<div id="quiz-app"></div>
Format of each question object:
 *   cat   — category string (one of the categories listed below)
 *   q     — question text
 *   opts  — array of exactly 4 answer strings
 *   ans   — zero-based index (0–3) into opts of the correct answer
 *   exp   — explanation shown after the question has been answered
 *
 * Categories:
 *   Phishing (20)
 *   Passwords & MFA (15)
 *   Safe Browsing (15)
 *   Device Security (15)
 *   Social & Privacy (15)
 *   Incident Response (10)
 *   Threats & Concepts (10)
 */

const ALL_QUESTIONS = [

  /* ════════════════════════════════════════
     PHISHING  (20 questions)
  ════════════════════════════════════════ */

  {
    cat: "Phishing",
    q: "You receive an urgent email saying your bank account will be frozen in one hour unless you click a link. What is the safest first step?",
    opts: [
      "Click the link quickly to avoid losing access",
      "Call your bank using the number on your debit card to verify",
      "Reply to the email asking for more time",
      "Forward the email to friends for their opinion"
    ],
    ans: 1,
    exp: "Legitimate banks never demand immediate action via email. Always verify by calling the official number printed on your card or found on the bank's real website."
  },
  {
    cat: "Phishing",
    q: "Which of these is the strongest indicator that an email is a phishing attempt?",
    opts: [
      "The email uses your first name",
      "The reply-to address is different from the displayed sender address",
      "The email includes an unsubscribe link",
      "The email was received on a weekend"
    ],
    ans: 1,
    exp: "A mismatched reply-to address is a classic phishing tell — the display name looks legitimate, but replies route to the attacker's inbox."
  },
  {
    cat: "Phishing",
    q: "A text message from 'HMRC' says you owe taxes and will be arrested unless you pay immediately. What should you do?",
    opts: [
      "Pay using the link provided to avoid arrest",
      "Ignore and delete it — government agencies never threaten immediate arrest via text",
      "Reply with your National Insurance number to verify your identity",
      "Call the phone number provided in the text"
    ],
    ans: 1,
    exp: "Government agencies never demand instant payment by text or threaten immediate arrest. This is a classic smishing (SMS phishing) scam."
  },
  {
    cat: "Phishing",
    q: "You hover over a link labelled 'Microsoft Support' and the URL shown is 'micros0ft-helpdesk.xyz'. What should you do?",
    opts: [
      "Click it — Microsoft is a trusted brand so it is safe",
      "Do not click it — the misspelled domain and suspicious TLD are phishing indicators",
      "Click it only if you are on a work computer",
      "The .xyz extension guarantees it is legitimate"
    ],
    ans: 1,
    exp: "Typosquatted domains (using zero instead of 'o') and unusual TLDs like .xyz are strong phishing signals. Never click such links."
  },
  {
    cat: "Phishing",
    q: "Spear phishing differs from bulk phishing because it:",
    opts: [
      "Uses better graphic design",
      "Is targeted at a specific individual using personal details gathered in advance",
      "Only targets mobile devices",
      "Requires the victim to open an attachment"
    ],
    ans: 1,
    exp: "Spear phishing uses personal information — name, employer, role, recent activity — to craft highly convincing targeted messages."
  },
  {
    cat: "Phishing",
    q: "An email asks you to open an attached Word document to view an invoice. What is the primary risk?",
    opts: [
      "Word documents are always safe to open",
      "The document may contain malicious macros that install malware on execution",
      "Only PDF attachments are dangerous",
      "Attachments from known-looking senders are always safe"
    ],
    ans: 1,
    exp: "Malicious macros embedded in Office documents are a leading malware delivery method, even when the sender appears familiar."
  },
  {
    cat: "Phishing",
    q: "What does 'smishing' mean?",
    opts: [
      "Phishing via social media platforms",
      "Phishing delivered through SMS text messages",
      "Phishing that creates fake websites",
      "Phishing targeting small businesses"
    ],
    ans: 1,
    exp: "Smishing = SMS phishing. Attackers send text messages with malicious links, often impersonating banks, delivery services, or government agencies."
  },
  {
    cat: "Phishing",
    q: "You receive a LinkedIn message from your CEO asking you to urgently buy gift cards for a client. What should you do?",
    opts: [
      "Buy the cards — the request came from the CEO's LinkedIn profile",
      "Verify the request by calling the CEO on their known direct number",
      "Reply via the LinkedIn thread to ask for more details",
      "Ignore it — executives never use LinkedIn for business"
    ],
    ans: 1,
    exp: "CEO gift card fraud is extremely common. Always verify unusual financial requests through a separate, trusted channel before acting."
  },
  {
    cat: "Phishing",
    q: "A browser pop-up warns your computer is infected and displays a phone number to call for help. This is most likely:",
    opts: [
      "A legitimate warning from Windows Defender",
      "A tech support scam — close the browser and do not call the number",
      "A genuine alert from your antivirus software",
      "A notification from your internet service provider"
    ],
    ans: 1,
    exp: "Legitimate security software never shows phone numbers in browser pop-ups. This is a tech support scam designed to steal money or remote access."
  },
  {
    cat: "Phishing",
    q: "What is 'whaling' in the context of phishing?",
    opts: [
      "Bulk phishing emails sent to millions of random users",
      "Highly targeted phishing attacks aimed specifically at senior executives",
      "Phishing conducted via WhatsApp",
      "Using large file attachments as email bait"
    ],
    ans: 1,
