Welcome to today’s CompTIA Security+ practice test!
Today’s practice test is based on subdomain 5.6 (Given a scenario, implement security awareness practices) from the CompTIA Security+ SY0-701 objectives.
This beginner-level practice test is inspired by the CompTIA Security+ (SY0-701) exam and is designed to help you reinforce key cybersecurity concepts on a daily basis.
These questions are not official exam questions, nor are they brain dumps, but they reflect topics and scenarios relevant to the Security+ certification. Use them to test your knowledge, identify areas for improvement, and build daily cybersecurity habits.
#1. Your organization is launching its first phishing simulation. Leadership wants to avoid alienating staff but still gather meaningful behavioral data to guide training priorities. Which approach best aligns with effective awareness practices?
#2. A security analyst receives a help-desk ticket with a photo of a printed “benefits update” flyer posted in the break room. The flyer includes a QR code linking to a shortened URL and promises a gift card to the first 100 employees who “re-enroll today.” What should the analyst instruct employees to do?
#3. Your company enables an email “Report Phish” button. You discover an employee using it on an invoice email and report the incident to your security team. What should be your next step?
#4. Your company recently adopted a hybrid work model. During a security awareness briefing, employees are reminded not to leave laptops unattended in coffee shops and to use privacy screens in public areas. Which awareness category does this guidance fall under?
#5. A user plugs a personal USB drive into a corporate workstation to transfer files. Security awareness training had previously warned against this behavior due to malware risks. What type of awareness issue does this represent?
#6. An organization wants to reinforce phishing awareness training. Employees are sent quarterly reminders with tips for identifying phishing attempts. Which type of awareness reinforcement is this?
#7. An analyst notices an employee repeatedly downloading large amounts of data at unusual times. This activity deviates from the employee’s normal work behavior. Which security awareness concept best applies here?
#8. A manager insists on sharing their login credentials with an assistant for convenience. Security awareness training requires employees to never share passwords. Which principle is being violated?
#9. During awareness training, users are told to watch for suspicious individuals following them through secure doors without swiping a badge. This type of training is meant to reduce what threat?
#10. An employee reports that they received a phone call from someone claiming to be IT support, asking for their VPN credentials. Security awareness training had previously covered how to respond to such attempts. Which best describes this training topic?
Note: CompTIA and Security+ are registered trademarks of CompTIA. This content is not affiliated with or endorsed by CompTIA.
Answers
| Number | Answer | Explanation |
|---|---|---|
| 1 | A | Your organization is launching its first phishing simulation. Leadership wants to avoid alienating staff but still gather meaningful behavioral data to guide training priorities. Which approach best aligns with effective awareness practices? A. Start with a low-to-moderate difficulty template, track click and report rates, and follow with just-in-time training for those who interacted (Correct): This approach is effective because it balances the need for data with the need to avoid alienating staff. The use of a low-difficulty template is non-confrontational, and the just-in-time training provides a direct, educational benefit without public shaming. This approach gathers valuable data to guide future training and fosters a positive security culture. B. Use an extremely convincing spear-phish that mimics a real executive and publicly list employees who click (Incorrect): This approach is highly adversarial and is guaranteed to alienate staff and damage trust. Publicly shaming employees for clicking on a well-crafted phish is counterproductive and undermines the goal of building a positive security culture. C. Send a simulation to only the IT department, since they are most likely to be targeted (Incorrect): This approach fails to gather meaningful data from the entire organization and incorrectly assumes that other departments are not at risk. Effective security awareness should be a company-wide effort. D. Send a simulation that includes malicious attachments to test EDR as well as users (Incorrect): This approach is too risky, especially for a first simulation. It combines an awareness test with a technical EDR test, increasing the potential for an unintended negative impact on production systems. |
