1. A company's IT security policy requires that all new employees and contractors complete a security training module before their network credentials are activated and before they can access any organizational systems. What principle does this requirement implement?
2. An employee returns from lunch to find an official-looking envelope on their desk labeled "From IT Security Department — Confidential: Your Q3 Performance Review." Inside the envelope is a USB drive with a label reading "Q3 Salary Data — Do Not Share." The employee has no prior knowledge of this. What is the security-correct response?
3. A financial institution is concerned about insider threats after an employee transferred confidential customer account data to a personal USB drive. Management asks the security team what controls should be in place to mitigate insider threats. Which combination of controls best addresses insider threat risk?
4. A Windows administrator is tasked with enforcing a minimum 12-character password length and requiring at least one uppercase letter, one lowercase letter, one number, and one special character for all domain user accounts. Which technology allows the administrator to enforce these requirements automatically across all users without relying on user compliance?
5. A security awareness trainer explains to a group of new employees: "Attackers do not need technical skills to compromise our systems. They can often get what they need by calling our help desk, pretending to be an executive, and claiming to have forgotten their password. They create urgency: 'I need access immediately for an emergency board meeting.' Our help desk then bypasses our verification process to be helpful." What attack type is being described, and what is the training goal?
6. An employee who works from home is trained on security policies for remote work. The policy includes: corporate laptops may not be used by family members, all corporate resources must be accessed through the approved VPN, and the corporate device must not be connected to the home printer without IT approval. Which security principle governs these remote work restrictions?
Matching: User Training Concepts
Match each concept (1–4) to its correct description (A–D).
1Insider Threat
2OPSEC
3Situational Awareness
4Pre-Access Training
ASecurity risk posed by individuals with legitimate system access who act maliciously or carelessly; difficult to detect because their access is already authorized
BSecurity education required before users are granted any network or system access; ensures everyone who connects already understands their security responsibilities
CPractice of viewing information and behavior from an attacker's perspective to identify what is valuable and minimize unnecessary exposure of sensitive data
DContinuous alertness to potential threats in the environment, covering both digital threats (phishing, suspicious URLs) and physical threats (unknown USB devices, unlocked doors)