    exp: "Whaling targets high-value individuals — CEOs, CFOs, board members — with sophisticated, personalised attacks often involving fake legal or financial documents."
  },
  {
    cat: "Phishing",
    q: "What is 'vishing'?",
    opts: [
      "Phishing via video calls",
      "Phishing conducted by voice — typically phone calls impersonating trusted organisations",
      "Visual phishing using fake websites",
      "Phishing that targets virtual machines"
    ],
    ans: 1,
    exp: "Vishing (voice phishing) uses phone calls. Attackers impersonate banks, tech support, HMRC, or colleagues to extract credentials or money."
  },
  {
    cat: "Phishing",
    q: "An email contains correct grammar, your full name, your employer's name, and refers to a project you are working on. This is most likely:",
    opts: [
      "A legitimate internal email",
      "A spear phishing email using information gathered from public sources such as LinkedIn",
      "A mass phishing email that got lucky",
      "An automated HR notification"
    ],
    ans: 1,
    exp: "Attackers use OSINT (open source intelligence) from LinkedIn, company websites, and social media to craft convincing personalised phishing messages."
  },
  {
    cat: "Phishing",
    q: "Which of the following is the safest action when you receive an unexpected email with a link asking you to reset your password?",
    opts: [
      "Click the link — it is probably a legitimate security prompt",
      "Ignore the email and go directly to the website yourself to check your account",
      "Click the link only if the email looks professional",
      "Forward it to colleagues to see if they received the same email"
    ],
    ans: 1,
    exp: "Navigating directly to the website by typing the URL yourself guarantees you reach the real site, not a phishing replica."
  },
  {
    cat: "Phishing",
    q: "What makes Business Email Compromise (BEC) particularly dangerous?",
    opts: [
      "It always contains malware attachments",
      "It uses compromised or spoofed legitimate email accounts to make fraudulent requests appear genuine",
      "It targets only large enterprises",
      "It is easily detected by standard spam filters"
    ],
    ans: 1,
    exp: "BEC uses real or convincingly spoofed email accounts, bypassing technical filters and exploiting human trust. It caused over $2.9 billion in losses in 2023."
  },
  {
    cat: "Phishing",
    q: "A colleague forwards you an email asking you to urgently approve a change to your organisation's bank payment details. What should you do?",
    opts: [
      "Approve it — the request came from a known colleague",
      "Verify the change by calling the finance team directly using a known number before approving anything",
      "Check if the email address looks correct, then approve",
      "Approve it if the amount is under your authorisation threshold"
    ],
    ans: 1,
    exp: "Payment redirection fraud is a major BEC attack type. Always verify bank detail changes through a separate, pre-existing communication channel."
  },
  {
    cat: "Phishing",
    q: "What does 'angler phishing' mean?",
    opts: [
      "Phishing attacks timed to coincide with fishing seasons",
      "Phishing conducted via fake social media customer service accounts targeting people who complain online",
      "Phishing emails that use angling or outdoor sports themes",
      "Phishing that targets financial trading platforms"
    ],
    ans: 1,
    exp: "Angler phishing exploits social media. Attackers create fake brand support accounts and intercept complaints, directing victims to credential-harvesting pages."
  },
  {
    cat: "Phishing",
    q: "You receive an email saying a package could not be delivered and asking you to click a link to reschedule. You were not expecting a delivery. What should you do?",
    opts: [
      "Click the link — delivery companies often send these emails",
      "Do not click the link. If you are expecting something, go directly to the carrier's official website using a search engine",
      "Click the link only if your email provider did not mark it as spam",
      "Open the link on your phone instead of your computer"
    ],
    ans: 1,
    exp: "Parcel delivery phishing is one of the most common smishing and email phishing lures. Always access carrier tracking through their official website directly."
  },
  {
    cat: "Phishing",
    q: "What is a 'watering hole' attack?",
    opts: [
      "Flooding a server with requests to cause it to fail",
      "Compromising a website that the target audience is known to visit, then infecting visitors with malware",
      "Phishing emails that target water utility companies",
      "An attack that targets outdoor event organisers"
    ],
    ans: 1,
    exp: "Watering hole attacks compromise legitimate websites frequented by the intended victims, silently infecting visitors with malware without requiring any direct contact."
  },
  {
    cat: "Phishing",
    q: "Which technical control helps organisations defend against phishing emails that spoof their domain?",
    opts: [
      "Installing a VPN on all employee devices",
      "Implementing DMARC, DKIM, and SPF email authentication records",
      "Blocking all external emails",
      "Requiring employees to change passwords monthly"
    ],
    ans: 1,
    exp: "DMARC, DKIM, and SPF are email authentication standards that verify senders and prevent attackers from spoofing a legitimate organisation's email domain."
  },
  {
    cat: "Phishing",
    q: "You receive an email with an attached QR code asking you to scan it to verify your account. This is known as:",
    opts: [
      "A legitimate verification method used by most companies",
      "Quishing — QR code phishing designed to bypass email link scanners",
      "A standard two-factor authentication step",
      "A secure out-of-band verification method"
    ],
    ans: 1,
    exp: "Quishing embeds malicious URLs in QR codes. Because email security tools scan text links rather than images, QR codes often bypass automated defences."
  },