| 2 | C | A security analyst receives a help-desk ticket with a photo of a printed “benefits update” flyer posted in the break room. The flyer includes a QR code linking to a shortened URL and promises a gift card to the first 100 employees who “re-enroll today.” What should the analyst instruct employees to do? A. Scan the QR code using a personal phone to avoid corporate risk (Incorrect): This is poor advice. Scanning a malicious QR code can infect a personal device with malware or lead to credential theft, putting the user at personal risk. Additionally, if a personal device is used for work, it could still pose a risk to the corporate network. B. Type the shortened URL into a browser manually to verify it (Incorrect): A shortened URL hides the final destination. Manually typing it into a browser will still lead the user to a potentially malicious site without any prior warning or way to inspect the link. C. Report the flyer as suspicious and avoid scanning; verify enrollment updates through official HR channels (Correct): This is the best course of action. The flyer uses classic social engineering tactics (urgency, reward, and a shortened URL that conceals the true destination). The proper security response is to report the suspicious item to the security team and avoid interacting with it (e.g., scanning the QR code). All official communications, especially those related to benefits, should be verified through known, official company channels. D. Ignore the flyer; physical postings are not phishing (Incorrect): This is a false and dangerous assumption. Phishing is a social engineering attack that can be carried out through any medium, including physical flyers, mail, or text messages. |
| 3 | C | Your company enables an email “Report Phish” button. You discover an employee using it on an invoice email and report the incident to your security team. What should be your next step? A. Forward the email to coworkers asking if it’s legitimate (Incorrect): This is a dangerous action that can inadvertently spread a malicious email to others in the organization, increasing the risk of a successful attack. B. Delete the message to clear the inbox (Incorrect): Deleting the message might remove critical forensic data and make it difficult for the security team to perform a proper analysis of the threat. The email should be left as is until instructed otherwise. C. Do not interact further with the email; wait for the security team’s determination and follow their instructions (Correct): The most appropriate immediate guidance is to stop all interaction with the potential threat. The user has already taken the correct first step by reporting it. The security team now has the necessary information to investigate, and the user’s role is to avoid clicking any links, opening any attachments, or replying to the sender to prevent further risk. D. Reply to the sender requesting verification (Incorrect): Replying to a phishing email confirms to the attacker that the user’s email address is active and that they are a potential victim, which can lead to more targeted attacks in the future. |
| 4 | B | Your company recently adopted a hybrid work model. During a security awareness briefing, employees are reminded not to leave laptops unattended in coffee shops and to use privacy screens in public areas. Which awareness category does this guidance fall under? A. Insider threat prevention (Incorrect): Insider threat prevention focuses on mitigating risks from malicious or negligent actors within an organization. The guidance is about threats from external parties in a public setting. B. Situational awareness (Correct): Situational awareness is the ability to recognize and understand a threat in your physical environment and take appropriate action. The guidance to protect laptops in public spaces and use privacy screens is a direct application of situational awareness, as it requires an employee to be mindful of their surroundings and the risks of theft or shoulder surfing. C. Password management (Incorrect): Password management is a technical control related to the creation and storage of passwords. While a privacy screen helps protect a password, the core guidance is about the physical protection of the device and data. D. Social engineering (Incorrect): Social engineering is a psychological manipulation tactic used to trick people into giving up information. The guidance is about protecting against physical threats like theft and direct observation. |
| 5 | C | A user plugs a personal USB drive into a corporate workstation to transfer files. Security awareness training had previously warned against this behavior due to malware risks. What type of awareness issue does this represent? A. Insider threat (Incorrect): An insider threat is typically a malicious act performed by an authorized person to compromise an organization. In this scenario, the user’s action appears to be a mistake or an act of negligence rather than an intentional malicious act. B. Social engineering (Incorrect): Social engineering is a psychological manipulation tactic used to trick a user into performing an action. The user in this scenario is acting on their own volition and convenience, not because they were manipulated by an attacker. C. Removable media misuse (Correct): The user’s action directly involves the improper use of removable media (a personal USB drive) against a known security policy. This is a classic example of removable media misuse, which is a common security awareness training topic due to the risks of malware, data exfiltration, or data spillage. D. Password policy violation (Incorrect): A password policy violation involves the improper handling of passwords, such as writing them down or sharing them. The user’s action has nothing to do with passwords. |
