1. Which of the following best describes human risk in the context of cybersecurity?
A. The risk of hardware failure due to human error
B. The risk posed by human actions that can lead to cybersecurity incidents
C. The risk of physical injury to employees in a cyber attack
D. The risk of losing data due to natural disasters
Answer: B. The risk posed by human actions that can lead to cybersecurity incidents
Explanation: Human risk in cybersecurity refers to the vulnerabilities and threats introduced by human behavior that can lead to security breaches or incidents.

2. What is the primary goal of a Security Awareness Program?
A. To ensure compliance with regulations
B. To train employees on basic computer skills
C. To change workforce behavior to manage human risks
D. To monitor employee activities
Answer: C. To change workforce behavior to manage human risks
Explanation: The main objective of a Security Awareness Program is to educate employees and change their behavior so that the human risks associated with cybersecurity are reduced.

3. The Security Awareness Maturity Model consists of how many stages?
A. Three
B. Four
C. Five
D. Six
Answer: C. Five
Explanation: The Security Awareness Maturity Model has five stages that organizations can use to benchmark the maturity of their security awareness programs.

4. Which of the following is NOT a stage in the Security Awareness Maturity Model?
A. Compliance-focused
B. Promoting Awareness and Behavior Change
C. Metrics Framework
D. Continuous Improvement
SANS Security Awareness Professional (SSAP)
Answer: D. Continuous Improvement
Explanation: The five stages of the Security Awareness Maturity Model are: No Program, Compliance-focused, Promoting Awareness and Behavior Change, Long-term Sustainment and Culture Change, and Metrics Framework.

5. In the context of risk management, which three variables define human risk?
A. Threats, vulnerabilities, and consequences
B. Likelihood, impact, and asset value
C. Motivation, ability, and opportunity
D. Behavior, environment, and technology
Answer: A. Threats, vulnerabilities, and consequences
Explanation: Human risk is defined by the variables of threats, vulnerabilities, and consequences, which together determine the potential risk posed by human actions.

6. Why are humans considered a vulnerable element in cybersecurity?
A. They are inherently untrustworthy
B. They can be easily manipulated by cyber attackers
C. They lack technical skills
D. They are always careless
Answer: B. They can be easily manipulated by cyber attackers
Explanation: Humans are considered vulnerable because they can be tricked or manipulated through various social engineering techniques used by cyber attackers.

7. Which model is used to understand and influence human behavior change in cybersecurity?
A. Maslow's Hierarchy of Needs
B. B.J. Fogg Behavior Model
C. SWOT Analysis
D. Kotter's Change Model
Answer: B. B.J. Fogg Behavior Model
Explanation: The B.J. Fogg Behavior Model is used to understand and influence human behavior change by focusing on motivation, ability, and triggers.

8. What is the first step in gaining leadership support for a Security Awareness Program?
A. Conducting a security audit
B. Developing a detailed budget
C. Communicating the value and benefits of the program
D. Hiring a security consultant
Answer: C. Communicating the value and benefits of the program
Explanation: The initial step in gaining leadership support is to effectively communicate the value and benefits of the Security Awareness Program to leadership.

9. An effective Advisory Board in a Security Awareness Program should include representatives from which groups?
A. Only the IT department
B. Various departments across the organization
C. External cybersecurity consultants only
D. The finance department
Answer: B. Various departments across the organization
Explanation: An effective Advisory Board should include representatives from different departments to ensure a comprehensive and inclusive approach to security awareness.

10. What is a key component of developing a strategic plan for managing human risk?
A. Implementing the latest technology
B. Prioritizing behaviors that mitigate top human risks
C. Conducting annual security audits
D. Reducing the IT budget
Answer: B. Prioritizing behaviors that mitigate top human risks
Explanation: Developing a strategic plan involves prioritizing the behaviors that are crucial for managing and mitigating the identified top human risks.

11. What is the purpose of conducting a human risk assessment in cybersecurity?
A. To identify the strengths and weaknesses of employees
B. To identify and prioritize top human risks within the organization
C. To evaluate the effectiveness of current security tools
D. To determine employee satisfaction with security policies
Answer: B. To identify and prioritize top human risks within the organization
Explanation: The purpose of a human risk assessment is to identify and prioritize the top human risks that could potentially impact the organization's cybersecurity.

12. Which term describes the process of making informed decisions to allocate resources to mitigate risk?
A. Risk assessment
B. Risk acceptance
C. Risk management
D. Risk transfer
Answer: C. Risk management
Explanation: Risk management involves making informed decisions to allocate resources effectively to mitigate identified risks.

13. What are the critical foundations for a successful security awareness program?
A. Technical controls, physical security, and incident response
B. Leadership support, program charter, and advisory board
C. Employee training, regular audits, and compliance monitoring
D. Budget allocation, hiring security staff, and purchasing software
Answer: B. Leadership support, program charter, and advisory board
Explanation: The critical foundations for a successful security awareness program include gaining leadership support, establishing a program charter, and creating an advisory board.

14. What role does Cyber Threat Intelligence (CTI) play in a human risk assessment?
A. It provides financial data for budgeting
B. It offers insights into current and emerging threats to prioritize risks
C. It helps in recruiting new employees
D. It monitors physical security measures
Answer: B. It offers insights into current and emerging threats to prioritize risks
Explanation: Cyber Threat Intelligence (CTI) helps in identifying and understanding current and emerging threats, which is crucial for prioritizing human risks in a risk assessment.