  /* ════════════════════════════════════════
     PASSWORDS & MFA  (15 questions)
  ════════════════════════════════════════ */

  {
    cat: "Passwords & MFA",
    q: "What makes a passphrase like 'correct-horse-battery-staple' stronger than 'P@ssw0rd1!'?",
    opts: [
      "It contains more special characters",
      "It is significantly longer and composed of random words, giving it far more entropy",
      "It is easier for password systems to remember",
      "It uses more numbers"
    ],
    ans: 1,
    exp: "Length is the primary driver of password strength. Four random words create more combinations than a short complex password, making brute-force attacks impractical."
  },
  {
    cat: "Passwords & MFA",
    q: "Why is reusing the same password across multiple accounts dangerous?",
    opts: [
      "It causes websites to load more slowly",
      "If one site is breached, all accounts using that password become vulnerable through credential stuffing",
      "Password managers cannot store reused passwords correctly",
      "It violates most websites terms of service"
    ],
    ans: 1,
    exp: "Credential stuffing attacks automatically try leaked username and password pairs against other services. Unique passwords per site limit the damage of any single breach."
  },
  {
    cat: "Passwords & MFA",
    q: "You receive an unexpected MFA push notification on your phone that you did not initiate. What should you do?",
    opts: [
      "Approve it to clear the notification",
      "Deny it immediately, then change your password and review account activity for unauthorised access",
      "Ignore it — it will expire on its own",
      "Approve it if it arrives during business hours"
    ],
    ans: 1,
    exp: "An unexpected MFA prompt means someone already has your password and is attempting to log in. Denying and resetting cuts off the attack. This is called an MFA fatigue attack."
  },
  {
    cat: "Passwords & MFA",
    q: "Which type of MFA is the most resistant to phishing attacks?",
    opts: [
      "SMS one-time codes",
      "Email magic links",
      "FIDO2 hardware security keys such as a YubiKey",
      "Backup recovery codes stored in your email"
    ],
    ans: 2,
    exp: "FIDO2 keys are phishing-resistant because they cryptographically verify the exact domain. A fake login page cannot intercept or replay the authentication."
  },
  {
    cat: "Passwords & MFA",
    q: "What is the primary security risk of using SMS codes as your MFA method?",
    opts: [
      "SMS codes expire too quickly to use reliably",
      "SIM-swapping attacks can redirect your texts to an attacker's phone number",
      "SMS codes require a data connection to receive",
      "SMS codes are stored in plain text on your device"
    ],
    ans: 1,
    exp: "SIM-swapping involves convincing your mobile carrier to transfer your number to an attacker's SIM, allowing them to receive your SMS verification codes."
  },
  {
    cat: "Passwords & MFA",
    q: "You discover your email address appears in a known data breach. What should you do first?",
    opts: [
      "Delete the compromised email account immediately",
      "Change the password on the breached account and check if you reused that password anywhere else",
      "Wait and monitor to see if anything suspicious happens",
      "Contact the breached company and ask them to remove your data"
    ],
    ans: 1,
    exp: "Changing the compromised password cuts off immediate access. Auditing for reuse across other accounts prevents cascading compromise through credential stuffing."
  },
  {
    cat: "Passwords & MFA",
    q: "A password manager's master password is used to:",
    opts: [
      "Log you into every website automatically without any further input",
      "Decrypt the encrypted local vault where all your other passwords are stored",
      "Send password reset emails when you forget a password",
      "Share your passwords securely with family members"
    ],
    ans: 1,
    exp: "The master password decrypts your vault. It should be a strong passphrase and must never be stored digitally anywhere outside the password manager itself."
  },
  {
    cat: "Passwords & MFA",
    q: "What is 'credential stuffing'?",
    opts: [
      "Brute-forcing a password by trying every possible combination in sequence",
      "Using leaked username and password pairs from one breach to automatically attack logins on other services",
      "Inserting fake credentials into a target database",
      "Creating large numbers of fake accounts to harvest login pages"
    ],
    ans: 1,
    exp: "Credential stuffing exploits password reuse. Attackers buy or download breach databases and automatically test each pair against banking, email, and retail sites."
  },
  {
    cat: "Passwords & MFA",
    q: "A colleague asks for your password so they can finish urgent work while you are on leave. What is the risk?",
    opts: [
      "The password might stop working if shared",
      "Both individuals become accountable for any action taken under that single account, eliminating individual accountability",
      "Passwords expire faster when shared between people",
      "There is no risk if you fully trust the colleague"
    ],
    ans: 1,
    exp: "Shared credentials destroy non-repudiation — the ability to prove who did what. Both parties can be implicated in each other's actions, and the attack surface doubles."
  },
  {
    cat: "Passwords & MFA",
    q: "What is a rainbow table attack?",
    opts: [
      "An attack that tries passwords in a random colour-coded sequence",
      "Using precomputed tables of password hashes to crack hashed passwords quickly without brute-forcing",
      "An attack that targets colourful or visually prominent websites",
      "A social engineering attack that uses a colourful PDF attachment"
    ],
    ans: 1,
    exp: "Rainbow tables contain precomputed hashes. Adding a unique salt to each password before hashing defeats rainbow table attacks by making precomputation impractical."
  },
  {
    cat: "Passwords & MFA",
    q: "Which of the following is the best description of 'passwordless authentication'?",
    opts: [
      "Removing the need to log in altogether",
      "Replacing passwords with stronger factors such as biometrics, magic links, or hardware keys",
      "Storing passwords in a shared team document so nobody needs to remember them",
      "Using the same simple password across all accounts for convenience"
    ],
    ans: 1,
    exp: "Passwordless authentication eliminates the weakest factor by replacing passwords with inherently stronger alternatives like FIDO2 passkeys or biometric verification."
  },
  {
    cat: "Passwords & MFA",
    q: "According to NIST guidelines, which password policy is considered better practice?",
    opts: [
      "Mandatory complexity rules (uppercase, numbers, symbols) with monthly rotation",
      "Long passphrases with no mandatory rotation unless a breach is detected",
      "Passwords of at least six characters changed weekly",
      "Complexity rules without any minimum length requirement"
    ],
    ans: 1,
    exp: "NIST 800-63B recommends avoiding forced rotation and arbitrary complexity rules, which cause predictable password patterns. Length and breach-detection-based resets are preferred."
  },
  {
    cat: "Passwords & MFA",
    q: "What is a 'passkey'?",
    opts: [
      "A master password that unlocks a password manager",
      "A FIDO2-based cryptographic credential stored on your device that replaces passwords entirely",
      "A one-time SMS code used for account recovery",
      "A printed backup code kept in a safe location"
    ],
    ans: 1,
    exp: "Passkeys use public-key cryptography. A private key stays on your device; the service only holds the public key. They are phishing-resistant and require no shared secret."
  },
  {
    cat: "Passwords & MFA",
    q: "Why should you enable MFA on your email account before any other service?",
    opts: [
      "Email accounts receive the most spam",
      "Email is the master recovery key — a compromised email inbox can be used to reset passwords for almost every other account",
      "Email providers have weaker security than social media platforms",
      "Email MFA is the easiest type to set up"
    ],
    ans: 1,
    exp: "Almost every 'Forgot my password' flow sends a reset link to your email. If an attacker controls your inbox, they control access to every linked account."
  },
  {
    cat: "Passwords & MFA",
    q: "What should you do if you receive multiple MFA push requests in quick succession that you did not initiate?",
    opts: [
      "Approve one of them to stop the flood of notifications",
      "Deny all of them, then immediately change your password and report it to your IT or security team",
      "Turn off your phone until the notifications stop",
      "Wait 24 hours and check your account for suspicious activity"
    ],
    ans: 1,
    exp: "Repeated unsolicited MFA pushes is a hallmark of an MFA fatigue attack — the attacker has your password and hopes you approve out of frustration or mistake."
  },