| 6 | D | An organization wants to reinforce phishing awareness training. Employees are sent quarterly reminders with tips for identifying phishing attempts. Which type of awareness reinforcement is this? A. Initial training (Incorrect): Initial training is the first time an employee is exposed to a topic, typically during onboarding. The scenario describes a follow-up activity. B. Anomalous behavior monitoring (Incorrect): This is a technical security control used to detect unusual user activity. It is not a method for reinforcing security awareness training for employees. C. Incident response (Incorrect): Incident response is the process of handling a security event after it has occurred. The reminders are a proactive measure, not a reactive one. D. Ongoing/recurring training (Correct): This is a form of ongoing/recurring training. The key to effective security awareness is to reinforce initial training over time, and sending quarterly reminders with tips is a common method for keeping employees’ knowledge fresh and relevant. |
| 7 | B | An analyst notices an employee repeatedly downloading large amounts of data at unusual times. This activity deviates from the employee’s normal work behavior. Which security awareness concept best applies here? A. Phishing recognition (Incorrect): Phishing recognition is the ability to identify fraudulent emails or messages designed to trick users into revealing information or downloading malware. The scenario described is not a phishing attack. B. Anomalous behavior recognition (Correct): The analyst is identifying activity that is outside of the employee’s normal pattern of behavior (anomalous behavior). This security awareness concept focuses on training employees and security personnel to spot unusual events that may indicate a security threat, such as an account compromise or insider threat, even if the activity itself isn’t explicitly malicious. C. Password hygiene (Incorrect): Password hygiene refers to best practices for creating and managing secure passwords. The activity described is related to data access, not password management. D. Policy review (Incorrect): A policy review is the process of periodically reviewing and updating an organization’s security policies. It is not an activity performed by an analyst to detect a threat. |
| 8 | C | A manager insists on sharing their login credentials with an assistant for convenience. Security awareness training requires employees to never share passwords. Which principle is being violated? A. Insider threat (Incorrect): While the manager’s action could enable an insider threat, the violation itself is a policy violation related to proper password handling, not a malicious act by a user. B. Operational security (Incorrect): Operational security (OPSEC) is about protecting sensitive information related to an organization’s operations. While sharing credentials is a poor OPSEC practice, there is a more specific principle being violated. C. Password management (Correct): The manager’s action is a direct violation of the password management principle, which dictates best practices for creating, storing, and handling credentials. A core tenet is that passwords should never be shared, as this compromises the security of the account and undermines accountability. D. Situational awareness (Incorrect): Situational awareness is being aware of one’s physical or digital environment to spot threats. The manager’s action is a deliberate policy violation, not a failure to recognize a threat. |
| 9 | C | During awareness training, users are told to watch for suspicious individuals following them through secure doors without swiping a badge. This type of training is meant to reduce what threat? A. Insider misuse (Incorrect): Insider misuse refers to a threat from an individual who already has authorized access to a system or location. Tailgating involves an external, unauthorized individual. B. Credential theft (Incorrect): Credential theft is the theft of digital login information (usernames, passwords, etc.). The scenario describes a physical security threat, not a digital one. C. Tailgating (Correct): The training described is designed to prevent tailgating, a form of social engineering. It is a physical attack where an unauthorized person gains access to a secure area by following an authorized person without using a badge. The attacker relies on the target’s politeness or distraction to gain entry. D. Password reuse (Incorrect): Password reuse is the practice of using the same password for multiple accounts. This is a digital security issue unrelated to physical access control. |
| 10 | C | An employee reports that they received a phone call from someone claiming to be IT support, asking for their VPN credentials. Security awareness training had previously covered how to respond to such attempts. Which best describes this training topic? A. Operational security (Incorrect): Operational security (OPSEC) is about protecting sensitive information related to an organization’s operations from being unintentionally disclosed. While the attack is an OPSEC failure, the training topic is more broadly described as social engineering. B. Phishing recognition (Incorrect): Phishing specifically refers to social engineering attacks carried out through email. The attack in the scenario uses the phone. C. Social engineering awareness (Correct): The scenario is a classic example of social engineering, where an attacker uses psychological manipulation to trick a person into giving up information or access. This specific type of attack, conducted over the phone, is also known as “vishing” (voice phishing). D. Password complexity (Incorrect): Password complexity refers to the rules for creating and managing strong passwords. The training topic is about the attack vector used to steal credentials, not the complexity of the passwords themselves. |