An employee's password appears in a public data breach dump. What does your organisation do first?

Breached credentials are sold and reused within hours. Speed of response directly limits damage.

• A Nothing — we wouldn't know about it.
• B Automated alert triggers an immediate reset, session revocation, and incident review.
• C Force a password reset for that user and check for suspicious logins.
• D Wait for IT to notice and reset the password manually.

A new hire starts on Monday. How does your team set up their system access?

Onboarding is where least-privilege either starts strong or fails from day one.

• A Their manager shares login details or forwards their own credentials.
• B A role-based template gives access to only what the job requires.
• C Automated provisioning assigns role-based access with MFA enforced from day one.
• D IT creates an account with broad access — they'll trim it later.

Your monitoring tool flags unusual outbound traffic from an internal server at 2 AM. What happens next?

Unexpected outbound traffic can indicate data exfiltration or a compromised system calling home.

• A An on-call engineer investigates and can isolate the server if needed.
• B We don't have monitoring — we'd never see it.
• C The alert sits in a dashboard until someone checks it in the morning.
• D Automated containment isolates the server while the SOC investigates in real time.

A customer emails asking for a copy of all personal data you hold on them. How does your team respond?

Data subject access requests are a legal right under GDPR and similar regulations. A clear process avoids fines.

• A We're not sure where their data is or who should handle this.
• B Someone in the team manually searches a few systems and sends what they find.
• C A documented process guides the team through data retrieval and redaction.
• D An automated workflow gathers data across all systems, logs the request, and responds within the legal deadline.

It's 3 AM and your security tool sends a critical alert: possible ransomware activity detected. What happens?

The first 60 minutes of a ransomware incident determine whether you lose a server or the entire network.

• A An on-call responder is paged and follows a documented playbook.
• B 24/7 SOC triggers automated isolation, pages the IR team, and begins forensics.
• C An email is sent to the IT mailbox — someone might check it.
• D Nobody sees it until staff arrive in the morning.

An employee forwards a suspicious email to IT saying "I almost clicked this — it looked real." What happens next?

How you respond to good reporting behaviour determines whether employees keep reporting or stay silent.

• A IT analyses the email, blocks the sender, and thanks the reporter.
• B The phish is analysed, IOCs are blocked org-wide, and the reporter is recognised publicly as a security champion.
• C IT deletes it without feedback — the employee never hears back.
• D IT thanks them informally but takes no further action.

A new SaaS vendor needs direct access to your customer database to deliver their service. How do you proceed?

Third-party access to sensitive data is one of the fastest-growing attack surfaces.

• A Give them the credentials — we need the tool working ASAP.
• B Run a security questionnaire, scope access to only what's needed, and sign a DPA.
• C Full vendor risk assessment, least-privilege API access, contractual security obligations, and continuous monitoring.
• D Share read-only access and hope for the best.

A developer accidentally deploys a storage bucket with public read access containing internal documents. How is this caught?

Cloud misconfigurations are the leading cause of data breaches. Detection speed is everything.

• A A cloud security posture tool alerts the team within hours.
• B It isn't — we find out when someone external reports it (or worse).
• C A colleague spots it during a manual review weeks later.
• D Policy-as-code prevents public buckets at deploy time; any override triggers an instant alert and auto-remediation.

A visitor is found wandering unescorted near the server room. How does your team handle it?

Physical access bypasses most digital controls. Visitor management is a critical security layer.

• A Nobody would notice — visitors move freely once past reception.
• B Staff challenge unescorted visitors and guide them back to reception.
• C Badge-only zones prevent access; security is alerted automatically and visitors are always escorted.
• D Someone might ask if they need help, but there's no formal process.