  /* ════════════════════════════════════════
     SAFE BROWSING  (15 questions)
  ════════════════════════════════════════ */

  {
    cat: "Safe Browsing",
    q: "A padlock icon appears in your browser's address bar. What does this confirm?",
    opts: [
      "The website is legitimate and verified as safe to use",
      "The connection between your browser and the site is encrypted, but it does not verify the site's legitimacy",
      "The site has been approved by a government cybersecurity agency",
      "Your personal data cannot be stolen from this site under any circumstances"
    ],
    ans: 1,
    exp: "HTTPS encrypts data in transit. It does not verify who runs the website. Phishing sites routinely use HTTPS and display a padlock to appear trustworthy."
  },
  {
    cat: "Safe Browsing",
    q: "What is a 'drive-by download'?",
    opts: [
      "Malware that installs itself when you visit a compromised or malicious website, requiring no clicks",
      "A legitimate software update that installs automatically in the background",
      "A download that requires no password to access",
      "Malware spread exclusively through USB flash drives"
    ],
    ans: 0,
    exp: "Drive-by downloads exploit browser or plugin vulnerabilities to install malware silently — simply visiting a page is enough. Keeping browsers updated closes these attack vectors."
  },
  {
    cat: "Safe Browsing",
    q: "What is the safest way to visit your bank's website?",
    opts: [
      "Click the link in the most recent email from your bank",
      "Search on Google and click the sponsored top result",
      "Type the address directly into the browser address bar",
      "Follow a link shared in a banking advice forum"
    ],
    ans: 2,
    exp: "Typing the URL directly prevents phishing redirects. Both search results and email links can be manipulated to lead to convincing fake sites."
  },
  {
    cat: "Safe Browsing",
    q: "What is 'typosquatting'?",
    opts: [
      "Typing your password incorrectly multiple times until an account is locked",
      "Registering domain names that are common misspellings of legitimate sites to capture mistyped traffic",
      "Squatting on domains whose registrations have expired in order to resell them",
      "Using browser autocorrect to alter website addresses"
    ],
    ans: 1,
    exp: "Typosquatters register domains like 'gooogle.com' or 'amaz0n.co' to serve phishing pages or malware to users who mistype popular website addresses."
  },
  {
    cat: "Safe Browsing",
    q: "Why should you regularly review and remove browser extensions you no longer use?",
    opts: [
      "Unused extensions slow down page rendering noticeably",
      "Malicious or compromised extensions can steal passwords, capture browsing history, and inject unwanted content",
      "Browser makers require extension audits for warranty compliance",
      "Extensions increase battery drain on laptops"
    ],
    ans: 1,
    exp: "Extensions have broad access to your browser session. Malicious ones can log everything you type, including passwords, banking details, and personal messages."
  },
  {
    cat: "Safe Browsing",
    q: "A pop-up on a video streaming site asks you to install a plugin to watch a film. What should you do?",
    opts: [
      "Install it if the content looks interesting enough to warrant it",
      "Decline and close the tab — modern browsers play video natively and legitimate sites do not require extra plugins",
      "Install it only if the site name appears familiar",
      "Install it on a personal device rather than a work device"
    ],
    ans: 1,
    exp: "Plugin installation prompts on video sites are a classic social engineering technique used to deliver malware. No legitimate streaming site requires you to install a codec or plugin."
  },
  {
    cat: "Safe Browsing",
    q: "You want to make an online purchase using public Wi-Fi in a coffee shop. What is the main risk?",
    opts: [
      "The checkout process will be slower on public networks",
      "An attacker on the same network could intercept unencrypted data or perform a man-in-the-middle attack",
      "The retailer's website will charge a higher price for users on public networks",
      "Your shopping basket may be cleared if the connection drops"
    ],
    ans: 1,
    exp: "On untrusted networks, traffic can be intercepted. For financial transactions, use your mobile data connection or a trusted VPN rather than public Wi-Fi."
  },
  {
    cat: "Safe Browsing",
    q: "Why is downloading cracked or pirated software particularly risky from a security perspective?",
    opts: [
      "Cracked software crashes more often than licensed versions",
      "Pirated downloads are a primary delivery method for ransomware, spyware, and trojans",
      "Software developers can take legal action if you use cracked software",
      "Cracked software disables automatic updates, causing performance issues"
    ],
    ans: 1,
    exp: "Cracked software installers routinely contain hidden malware. The threat actor relies on the victim disabling antivirus to 'get the crack to work', removing the last line of defence."
  },
  {
    cat: "Safe Browsing",
    q: "What does a certificate transparency log help protect against?",
    opts: [
      "Weak Wi-Fi signals in public spaces",
      "Fraudulently issued TLS certificates for domains, making certificate misissuance detectable",
      "Brute-force attacks against encrypted HTTPS connections",
      "Malicious browser extensions that intercept HTTPS traffic"
    ],
    ans: 1,
    exp: "Certificate transparency logs are public records of all issued TLS certificates. They allow site owners and researchers to detect unauthorised certificates issued for their domains."
  },
  {
    cat: "Safe Browsing",
    q: "What is the purpose of a browser's 'private' or 'incognito' mode?",
    opts: [
      "It makes you anonymous to websites and your internet service provider",
      "It prevents the browser from saving your browsing history, cookies, and form data locally on the device",
      "It encrypts all web traffic end-to-end",
      "It blocks all tracking by advertisers and third-party websites"
    ],
    ans: 1,
    exp: "Incognito mode only prevents local storage of history and cookies. Your ISP, employer network, and the websites you visit can still see your traffic."
  },
  {
    cat: "Safe Browsing",
    q: "What is 'clickjacking'?",
    opts: [
      "Hijacking a popular social media account to post malicious links",
      "Tricking a user into clicking a hidden malicious element overlaid on a legitimate visible button",
      "Stealing clicks from advertising networks using automated bots",
      "A technique to hijack browser sessions by stealing cookies"
    ],
    ans: 1,
    exp: "Clickjacking places a transparent malicious element over a legitimate button. The user thinks they are clicking 'Play' on a video but are actually granting permissions or initiating a transaction."
  },
  {
    cat: "Safe Browsing",
    q: "What is a Content Delivery Network (CDN) and why can it be relevant to security?",
    opts: [
      "A CDN is a type of firewall that blocks malicious web requests",
      "A CDN distributes website content globally for performance, but compromised CDN scripts can affect all sites using them — a supply chain risk",
      "A CDN is a tool used exclusively by hackers to host phishing pages anonymously",
      "A CDN is a browser extension that speeds up page loading"
    ],
    ans: 1,
    exp: "CDNs serve shared JavaScript libraries to thousands of sites. If a CDN-hosted script is compromised, every site loading it is affected — a major supply chain attack vector (e.g. Magecart attacks)."
  },
  {
    cat: "Safe Browsing",
    q: "What does 'HTTPS everywhere' mean in the context of secure browsing?",
    opts: [
      "A rule that all websites must pay for HTTPS certificates",
      "A browser policy or extension that forces HTTPS connections wherever available, preventing downgrade to unencrypted HTTP",
      "A government regulation requiring all websites to use encryption",
      "A setting that displays the padlock icon on all sites regardless of encryption status"
    ],
    ans: 1,
    exp: "HTTPS Everywhere (now largely built into modern browsers as HTTPS-first mode) automatically upgrades connections to HTTPS, preventing passive eavesdropping on unencrypted pages."
  },
  {
    cat: "Safe Browsing",
    q: "What is a 'man-in-the-browser' (MitB) attack?",
    opts: [
      "An attacker physically positioned between two users in a shared office",
      "Malware installed in the browser that intercepts and modifies transactions in real time before the user sees them",
      "A technique that breaks HTTPS encryption by positioning a proxy server",
      "A social engineering call conducted during a live video meeting"
    ],
    ans: 1,
    exp: "MitB malware sits inside the browser process, modifying page content and intercepting form submissions. It can change bank transfer recipients after the user enters them, making HTTPS irrelevant."
  },
  {
    cat: "Safe Browsing",
    q: "You search for a well-known software product and the top search result is a sponsored ad. What should you be cautious of?",
    opts: [
      "Nothing — sponsored results are always verified by search engines",
      "Malvertising — attackers pay for ads that mimic legitimate software sites but deliver malware instead",
      "The software being more expensive than from the official site",
      "Slower download speeds compared to the official website"
    ],
    ans: 1,
    exp: "Malvertising through search ads is a growing attack vector. In 2023, attackers used Google Ads to distribute malware disguised as Notepad++, Bitwarden, and other popular tools."
  },

  /* ════════════════════════════════════════
     DEVICE SECURITY  (15 questions)
  ════════════════════════════════════════ */

