need.

Workday Cybersecurity Decision Drills (Email, Devices, Networks)

Use these short drills to rehearse the exact “stop-and-think” decisions the quiz targets: verifying identity, protecting credentials, maintaining secure configurations, and escalating potential incidents before they spread. ([cisa.gov](https://www.cisa.gov/secure-our-world/recognize-and-report-phishing?utm_source=openai))

Email and messaging scenarios

  1. “Urgent invoice” link from a known vendor: the email threatens service suspension and includes a one-click payment link.

    Best action: verify the sender domain, then access the vendor portal via a saved bookmark/typed URL (not the email link); confirm by calling a known number if anything is off; report as suspected phishing. ([cisa.gov](https://www.cisa.gov/secure-our-world/recognize-and-report-phishing?utm_source=openai))

  2. Shared document invite: a file-sharing notification asks you to sign in to view a “policy update,” but the sign-in page looks slightly different.

    Best action: do not enter credentials; open the collaboration tool directly and check “shared with me”; report the message so security can block similar lures.

  3. CEO text request: a text claims to be an executive asking for gift cards “before a meeting.”

    Best action: treat it as social engineering; verify via an approved internal channel (directory number/Teams) and follow purchasing approval rules—no exceptions for urgency.

Authentication and account access scenarios

  1. MFA push you didn’t initiate: you receive repeated login approval prompts while not signing in.

    Best action: deny prompts, stop what you’re doing, notify IT/security, and reset credentials from a trusted device; assume credentials may be compromised. ([cisa.gov](https://www.cisa.gov/secure-our-world/require-multifactor-authentication?utm_source=openai))

  2. Password reset call: “Help desk” asks you to read a one-time verification code to “confirm your identity.”

    Best action: never share one-time codes; hang up and call the official support number; report the impersonation attempt.

Device, patching, and network scenarios

  1. Update prompt during a deadline: your laptop requests a reboot for security updates.

    Best action: schedule the reboot as soon as feasible per policy; don’t defer indefinitely—unpatched known vulnerabilities are routinely exploited.

  2. Airport Wi‑Fi + payroll approval: open network, no password, and you need to approve payroll.

    Best action: use a mobile hotspot (preferred) or corporate VPN if permitted; avoid administrative actions on untrusted networks when you can safely delay.

  3. Found USB drive: labeled “Q1 layoffs” in the parking lot.

    Best action: do not plug it in; follow your org’s media handling/reporting process so it can be assessed safely.

Cybersecurity Basics: 5 Non‑Negotiable Habits for Compliance

  1. Use unique credentials everywhere and store them in a password manager so one breached site can’t cascade into SSO, email, and payroll compromise.
  2. Enable MFA on all accounts that support it—starting with email and remote access—and treat unexpected prompts as an incident to report, not an annoyance to dismiss. ([cisa.gov](https://www.cisa.gov/secure-our-world/require-multifactor-authentication?utm_source=openai))
  3. Assume urgent, surprising, or “too easy” requests are suspicious; verify payment and login requests out-of-band instead of replying or clicking in-message. ([cisa.gov](https://www.cisa.gov/secure-our-world/recognize-and-report-phishing?utm_source=openai))
  4. Patch and reboot on a schedule; an update that’s downloaded but never applied is still a vulnerability window.
  5. Keep sensitive work data only in approved, monitored storage so access control, retention, and incident response work as designed—and report mistakes immediately to limit harm.

Cybersecurity Basics Glossary for Daily Work (With Examples)

Phishing
A deceptive message designed to trick you into clicking a link, opening an attachment, or sharing credentials. Example: An “invoice overdue” email that sends you to a fake login page. ([cisa.gov](https://www.cisa.gov/secure-our-world/recognize-and-report-phishing?utm_source=openai))
Spear phishing
Targeted phishing tailored to a person or role using real details. Example: A message referencing your current project and a real coworker’s name to increase trust.
Credential stuffing
Automated login attempts using stolen username/password pairs from other breaches. Example: Attackers try your personal leaked password against your work SaaS accounts.
Multi-factor authentication (MFA)
Sign-in that requires two or more independent factors, typically something you know (password) plus something you have (phone, security key) or something you are (fingerprint). Example: Password + an authenticator app code when accessing email remotely. ([cisa.gov](https://www.cisa.gov/secure-our-world/require-multifactor-authentication?utm_source=openai))
Phishing-resistant MFA
MFA methods whose credential is bound to the legitimate site’s origin, so a look-alike site cannot obtain a usable response. Example: A FIDO2/WebAuthn hardware security key that refuses to authenticate to a fake login page because its domain does not match the one the key was registered with.
Patch
A software update that fixes security flaws or bugs. Example: Installing a browser update that closes a known vulnerability used in drive-by attacks.
Least privilege
Giving users only the access needed for their job, no more. Example: A user can approve invoices but cannot create new vendor bank accounts.
VPN (Virtual Private Network)
An encrypted tunnel that protects traffic between your device and a trusted network. Example: Using the corporate VPN on hotel Wi‑Fi before accessing internal systems.

Authoritative CISA + NIST References for Cyber Hygiene

  • CISA: Recognize and Report Phishing — Practical cues for spotting suspicious messages and the reporting behaviors that reduce organizational impact. ([cisa.gov](https://www.cisa.gov/secure-our-world/recognize-and-report-phishing?utm_source=openai))
  • CISA: Require Multifactor Authentication — Why MFA matters, common MFA methods, and implementation guidance for organizations and users. ([cisa.gov](https://www.cisa.gov/secure-our-world/require-multifactor-authentication?utm_source=openai))
  • CISA: Cybersecurity Performance Goals (CPGs) — Baseline cyber practices and prioritization guidance that help organizations reduce common attack paths. ([cisa.gov](https://www.cisa.gov/cybersecurity-performance-goals-cpgs?utm_source=openai))
  • NIST: Cybersecurity Framework (CSF) — The high-level risk management framework used to structure policies, roles, and continuous improvement. ([nist.gov](https://www.nist.gov/cyberframework?utm_source=openai))
  • NIST SP 800-63B: Digital Identity Guidelines (Authentication) — Detailed guidance on authenticators and password (memorized secret) verifier practices used in modern identity programs. ([pages.nist.gov](https://pages.nist.gov/800-63-4/sp800-63b.html?utm_source=openai))

Cybersecurity Basics FAQ for Employees and Supervisors

What should I do immediately after I clicked a suspicious link or entered credentials?

Stop interacting with the page and, if your policy allows or instructs it, disconnect the device from the network; do not “clean up” by reinstalling software or wiping the device, because that destroys evidence. Report to IT/security immediately with what you clicked, the time, and what you typed. If you entered a password, change it from a known-clean device and expect IT to force a reset and revoke active sessions and tokens, since the attacker may already be signed in. Fast reporting limits lateral movement and helps security block the campaign for everyone.

Why is MFA still required if I already use a long, complex password?

Passwords are frequently stolen via phishing, malware, or reuse from unrelated breaches. MFA adds an additional control so a password alone is less likely to result in account takeover—especially for email, VPN, and administrative functions. Your quiz scenarios may also cover push fatigue; never approve prompts you didn’t initiate. ([cisa.gov](https://www.cisa.gov/secure-our-world/require-multifactor-authentication?utm_source=openai))

Is SMS/text-message MFA “good enough,” or should we use an authenticator app or security key?

SMS is better than no second factor, but it has known weaknesses: SIM-swap and number-porting attacks, and the code itself can be phished or talked out of you by a caller posing as IT. Many organizations prefer authenticator apps, and higher-risk roles increasingly move to phishing-resistant options such as FIDO2 security keys or device-bound passkeys, whose credentials are tied to the real site’s origin. Follow your organization’s approved MFA methods and treat any request to downgrade (“switch to SMS so we can help you”) as suspicious.

When does a message count as phishing if it comes from a real coworker’s account?

If a coworker’s mailbox is compromised, their messages can deliver malicious links, attachment malware, or fraudulent payment requests while looking “normal.” Treat unexpected urgency, unusual file types, new payment instructions, or requests for credentials/one-time codes as red flags, even when the sender is internal. Use a separate channel to verify before acting. ([cisa.gov](https://www.cisa.gov/secure-our-world/recognize-and-report-phishing?utm_source=openai))

Does NIST require frequent password rotation?

No. NIST SP 800-63B says verifiers should not require memorized secrets to be changed on a schedule, but must force a change when there is evidence the password has been compromised. The emphasis is instead on unique passwords, screening new passwords against breached-password lists, MFA, monitoring, and changing credentials when there is evidence of compromise or elevated risk. Always follow your organization’s policy, but understand the rationale: forced frequent changes drive predictable patterns (Summer2024! becomes Fall2024!) and unsafe storage habits. ([pages.nist.gov](https://pages.nist.gov/800-63-3/sp800-63b.html?utm_source=openai))
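As an added example (not NIST’s code) of what “verifier practices” means in SP 800-63B terms, here is a password acceptance check that applies the guideline’s rules: a length floor and a generous ceiling, no composition rules, Unicode normalization before counting, and rejection of blocklisted, context-specific, username-containing, and repeated or sequential secrets. The blocklist, the context words and the usernames are constructed placeholders; a real deployment screens against a breached-password corpus. The 8-character minimum is the revision 3 floor; newer revisions recommend 15, so it is a parameter.

```python
"""Memorized-secret (password) acceptance check in the spirit of NIST SP 800-63B.

Added example, not NIST's code. Thresholds follow SP 800-63B rev. 3 (minimum
8 characters, allow at least 64, no composition rules, blocklist screening,
no forced periodic rotation). BLOCKLIST and CONTEXT_WORDS are constructed
stand-ins for a real breached-password corpus and your organisation's names.
"""
import unicodedata
from typing import List

BLOCKLIST = {"password", "password1", "p@ssw0rd", "qwerty123", "letmein", "welcome1", "12345678"}
CONTEXT_WORDS = {"acme", "payroll"}  # assumption: employer and system names users tend to pick


def _has_run(s: str, length: int = 4) -> bool:
    """True if s contains `length` identical characters in a row or a strictly
    ascending sequence (abcd, 1234), which SP 800-63B lists as blocklist material."""
    for i in range(len(s) - length + 1):
        chunk = s[i:i + length]
        if len(set(chunk)) == 1:
            return True
        codes = [ord(c) for c in chunk]
        if all(b - a == 1 for a, b in zip(codes, codes[1:])):
            return True
    return False


def check_memorized_secret(secret: str, username: str, min_len: int = 8, max_len: int = 64) -> List[str]:
    """Return the reasons a secret should be rejected; an empty list means accept.
    Length is counted after NFKC normalisation, and spaces and any printable
    characters are allowed: there are no composition rules."""
    s = unicodedata.normalize("NFKC", secret)
    low = s.lower()
    reasons: List[str] = []
    if len(s) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    if len(s) > max_len:
        reasons.append(f"longer than {max_len} characters")
    if low in BLOCKLIST:
        reasons.append("matches a breached or commonly used password")
    if username and username.lower() in low:
        reasons.append("contains the username")
    for word in CONTEXT_WORDS:
        if word in low:
            reasons.append(f"contains context-specific word '{word}'")
    if _has_run(low):
        reasons.append("contains repeated or sequential characters")
    return reasons


def is_acceptable(secret: str, username: str) -> bool:
    return not check_memorized_secret(secret, username)
```

Note what is absent: there is no “must contain a symbol” rule and no expiry date. A long passphrase of ordinary words passes, a short token that satisfies every composition rule but sits on a breach list does not, which is the guideline’s point.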

Is it acceptable to use public Wi‑Fi for work if I’m using a VPN?

A corporate VPN substantially reduces exposure on untrusted networks, but it does not make every action risk-free: your device may already be compromised, the captive-portal sign-in page usually has to be visited before the tunnel is up, and phishing steals credentials regardless of the network. Prefer a mobile hotspot for sensitive actions (finance, admin changes), confirm the VPN is actually connected before you sign in to anything, and keep your device fully patched. If you want deeper practice on the network basics behind this, pair this quiz with Basic Networking Quiz - Free Practice Questions.

How do cybersecurity basics connect to data privacy and compliance obligations?

Cyber hygiene controls (access control, MFA, patching, secure storage, timely reporting) directly support confidentiality and integrity expectations in many privacy and contractual regimes. A single compromised mailbox can become a reportable breach if regulated data is exposed. For scenarios focused on handling sensitive data, see Data Protection Quiz.