  {
    cat: "Device Security",
    q: "Your operating system prompts you to install a security update. What is best practice?",
    opts: [
      "Wait until the weekend to avoid disrupting your work",
      "Install it as soon as possible — security updates fix vulnerabilities that attackers actively exploit",
      "Decline if it requires a system restart",
      "Only install major version updates, not minor patches"
    ],
    ans: 1,
    exp: "Security patches fix known vulnerabilities that attackers exploit within hours of discovery. Delaying creates a window of exposure. Enable automatic updates wherever possible."
  },
  {
    cat: "Device Security",
    q: "What does device encryption protect against?",
    opts: [
      "Malware downloading from the internet while browsing",
      "Unauthorised access to stored data if the device is lost, stolen, or physically accessed without credentials",
      "Weak wireless signals reducing connection speed",
      "Remote attackers accessing your online accounts"
    ],
    ans: 1,
    exp: "Full-disk encryption makes stored data unreadable without the correct credentials. A stolen encrypted device that is powered off reveals nothing, even if the drive is removed."
  },
  {
    cat: "Device Security",
    q: "You find a USB drive in the car park at work with a label saying 'Salary Review 2025'. What should you do?",
    opts: [
      "Plug it in to identify the owner and return it",
      "Hand it to your IT or security team without plugging it in anywhere",
      "Plug it into a personal home computer rather than a work device",
      "Put it in lost property and leave it for someone else to deal with"
    ],
    ans: 1,
    exp: "USB baiting is a well-documented social engineering technique. Malicious drives can execute code automatically the moment they are plugged in, without any further user interaction."
  },
  {
    cat: "Device Security",
    q: "What is the 3-2-1 backup rule?",
    opts: [
      "Back up 3 files, on 2 days per week, to 1 location",
      "Maintain 3 copies of data, stored on 2 different media types, with 1 copy held offsite",
      "Minimum 3 GB backup size, taken 2 times daily, retained for 1 month",
      "Back up 3 times per day on 2 drives kept in 1 secure location"
    ],
    ans: 1,
    exp: "The 3-2-1 rule ensures resilience against hardware failure, ransomware, and physical disasters: 3 total copies, 2 different storage media, 1 offsite or offline location."
  },
  {
    cat: "Device Security",
    q: "Why is it potentially dangerous to charge your phone at a public USB charging port in an airport or shopping centre?",
    opts: [
      "Public ports supply inconsistent voltage that can permanently damage batteries",
      "Juice jacking — attackers can embed hardware in public USB ports to install malware or silently extract data while charging",
      "Public charging speeds are intentionally throttled by venue owners",
      "Using a public USB port voids your device warranty"
    ],
    ans: 1,
    exp: "Juice jacking exploits the fact that USB connections carry both power and data. Use a wall adaptor with your own cable, or a USB data blocker ('USB condom') if you must use public ports."
  },
  {
    cat: "Device Security",
    q: "What does 'least privilege' mean in the context of device and account security?",
    opts: [
      "Giving users the lowest possible screen brightness setting to save power",
      "Granting accounts and applications only the permissions they genuinely require, and no more",
      "Installing the minimum number of applications on a device",
      "Purchasing the least expensive device that meets minimum specifications"
    ],
    ans: 1,
    exp: "Least privilege limits blast radius. A compromised account or app with minimal permissions causes far less damage than one with administrator or root-level access."
  },
  {
    cat: "Device Security",
    q: "A laptop is reported stolen. What is the most important immediate action IT should take?",
    opts: [
      "Wait for the owner to report which specific files were stored on it",
      "Remotely wipe the device using mobile device management (MDM) software before the attacker can extract data",
      "Issue the employee a replacement laptop and take no further action",
      "Check whether the laptop had a screen lock enabled before deciding how to respond"
    ],
    ans: 1,
    exp: "Remote wipe via MDM is the critical first response to prevent data extraction. This should happen immediately — once a device is online, the attacker may download data rapidly."
  },
  {
    cat: "Device Security",
    q: "What is a key difference between antivirus software and Endpoint Detection and Response (EDR)?",
    opts: [
      "Antivirus is more expensive and suitable only for large enterprises",
      "Antivirus primarily matches known malware signatures, while EDR monitors behaviour in real time and can detect novel or fileless attacks",
      "EDR only protects servers, while antivirus protects laptops",
      "Antivirus requires an internet connection; EDR works entirely offline"
    ],
    ans: 1,
    exp: "Traditional antivirus relies on signature matching and misses new or obfuscated malware. EDR uses behavioural analysis and telemetry to detect attacks that have no known signature."
  },
  {
    cat: "Device Security",
    q: "What is 'jailbreaking' or 'rooting' a mobile device, and why is it a security risk?",
    opts: [
      "A method of improving battery life by removing manufacturer restrictions on charging speed",
      "Removing manufacturer and operating system restrictions to gain root access, which disables key security controls and allows unvetted apps",
      "A factory reset process used to prepare a device for resale",
      "Installing an official software update from a source other than the manufacturer"
    ],
    ans: 1,
    exp: "Jailbreaking/rooting removes security sandboxing, disables app vetting, bypasses enterprise MDM policies, and often voids warranties and support agreements."
  },
  {
    cat: "Device Security",
    q: "What is a Trusted Platform Module (TPM) chip used for?",
    opts: [
      "Speeding up graphics processing on gaming laptops",
      "Providing hardware-based cryptographic functions, storing encryption keys securely, and enabling features like BitLocker full-disk encryption",
      "Connecting devices to trusted Wi-Fi networks automatically",
      "Running antivirus scans at the hardware level, below the operating system"
    ],
    ans: 1,
    exp: "TPM chips store cryptographic keys in tamper-resistant hardware. BitLocker on Windows requires a TPM to bind disk encryption keys to the specific device, preventing offline attacks."
  },
  {
    cat: "Device Security",
    q: "Your organisation uses Mobile Device Management (MDM). What can MDM do if a device is reported lost or stolen?",
    opts: [
      "Alert the nearest police station automatically",
      "Remotely lock, locate, and wipe the device, and enforce security policies such as encryption and screen locks",
      "Disable the device permanently so the owner must buy a new one",
      "Redirect all calls and messages to a backup device"
    ],
    ans: 1,
    exp: "MDM gives organisations centralised control over enrolled devices — enforcing security policies, distributing apps, and responding to loss or compromise with remote lock or wipe."
  },
  {
    cat: "Device Security",
    q: "What is 'firmware' and why is keeping it updated important?",
    opts: [
      "Firmware is the user interface layer on top of the operating system",
      "Firmware is low-level software embedded in hardware devices; vulnerabilities in it can persist below the OS level and survive factory resets",
      "Firmware is a type of firewall software that protects network adapters",
      "Firmware is a backup copy of the operating system stored on a separate partition"
    ],
    ans: 1,
    exp: "Firmware runs at a lower level than the OS. Attackers who exploit firmware vulnerabilities can establish persistent footholds that survive OS reinstallation and are extremely difficult to detect."
  },
  {
    cat: "Device Security",
    q: "Why should you disable Bluetooth and NFC when not actively using them?",
    opts: [
      "They drain battery even when in standby mode, reducing device lifespan",
      "Active wireless interfaces can be exploited by attackers in physical proximity through attacks like BlueSnarfing or relay attacks",
      "Wi-Fi performance improves when Bluetooth is turned off due to shared radio frequencies",
      "Operating system updates cannot install while Bluetooth is enabled"
    ],
    ans: 1,
    exp: "Attacks like BlueSnarfing can extract data from Bluetooth devices without pairing. NFC relay attacks can clone contactless payment cards. Disabling unused interfaces reduces your attack surface."
  },
  {
    cat: "Device Security",
    q: "A user repeatedly clicks 'Remind me tomorrow' on OS update prompts for six months. What is the key risk?",
    opts: [
      "The operating system will eventually stop working and require a full reinstall",
      "Known vulnerabilities that have been publicly disclosed and actively exploited remain unpatched on that device for six months",
      "The user will miss cosmetic interface changes introduced in the updates",
      "Background processes will use more CPU while updates are pending"
    ],
    ans: 1,
    exp: "Once a patch is released, the underlying vulnerability becomes public knowledge. Attackers race to exploit unpatched systems. Every day without a patch is an opportunity for a known attack."
  },
  {
    cat: "Device Security",
    q: "What is the purpose of a hardware security key (e.g. YubiKey) compared to a software authenticator app?",
    opts: [
      "Hardware keys are cheaper and more widely supported than software authenticators",
      "A hardware key stores credentials in a dedicated tamper-resistant chip and is phishing-resistant, as it verifies the domain before responding",
      "Software authenticators generate codes faster than hardware keys",
      "Hardware keys work without needing to be enrolled on each account individually"
    ],
    ans: 1,
    exp: "Hardware keys use asymmetric cryptography and are bound to the exact domain. A fake login site will fail the domain check and the key will not authenticate, making them impervious to phishing."
  },

  /* ════════════════════════════════════════
     SOCIAL & PRIVACY  (15 questions)
  ════════════════════════════════════════ */

  {
    cat: "Social & Privacy",
    q: "You share a photo on Instagram of your new car with your house number clearly visible. Why could this be a security risk?",
    opts: [
      "Insurance companies could use the photo to increase your premiums",
      "Attackers can combine your home address with other public details to build a profile useful for targeted fraud, physical theft, or impersonation",
      "The photo file size is too large and will reduce your account storage",
      "This is not a security risk — sharing photos of possessions is normal"
    ],
    ans: 1,
    exp: "OSINT (open source intelligence) gathering combines public posts to build detailed profiles. Home addresses, asset values, travel patterns, and relationships all have value to criminals."
  },
  {
    cat: "Social & Privacy",
    q: "A social media quiz asks for your pet's name, mother's maiden name, and your first school. Why should you be cautious?",
    opts: [
      "Social media quizzes are a waste of time that reduce productivity",
      "These are common security question answers that attackers harvest to reset your passwords or impersonate you",
      "Social media companies will resell your quiz answers to advertisers",
      "Quizzes are only a risk if shared publicly; sharing with friends is always safe"
    ],
    ans: 1,
    exp: "Quizzes that ask for pet names, schools, or family details are harvesting standard security question answers. This data is then used for account takeover or personalised phishing."
  },
  {
    cat: "Social & Privacy",
    q: "You post about your holiday while still abroad, sharing your hotel name and daily plans. What is the key risk?",
    opts: [
      "Airlines monitor social media and may cancel your return flight",
      "Your posts signal to anyone who can view them that your home is currently unoccupied",
      "Posting while roaming uses excessive data and will incur high charges",
      "Travel posts reduce your follower count due to irrelevant content"
    ],
    ans: 1,
    exp: "Live holiday posts are a well-known burglary enabler. Criminals search social media for real-time evidence of empty homes. Post holiday photos after returning."
  },
  {
    cat: "Social & Privacy",
    q: "What is OSINT and why is it relevant to personal cyber security?",
    opts: [
      "OSINT is a type of antivirus software designed for small businesses",
      "OSINT stands for Open Source Intelligence — the practice of gathering information from publicly available sources, which attackers use to build profiles and craft targeted attacks",
      "OSINT is a government surveillance programme that monitors social media",
      "OSINT is a browser extension that blocks third-party advertising trackers"
    ],
    ans: 1,
    exp: "Attackers use OSINT to gather names, employers, relationships, routines, and interests from social media, company websites, and public records — building profiles for spear phishing and fraud."
  },
  {
    cat: "Social & Privacy",
    q: "A stranger sends you a friend request on Facebook, claiming to be a mutual acquaintance you met at a conference. What should you do?",
    opts: [
      "Accept — having a mutual connection confirms their identity",
      "Verify the person's identity through another channel before accepting, as profile cloning is a common social engineering technique",
      "Accept if their profile photo looks genuine and their profile has been active for years",
      "Check how many friends they have; more friends means a lower risk"
    ],
    ans: 1,
    exp: "Attackers clone real profiles (copying photos and friend lists) to gain access to your network. Verify through a phone call or message to the alleged mutual contact using a known number."
  },
  {
    cat: "Social & Privacy",
    q: "Why should you review and minimise the number of third-party apps connected to your social media accounts?",
    opts: [
      "Third-party apps slow down your social media feed loading speed",
      "Connected apps may retain broad permissions to your account and personal data long after you stop using them, and a compromised app affects your account security",
      "Social media platforms charge fees for accounts with more than ten connected apps",
      "Third-party apps prevent you from receiving notifications from the main platform"
    ],
    ans: 1,
    exp: "Apps connected to your social media may retain read and write access indefinitely. A breached or malicious app can harvest your data, post on your behalf, or expose your contact list."
  },
  {
    cat: "Social & Privacy",
    q: "What is 'doxing'?",
    opts: [
      "A technique for securely deleting personal files beyond recovery",
      "Publicly publishing private personal information about an individual without consent, typically to harass or harm them",
      "A method of encrypted document sharing between trusted parties",
      "A practice of backing up documents to multiple cloud providers simultaneously"
    ],
    ans: 1,
    exp: "Doxing involves researching and exposing someone's private information — address, phone, employer, family details — publicly online, often to facilitate harassment, threats, or physical harm."
  },
  {
    cat: "Social & Privacy",
    q: "You receive a direct message on Instagram from a celebrity account saying you have won a prize and must provide your bank details to claim it. This is most likely:",
    opts: [
      "A legitimate prize — celebrities regularly run surprise giveaways for random followers",
      "A scam — prize and giveaway fraud using fake celebrity accounts is extremely common on social media",
      "Legitimate if the account has a verified blue tick",
      "Real if you entered a competition recently on any platform"
    ],
    ans: 1,
    exp: "Giveaway scams are rampant on social media. Verified accounts can be hacked, and tick verification has become less reliable. Legitimate prizes never require bank details upfront."
  },
  {
    cat: "Social & Privacy",
    q: "What is the purpose of reviewing your social media profile from a 'stranger's perspective'?",
    opts: [
      "To improve your profile aesthetic for more followers",
      "To identify what personal information is publicly visible to people outside your network, and reduce your OSINT attack surface",
      "To check for duplicate accounts using your name",
      "To assess your social media engagement rate for business purposes"
    ],
    ans: 1,
    exp: "Viewing your own profile as a stranger or non-friend reveals exactly what attackers can see and use to craft targeted phishing, impersonation attempts, or physical security threats."
  },
  {
    cat: "Social & Privacy",
    q: "Why is using 'Sign in with Google' or 'Sign in with Facebook' convenient but potentially risky?",
    opts: [
      "These sign-ins load more slowly than using a dedicated username and password",
      "Compromising your Google or Facebook account gives attackers access to every service you signed into using it, creating a single point of failure",
      "Third-party sign-in features only work on desktop browsers, not mobile devices",
      "Google and Facebook charge websites for providing this sign-in feature, increasing costs"
    ],
    ans: 1,
    exp: "Social login creates a hub-and-spoke dependency. Your Google or Facebook account becomes the master key to dozens of other services. Protect those accounts with the strongest possible security."
  },
  {
    cat: "Social & Privacy",
    q: "What does 'data minimisation' mean in the context of privacy?",
    opts: [
      "Compressing files to reduce the amount of storage space they occupy",
      "Collecting and retaining only the personal data that is strictly necessary for a specific, stated purpose",
      "Deleting old emails and files to free up cloud storage space",
      "Reducing the number of data analytics tools used by an organisation"
    ],
    ans: 1,
    exp: "Data minimisation is a core GDPR principle: collect only what you need, for only as long as you need it. Less data stored means less exposure in a breach."
  },
  {
    cat: "Social & Privacy",
    q: "A recruiter contacts you on LinkedIn and asks for your full date of birth and national insurance number to process a job application. What should you do?",
    opts: [
      "Provide it — recruiters routinely need this information early in the process",
      "Refuse and verify the recruiter's legitimacy through the company's official HR contact before sharing any sensitive personal information",
      "Provide your date of birth but not your national insurance number at this stage",
      "Send the information via LinkedIn's encrypted messaging to keep it safe"
    ],
    ans: 1,
    exp: "Recruitment scams harvest personal data for identity theft. Legitimate employers request sensitive information through official, verified channels at the appropriate stage — not via unsolicited LinkedIn messages."
  },
  {
    cat: "Social & Privacy",
    q: "What is a 'privacy policy' and what should you look for when reading one?",
    opts: [
      "A password policy that dictates how your account password must be structured",
      "A legal document explaining what data a service collects, how it is used, who it is shared with, and how long it is retained",
      "A browser setting that prevents websites from storing any cookies",
      "A government certificate confirming a website meets national privacy standards"
    ],
    ans: 1,
    exp: "Privacy policies are legally binding statements of data practices. Key things to check: what data is collected, whether it is sold to third parties, retention periods, and how to request deletion."
  },
  {
    cat: "Social & Privacy",
    q: "Why should you be cautious about posting photos that show the exterior of your home on social media?",
    opts: [
      "Home photos are low quality compared to professional photography",
      "They can reveal your address, the layout of your property, security features (or lack of them), and confirm when you are and are not at home",
      "Social media platforms automatically tag home photos with GPS data against your wishes",
      "Home interior photos are more engaging and will perform better algorithmically"
    ],
    ans: 1,
    exp: "Exterior home photos combined with geo-tags, holiday posts, and daily routine patterns provide criminals with everything needed to plan a burglary or physical targeted attack."
  },
  {
    cat: "Social & Privacy",
    q: "What is 'shoulder surfing'?",
    opts: [
      "An advanced network attack conducted using a surfboard-shaped antenna",
      "Observing someone's screen, keyboard, or PIN pad in a public place to steal information or credentials",
      "A competitive sport involving balance boards and Wi-Fi network scanning",
      "Stealing a device by reaching over someone's shoulder in a crowded space"
    ],
    ans: 1,
    exp: "Shoulder surfing is a low-tech but effective physical attack. Criminals observe PINs at ATMs, passwords on laptops in coffee shops, or confidential data on train journeys."
  },

  /* ════════════════════════════════════════
     INCIDENT RESPONSE  (10 questions)
  ════════════════════════════════════════ */

  {
    cat: "Incident Response",
    q: "You accidentally click a suspicious link in a work email. What is the single most important first step?",
    opts: [
      "Clear your browser history and cookies immediately",
      "Report it to your IT or security team as soon as possible, even if nothing appears to have happened",
      "Change all your passwords before telling anyone",
      "Wait 48 hours to see if anything suspicious occurs before escalating"
    ],
    ans: 1,
    exp: "Early reporting allows security teams to investigate, contain damage, and prevent lateral spread. Delays dramatically increase the cost and scope of an incident. There is no penalty for reporting a false alarm."
  },
  {
    cat: "Incident Response",
    q: "Your PC starts running very slowly, displays unexpected pop-ups, and the hard drive light is constantly active for no apparent reason. What should you do?",
    opts: [
      "The computer probably needs a hardware upgrade — order more RAM",
      "Disconnect the computer from the network immediately and report it to IT as a potential malware infection",
      "Windows is likely installing updates — wait for it to finish",
      "Run Disk Cleanup to resolve the performance issue"
    ],
    ans: 1,
    exp: "These symptoms are consistent with malware activity. Disconnecting from the network prevents data exfiltration and stops the malware from spreading to other systems or encrypting shared drives."
  },
  {
    cat: "Incident Response",
    q: "After a ransomware attack encrypts your files, the attackers demand a large payment. Should you pay?",
    opts: [
      "Yes — paying is always the fastest way to recover your files",
      "No — payment does not guarantee decryption, funds criminal organisations, and often marks you as a repeat target",
      "Only pay if the ransom is under a set threshold and you have no other options",
      "Pay immediately to prevent the attacker from leaking data"
    ],
    ans: 1,
    exp: "Law enforcement agencies universally advise against paying ransoms. Restore from tested offline backups, report to authorities, and engage specialist incident response support."
  },
  {
    cat: "Incident Response",
    q: "You receive several 'forgot password' reset emails for your primary email account that you did not request. What should you do?",
    opts: [
      "Delete the emails and ignore them — they are probably spam",
      "Immediately log into your account through the official website, enable MFA, review active sessions, and check recovery contact details",
      "Wait 24 hours to see if you receive any more before acting",
      "Forward the emails to your email provider's abuse address and take no further action"
    ],
    ans: 1,
    exp: "Unsolicited password reset emails indicate an active account takeover attempt. Act immediately to secure your account before the attacker uses social engineering to bypass recovery options."
  },
  {
    cat: "Incident Response",
    q: "What information should you include when reporting a security incident to your IT team?",
    opts: [
      "Only the name of the system or device that appears to be affected",
      "What happened, when it happened, which systems or data were involved, and any supporting evidence such as screenshots, email headers, or message logs",
      "Your password, so IT can investigate the account directly",
      "Nothing specific — only report if you are entirely certain it is a real incident"
    ],
    ans: 1,
    exp: "Detailed, accurate incident reports enable faster triage, containment, and forensic investigation. Never hesitate to report if unsure — security teams expect and welcome uncertain reports."
  },
  {
    cat: "Incident Response",
    q: "What is the purpose of an incident response plan?",
    opts: [
      "To prevent all cyber incidents from occurring by defining preventive controls",
      "To provide a pre-agreed, practised set of steps for detecting, containing, eradicating, and recovering from security incidents efficiently",
      "To assign blame and determine disciplinary action after a security breach",
      "To document every piece of software installed on organisational systems"
    ],
    ans: 1,
    exp: "An incident response plan defines roles, communication chains, and procedures before an incident occurs. Organisations with tested IR plans recover faster and suffer significantly lower breach costs."
  },
  {
    cat: "Incident Response",
    q: "During a ransomware incident, a colleague suggests disconnecting from the internet but leaving the internal network connection active. Is this the right approach?",
    opts: [
      "Yes — ransomware only spreads via the internet, so cutting external access is sufficient",
      "No — ransomware spreads laterally across internal networks. The infected device should be isolated from all networks immediately",
      "Yes — the internal network is encrypted and therefore safe from ransomware spread",
      "No — the device should be left connected to enable remote forensic investigation"
    ],
    ans: 1,
    exp: "Modern ransomware actively scans and moves laterally across internal networks, encrypting shared drives and other devices. Total network isolation of compromised devices is essential."
  },
  {
    cat: "Incident Response",
    q: "What is 'digital forensics' in the context of incident response?",
    opts: [
      "Designing digital marketing campaigns to rebuild brand reputation after a breach",
      "The disciplined process of collecting, preserving, and analysing electronic evidence to understand what happened, how, and what data was affected",
      "Installing forensic antivirus tools on all devices after a breach as a preventive measure",
      "Converting physical paper evidence into digital format for storage"
    ],
    ans: 1,
    exp: "Digital forensics preserves the chain of evidence needed for legal proceedings, regulatory reporting, and understanding attacker behaviour to prevent recurrence. Evidence must be handled carefully to remain admissible."
  },
  {
    cat: "Incident Response",
    q: "A user admits they have been sharing their password with a colleague for months. An incident has just occurred on their shared account. What must happen?",
    opts: [
      "Change the password and continue using the shared account as normal",
      "Immediately revoke the shared credentials, investigate all activity on the account, assign individual accounts to each person, and address the policy violation",
      "Interview both users but take no technical action until the investigation concludes",
      "Disable the account permanently and open a disciplinary process against both users"
    ],
    ans: 1,
    exp: "Shared credentials destroy accountability and must be remediated immediately. All activity on the account during the sharing period becomes forensically ambiguous, complicating the investigation."
  },
  {
    cat: "Incident Response",
    q: "What is a 'tabletop exercise' in cyber security?",
    opts: [
      "A physical security assessment of server room access controls",
      "A discussion-based simulation where teams walk through a hypothetical incident scenario to test and improve their response plans without triggering real systems",
      "A penetration test conducted on a dedicated test network isolated from production systems",
      "A workshop for installing security software on new employee laptops"
    ],
    ans: 1,
    exp: "Tabletop exercises identify gaps in plans, test decision-making, clarify roles, and build muscle memory — all without the risk and cost of a live drill. They are a critical component of incident preparedness."
  },

  /* ════════════════════════════════════════
     THREATS & CONCEPTS  (10 questions)
  ════════════════════════════════════════ */

  {
    cat: "Threats & Concepts",
    q: "What is a 'zero-day vulnerability'?",
    opts: [
      "A vulnerability that was discovered and patched on the same day it was reported",
      "A previously unknown vulnerability with no available patch, meaning vendors have had zero days to fix it",
      "A flaw in software that has existed for zero months before being exploited",
      "A vulnerability specifically affecting systems that have been online for less than one day"
    ],
    ans: 1,
    exp: "Zero-days are particularly dangerous because no patch exists at the time of exploitation. Attackers, especially nation-state actors, pay enormous sums for reliable zero-day exploits."
  },
  {
    cat: "Threats & Concepts",
    q: "What is a DDoS (Distributed Denial of Service) attack?",
    opts: [
      "An attack that steals data from a database using malicious SQL code",
      "Flooding a target server or network with traffic from many sources simultaneously to make it unavailable to legitimate users",
      "Installing malware on distributed endpoints across a corporate network",
      "Sending denial emails to users to prevent them accessing their email accounts"
    ],
    ans: 1,
    exp: "DDoS attacks overwhelm infrastructure capacity using coordinated traffic from thousands or millions of compromised devices (a botnet). Motivations range from extortion to hacktivism to competitive sabotage."
  },
  {
    cat: "Threats & Concepts",
    q: "What is a botnet?",
    opts: [
      "A network of AI-powered customer service chatbots used by e-commerce companies",
      "A network of internet-connected devices infected with malware and remotely controlled by an attacker to carry out coordinated attacks",
      "A legitimate distributed computing network used for scientific research",
      "A corporate network segment that is only accessible to automated build and test systems"
    ],
    ans: 1,
    exp: "Botnets are used to send spam, conduct DDoS attacks, distribute malware, and mine cryptocurrency — all using the processing power and internet connections of unknowing victims."
  },
  {
    cat: "Threats & Concepts",
    q: "What is a 'supply chain attack' in the context of cyber security?",
    opts: [
      "An attack on logistics companies managing physical supply chains for manufactured goods",
      "Compromising a trusted software vendor, update mechanism, or third-party dependency to distribute malware to all of that vendor's customers",
      "Intercepting physical hardware shipments to install malicious components",
      "An attack that targets procurement staff via phishing to access purchase order systems"
    ],
    ans: 1,
    exp: "The SolarWinds attack (2020) is the defining supply chain attack: attackers inserted malware into a legitimate software update, which was then installed by 18,000 organisations including US government agencies."
  },
  {
    cat: "Threats & Concepts",
    q: "What is the CIA triad in information security?",
    opts: [
      "Confidentiality, Identity, and Availability — the three pillars of identity management",
      "Confidentiality, Integrity, and Availability — the three fundamental properties that secure information systems must protect",
      "Cyber Intelligence Analysis — a US government framework for threat attribution",
      "Compliance, Investigation, and Audit — the three stages of a security assessment"
    ],
    ans: 1,
    exp: "The CIA triad underpins all of information security: Confidentiality (data seen only by authorised parties), Integrity (data not altered without authorisation), Availability (systems accessible when needed)."
  },
  {
    cat: "Threats & Concepts",
    q: "What is a penetration test?",
    opts: [
      "Automated antivirus scanning of all endpoint devices on a network",
      "An authorised simulated attack conducted by security professionals to identify and exploit vulnerabilities before real attackers can",
      "A government audit process assessing compliance with national cybersecurity standards",
      "A test that measures how quickly employees complete mandatory security awareness training"
    ],
    ans: 1,
    exp: "Penetration testing ('pen testing') involves ethical hackers attempting to breach systems with permission. It reveals real-world attack paths and validates whether security controls actually work."
  },
  {
    cat: "Threats & Concepts",
    q: "What does 'defence in depth' mean?",
    opts: [
      "Building the deepest possible firewall rules to block all inbound traffic",
      "Implementing multiple overlapping security controls so that if one layer fails, others continue to provide protection",
      "Focusing all security investment on the most critical systems and ignoring lower-value assets",
      "Deeply burying physical server hardware underground to protect against physical theft"
    ],
    ans: 1,
    exp: "Defence in depth recognises that no single control is perfect. Layering perimeter, network, endpoint, identity, and data controls ensures attackers must defeat multiple independent barriers."
  },
  {
    cat: "Threats & Concepts",
    q: "What is 'threat intelligence'?",
    opts: [
      "Software that automatically blocks all incoming cyber threats in real time",
      "Gathered, analysed information about existing and emerging threats, threat actors, their tactics, techniques, and procedures, used to inform defensive decisions",
      "A legal intelligence briefing provided to organisations following a data breach notification",
      "AI software that predicts which employees are most likely to become insider threats"
    ],
    ans: 1,
    exp: "Threat intelligence turns raw data about attacks into actionable knowledge. Organisations use it to prioritise patching, configure detection rules, and understand the specific threats relevant to their sector."
  },
  {
    cat: "Threats & Concepts",
    q: "What is an 'Advanced Persistent Threat' (APT)?",
    opts: [
      "A particularly sophisticated strain of ransomware that cannot be decrypted",
      "A prolonged, stealthy cyber attack campaign typically conducted by well-resourced nation-state or criminal groups, aiming to maintain persistent access and achieve strategic objectives",
      "An automated scanning tool used by penetration testers to find network vulnerabilities quickly",
      "A type of DDoS attack that lasts for an extended period of weeks or months"
    ],
    ans: 1,
    exp: "APT groups (like APT28, Lazarus Group) are sophisticated, well-funded actors who infiltrate networks and remain undetected for months or years, conducting espionage, sabotage, or financial theft."
  },
  {
    cat: "Threats & Concepts",
    q: "What is 'security through obscurity' and why is it considered weak?",
    opts: [
      "Encrypting security policy documents so they are only accessible to senior staff",
      "Relying on keeping the design or implementation of a system secret as its primary security mechanism, rather than building inherent cryptographic or access control strength",
      "Installing security cameras in hidden locations that attackers cannot detect",
      "A proven security methodology endorsed by NIST for protecting critical infrastructure"
    ],
    ans: 1,
    exp: "Security through obscurity assumes attackers will not discover how a system works. Once the secret is revealed — through reverse engineering, leaks, or insider knowledge — all protection vanishes. Robust security must withstand scrutiny even when fully known."
  }

]; // END ALL_QUESTIONS

/* ═══════════════════════════════════════════════════════
   HOW TO USE
   ═══════════════════════════════════════════════════════

   OPTION A — Drop into existing quiz.js
   ──────────────────────────────────────
   Replace the existing ALL_QUESTIONS array in your
   quiz.js file with this one. The quiz engine will
   automatically pick up all 100 questions and the
   new category filter tabs.

   OPTION B — Standalone HTML page (no WordPress)
   ───────────────────────────────────────────────
   1. Create a new HTML file
   2. Add a <div id="quiz-app"></div>
   3. Include this file as a <script> tag
   4. Include quiz.js after it
   The quiz engine will initialise automatically.

   OPTION C — JSON export
   ───────────────────────
   Remove the `const ALL_QUESTIONS =` prefix and the trailing
   semicolon, pass the remaining array literal through
   JSON.stringify, and import the resulting JSON wherever needed.

   CATEGORIES SUMMARY
   ──────────────────
   Phishing           20 questions
   Passwords & MFA    15 questions
   Safe Browsing      15 questions
   Device Security    15 questions
   Social & Privacy   15 questions
   Incident Response  10 questions
   Threats & Concepts 10 questions
   ──────────────────────────────
   TOTAL              100 questions
═══════════════════════════════════════════════════════ */
