
/**
 * One item in the labeling-practice quiz.
 *
 * A question pairs a filing excerpt with a multiple-choice prompt and the
 * codebook rationale that is shown once the respondent has answered.
 */
export interface QuizQuestion {
  /** Stable identifier, e.g. "pvf-1"; unique within the quiz set. */
  id: string;
  /** The codebook rule the item exercises; also selects prompt and options. */
  type: "person-vs-function" | "materiality-disclaimer" | "qv-counting" | "spac-exception";
  /** The excerpt the respondent is asked to classify. */
  paragraphText: string;
  /** Prompt displayed above the answer choices. */
  question: string;
  /** Answer choices; `value` is the machine key, `label` the display text. */
  options: Array<{ value: string; label: string }>;
  /** Intended to equal the `value` of exactly one entry in `options`. */
  correctAnswer: string;
  /** Rationale for the correct answer, shown after the respondent answers. */
  explanation: string;
}
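/** Shape of one answer choice; `value` is the key a response is compared to. */
type AnswerOption = { value: string; label: string };

/**
 * Build answer choices whose label is the value itself, which is how every
 * content-category list below is written.
 */
function selfLabelled(...values: string[]): AnswerOption[] {
  return values.map((value) => ({ value, label: value }));
}

const PERSON_VS_FUNCTION_OPTIONS = selfLabelled(
  "Management Role",
  "Risk Management Process",
);
const MATERIALITY_OPTIONS = selfLabelled("Strategy Integration", "None/Other");
/**
 * Specificity levels 1–4. Level 1 is included because the qv-counting set
 * contains a Generic Boilerplate item whose correct answer is "1"; without
 * this entry that item has no selectable correct answer.
 */
const QV_OPTIONS: AnswerOption[] = [
  { value: "1", label: "Specificity 1 — Generic Boilerplate" },
  { value: "2", label: "Specificity 2 — Sector-Adapted" },
  { value: "3", label: "Specificity 3 — Firm-Specific" },
  { value: "4", label: "Specificity 4 — Quantified-Verifiable" },
];
const SPAC_OPTIONS = selfLabelled(
  "None/Other",
  "Board Governance",
  "Risk Management Process",
  "Management Role",
);

/** The three content-category quizzes share one prompt; only the QV set differs. */
const CONTENT_CATEGORY_QUESTION =
  "What content category best describes this paragraph?";
const PERSON_VS_FUNCTION_QUESTION = CONTENT_CATEGORY_QUESTION;
const MATERIALITY_QUESTION = CONTENT_CATEGORY_QUESTION;
const QV_QUESTION = "What specificity level best describes this paragraph?";
const SPAC_QUESTION = CONTENT_CATEGORY_QUESTION;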
/** The per-item fields that vary within one quiz section. */
type QuestionSeed = Pick<
  QuizQuestion,
  "id" | "paragraphText" | "correctAnswer" | "explanation"
>;

/**
 * Expand the seeds of one quiz section into full questions, attaching the
 * section's shared `type`, prompt and answer choices to every item. The
 * `options` array is shared by reference across the section's items.
 */
function buildSection(
  type: QuizQuestion["type"],
  question: string,
  options: QuizQuestion["options"],
  seeds: readonly QuestionSeed[],
): QuizQuestion[] {
  return seeds.map((seed) => ({
    id: seed.id,
    type,
    paragraphText: seed.paragraphText,
    question,
    options,
    correctAnswer: seed.correctAnswer,
    explanation: seed.explanation,
  }));
}

/**
 * Every quiz item, in section order: person-vs-function (10), materiality
 * disclaimers (8), QV fact counting (8), SPAC exception (4).
 */
export const QUIZ_QUESTIONS: QuizQuestion[] = [
  // ------------------------------------------------------------
  // PERSON-VS-FUNCTION (10 questions)
  // ------------------------------------------------------------
  ...buildSection(
    "person-vs-function",
    PERSON_VS_FUNCTION_QUESTION,
    PERSON_VS_FUNCTION_OPTIONS,
    [
      {
        id: "pvf-1",
        paragraphText:
          "Our Vice President of Information Security, who holds CISSP and CISM certifications and has over 20 years of experience in cybersecurity and information technology, reports directly to our Chief Information Officer.",
        correctAnswer: "Management Role",
        explanation:
          'This paragraph is about the PERSON: their certifications (CISSP, CISM), experience (20 years), and reporting line (to the CIO). The person-vs-function test: if you remove the credentials and reporting line, there is no remaining content about cybersecurity processes or activities. The paragraph tells you WHO the person is, not WHAT the program does.',
      },
      {
        id: "pvf-2",
        paragraphText:
          "Our CISO oversees the Company's comprehensive cybersecurity program, which includes regular risk assessments, vulnerability scanning, penetration testing, and incident response planning aligned with the NIST Cybersecurity Framework.",
        correctAnswer: "Risk Management Process",
        explanation:
          'The CISO is mentioned once as attribution ("Our CISO oversees"), but the paragraph\'s substantive content describes the program: risk assessments, vulnerability scanning, penetration testing, incident response planning, NIST CSF alignment. Remove "Our CISO oversees" and the paragraph still describes a complete cybersecurity program. The person-vs-function test clearly points to Risk Management Process.',
      },
      {
        id: "pvf-3",
        paragraphText:
          "Our Chief Information Security Officer, Jane Smith, has served in this role since 2020. Prior to joining the Company, Ms. Smith spent 15 years in cybersecurity leadership positions at major financial institutions, including serving as the Deputy CISO at JPMorgan Chase.",
        correctAnswer: "Management Role",
        explanation:
          "The entire paragraph is about the person: her name (Jane Smith), tenure (since 2020), career background (15 years at financial institutions), and prior role (Deputy CISO at JPMorgan Chase). There is no description of cybersecurity processes or activities. This is clearly about WHO the person is.",
      },
      {
        id: "pvf-4",
        paragraphText:
          "The Company's cybersecurity team, led by our CISO, conducts quarterly vulnerability assessments and annual penetration testing of all customer-facing systems, and maintains 24/7 monitoring through our Security Operations Center.",
        correctAnswer: "Risk Management Process",
        explanation:
          'The CISO appears as brief attribution ("led by our CISO"), but the paragraph describes program activities: vulnerability assessments, penetration testing, 24/7 monitoring, and the SOC. Remove the CISO reference and you still have a complete description of cybersecurity operations. The person-vs-function test clearly points to Risk Management Process.',
      },
      {
        id: "pvf-5",
        paragraphText:
          "Mr. David Reyes serves as our Chief Information Security Officer and has held this position since March 2021. Mr. Reyes holds a Master of Science in Cybersecurity from Carnegie Mellon University and maintains CISSP, CISM, and CRISC certifications. He has over 25 years of experience in information security, including senior roles at Lockheed Martin and Northrop Grumman.",
        correctAnswer: "Management Role",
        explanation:
          "Every sentence is about the person: his name, tenure, education (Carnegie Mellon), certifications (CISSP, CISM, CRISC), years of experience, and career history (Lockheed Martin, Northrop Grumman). There are zero descriptions of cybersecurity processes or program activities. This is unambiguously Management Role.",
      },
      {
        id: "pvf-6",
        paragraphText:
          "Under the leadership of our CISO, we have implemented a multi-layered defense strategy that includes network segmentation, endpoint detection and response, data loss prevention, and security information and event management. Our security team monitors all critical systems on a continuous basis and conducts incident response tabletop exercises on a quarterly basis.",
        correctAnswer: "Risk Management Process",
        explanation:
          'The CISO is mentioned only as brief attribution ("Under the leadership of our CISO"). The paragraph\'s content describes program elements: network segmentation, EDR, DLP, SIEM, continuous monitoring, and tabletop exercises. Remove the CISO attribution and the paragraph is entirely about what the cybersecurity program does. This is Risk Management Process.',
      },
      {
        id: "pvf-7",
        paragraphText:
          "Our information security program is managed by our Vice President of Cybersecurity, who reports to our Chief Technology Officer. The VP of Cybersecurity is responsible for the day-to-day management of the Company's cybersecurity risk management program and leads a team of security professionals responsible for identifying, assessing, and mitigating cybersecurity threats.",
        correctAnswer: "Risk Management Process",
        explanation:
          "While this paragraph names the VP of Cybersecurity and their reporting line, the dominant content describes the function: day-to-day management of the cybersecurity risk management program, and a team responsible for identifying, assessing, and mitigating threats. The person-vs-function test: remove the title and reporting line, and the paragraph still describes a cybersecurity program. The brief reporting structure is subordinate to the process description.",
      },
      {
        id: "pvf-8",
        paragraphText:
          "Ms. Angela Torres, our Senior Vice President and Chief Information Security Officer, joined the Company in 2018. Ms. Torres previously served as the Global Head of Cybersecurity at Citigroup for seven years. She is a member of the Board of Directors of the Center for Internet Security (CIS) and serves on the advisory board of the Financial Services Information Sharing and Analysis Center (FS-ISAC).",
        correctAnswer: "Management Role",
        explanation:
          "The paragraph is entirely about the person: her name, title, tenure (since 2018), prior employer (Citigroup), duration of prior role (seven years), and external board memberships (CIS, FS-ISAC). There are no descriptions of the company's cybersecurity processes or activities. This is clearly Management Role.",
      },
      {
        id: "pvf-9",
        paragraphText:
          "Our CISO and dedicated cybersecurity team maintain and regularly update the Company's incident response plan, which establishes protocols for detecting, containing, eradicating, and recovering from cybersecurity incidents. The plan is tested through annual tabletop exercises involving cross-functional participants from Legal, Compliance, Finance, and Communications.",
        correctAnswer: "Risk Management Process",
        explanation:
          'The CISO is mentioned alongside "dedicated cybersecurity team" as attribution, but the content describes the incident response plan and its elements: detection, containment, eradication, recovery protocols, annual testing, and cross-functional participation. The person-vs-function test: remove the CISO reference and the paragraph fully describes a cybersecurity process. This is Risk Management Process.',
      },
      {
        id: "pvf-10",
        paragraphText:
          "Management is responsible for assessing and managing cybersecurity risks within the organization.",
        correctAnswer: "Management Role",
        explanation:
          'Although this paragraph is extremely generic, its subject is "Management" and its content is about role responsibility rather than describing any specific process, tool, or methodology. There is no description of HOW cybersecurity risks are assessed or managed — only THAT management is responsible. Per the codebook, this is Management Role at Specificity 1 (generic, no named roles or structure).',
      },
    ],
  ),

  // ------------------------------------------------------------
  // MATERIALITY DISCLAIMERS (8 questions)
  // ------------------------------------------------------------
  ...buildSection(
    "materiality-disclaimer",
    MATERIALITY_QUESTION,
    MATERIALITY_OPTIONS,
    [
      {
        id: "mat-1",
        paragraphText:
          "Cybersecurity risks have not materially affected our business strategy, results of operations, or financial condition.",
        correctAnswer: "Strategy Integration",
        explanation:
          'This is an explicit materiality assessment: the company states that cybersecurity risks have not "materially affected" its business. Per the codebook, any paragraph that explicitly assesses whether cybersecurity risks have or could materially affect the company is Strategy Integration, even when the language is boilerplate.',
      },
      {
        id: "mat-2",
        paragraphText:
          "For additional information about risks related to our information technology systems, see Part I, Item 1A, 'Risk Factors.'",
        correctAnswer: "None/Other",
        explanation:
          "This is a pure cross-reference that points the reader to another section of the filing. There is no materiality assessment — no statement about whether cybersecurity risks have or could materially affect the business. Per the codebook, a pure cross-reference with no materiality conclusion is None/Other.",
      },
      {
        id: "mat-3",
        paragraphText:
          "We have not identified any cybersecurity incidents that have materially affected us. For more information, see Item 1A, Risk Factors.",
        correctAnswer: "Strategy Integration",
        explanation:
          'This paragraph contains both a materiality assessment ("have not... materially affected us") and a cross-reference. Per the codebook, the materiality assessment is the substantive content and the cross-reference is noise. A cross-reference appended to a materiality assessment does not change the classification. This is Strategy Integration.',
      },
      {
        id: "mat-4",
        paragraphText:
          "Cybersecurity risks, including those described above, have not materially affected, and are not reasonably likely to materially affect, our business strategy, results of operations, or financial condition. However, like other companies, we have experienced threats from time to time. For more information about cybersecurity risks, see Part I, Item 1A, 'Risk Factors' in this Annual Report.",
        correctAnswer: "Strategy Integration",
        explanation:
          'Despite the generic threat mention ("we have experienced threats") and the cross-reference, this paragraph contains an explicit materiality assessment: risks "have not materially affected, and are not reasonably likely to materially affect" the company\'s business. Per the codebook, the materiality assessment governs the classification. The cross-reference and generic threat language are noise.',
      },
      {
        id: "mat-5",
        paragraphText:
          "For a discussion of cybersecurity risks that may materially affect our business, see 'Risk Factors — Risks Related to Information Technology and Data Privacy' in Part I, Item 1A of this Annual Report on Form 10-K.",
        correctAnswer: "None/Other",
        explanation:
          'This is a cross-reference, not a materiality assessment. It mentions "materially affect" as part of a description of what is in another section, but the paragraph itself makes no substantive claim about whether cybersecurity risks have or could materially affect the business. The test: does this paragraph make a judgment about cyber risk impact? No — it only tells you where to find that discussion. This is None/Other.',
      },
      {
        id: "mat-6",
        paragraphText:
          "As of the date of this filing, no cybersecurity threats or incidents have materially affected the Company or are reasonably likely to materially affect the Company, including its business strategy, results of operations, or financial condition. We maintain cybersecurity insurance coverage to help offset potential losses from cyber incidents.",
        correctAnswer: "Strategy Integration",
        explanation:
          'The paragraph opens with a clear materiality assessment ("no cybersecurity threats or incidents have materially affected the Company") and adds a note about insurance coverage. Both the materiality assessment and the insurance mention point to Strategy Integration. The paragraph makes an explicit strategic judgment about cyber risk\'s business impact.',
      },
      {
        id: "mat-7",
        paragraphText:
          "See Part I, Item 1A, Risk Factors, and Part I, Item 1, Business, for additional information about our cybersecurity risk management program and associated risks.",
        correctAnswer: "None/Other",
        explanation:
          "This is a pure cross-reference pointing to two other sections of the filing. There is no materiality assessment, no substantive disclosure about cybersecurity risks or their business impact. Per the codebook, a pure cross-reference with no materiality conclusion is None/Other.",
      },
      {
        id: "mat-8",
        paragraphText:
          "While we have experienced cybersecurity incidents in the past, none of these incidents, individually or in the aggregate, have materially affected, or are reasonably likely to materially affect, our business, results of operations, or financial condition, including our business strategy.",
        correctAnswer: "Strategy Integration",
        explanation:
          'This paragraph makes an explicit materiality assessment: past incidents "have [not] materially affected" the company. The acknowledgment of past incidents does not change the classification — the paragraph\'s purpose is to assess materiality, which is the hallmark of Strategy Integration per the codebook.',
      },
    ],
  ),

  // ------------------------------------------------------------
  // QV FACT COUNTING (8 questions)
  // ------------------------------------------------------------
  ...buildSection("qv-counting", QV_QUESTION, QV_OPTIONS, [
    {
      id: "qv-1",
      paragraphText:
        "Our CISO oversees a dedicated cybersecurity team responsible for managing cyber risk across the enterprise.",
      correctAnswer: "3",
      explanation:
        '"CISO" is a cybersecurity-specific title on the codebook\'s IS list — that\'s one firm-specific fact. "Dedicated cybersecurity team" is a generic team reference (NOT list). "Managing cyber risk across the enterprise" is generic. One IS-list fact, no named standards, no QV-eligible facts = Specificity 3 (Firm-Specific).',
    },
    {
      id: "qv-2",
      paragraphText:
        "We maintain cyber liability insurance with $100M aggregate coverage through AIG.",
      correctAnswer: "4",
      explanation:
        "This paragraph contains multiple verifiable facts: a specific dollar amount ($100M aggregate coverage) and a named insurer (AIG). Two or more hard verifiable facts = Specificity 4 (Quantified-Verifiable) per the codebook's QV counting rules.",
    },
    {
      id: "qv-3",
      paragraphText:
        "Our incident response team conducts quarterly tabletop exercises.",
      // correctAnswer "1" requires a Specificity 1 entry in QV_OPTIONS;
      // the item is unanswerable if that option is absent.
      correctAnswer: "1",
      explanation:
        'Apply the codebook\'s validation step: "quarterly" is a generic cadence (NOT list), "tabletop exercises" is a common practice (NOT list), and "incident response team" is a generic team reference (NOT list). After filtering, no IS-list facts remain. No named standards either. This is Specificity 1 (Generic Boilerplate) — it could appear unchanged in any company\'s filing.',
    },
    {
      id: "qv-4",
      paragraphText:
        "Our cybersecurity program is aligned with the NIST Cybersecurity Framework and incorporates elements of ISO 27001. We conduct regular risk assessments and vulnerability scanning as part of our continuous monitoring approach.",
      correctAnswer: "2",
      explanation:
        'This paragraph names two recognized standards (NIST CSF and ISO 27001), which places it at Specificity 2. However, naming standards is NOT a firm-specific fact per the codebook — it only makes a paragraph Sector-Adapted. The activities described (risk assessments, vulnerability scanning, continuous monitoring) are generic practices. There are no firm-specific facts (no named tools, no named personnel, no dates, no dollar amounts). Specificity 2 (Sector-Adapted).',
    },
    {
      id: "qv-5",
      paragraphText:
        "We operate a 24/7 Security Operations Center staffed by a team of 18 cybersecurity professionals. Our SOC uses CrowdStrike Falcon for endpoint detection and response and Splunk Enterprise Security as our SIEM platform. In fiscal 2024, our SOC processed over 2.3 billion security events and investigated 847 potential incidents.",
      correctAnswer: "4",
      explanation:
        "This paragraph is rich in verifiable facts: team size (18 professionals), named tools (CrowdStrike Falcon, Splunk Enterprise Security), specific time period (fiscal 2024), event volume (2.3 billion), and incident count (847). With far more than two hard verifiable facts, this is clearly Specificity 4 (Quantified-Verifiable).",
    },
    {
      id: "qv-6",
      paragraphText:
        "Our CISO leads the Company's cybersecurity program, which includes risk assessments, vulnerability management, and incident response planning.",
      correctAnswer: "3",
      explanation:
        'The CISO title is a cybersecurity-specific role per the codebook\'s IS list, making this at least Firm-Specific. However, there is only one firm-specific fact (the CISO title). The activities listed (risk assessments, vulnerability management, incident response planning) are generic and do not count as verifiable facts. One firm-specific fact = Specificity 3 (Firm-Specific), not QV.',
    },
    {
      id: "qv-7",
      paragraphText:
        "We engaged Deloitte to conduct an independent assessment of our cybersecurity program in fiscal 2024. The assessment identified no critical vulnerabilities and resulted in 12 recommendations for improvement, all of which have been addressed or are being remediated.",
      correctAnswer: "4",
      explanation:
        "Multiple verifiable facts: named third-party firm (Deloitte), specific time period (fiscal 2024), specific finding count (12 recommendations). Three or more hard verifiable facts easily qualifies for Specificity 4 (Quantified-Verifiable).",
    },
    {
      id: "qv-8",
      paragraphText:
        "Our cybersecurity team conducts regular penetration testing and vulnerability assessments of our information technology infrastructure. We also engage external cybersecurity consultants to periodically evaluate our security posture.",
      correctAnswer: "3",
      // NOTE(review): qv-1 treats "dedicated cybersecurity team" as a generic
      // (NOT-list) reference, while this rationale counts "cybersecurity team"
      // as firm-specific — confirm which reading the codebook intends.
      explanation:
        'The mention of a "cybersecurity team" is a firm-specific fact (this company has a dedicated team), but there is only one such fact. The "external cybersecurity consultants" are unnamed and therefore do not count per the codebook\'s NOT list. "Regular" and "periodically" are generic cadences. One firm-specific fact = Specificity 3 (Firm-Specific).',
    },
  ]),

  // ------------------------------------------------------------
  // SPAC EXCEPTION (4 questions)
  // ------------------------------------------------------------
  ...buildSection("spac-exception", SPAC_QUESTION, SPAC_OPTIONS, [
    {
      id: "spac-1",
      paragraphText:
        "We are a special purpose acquisition company with no business operations. We have not adopted any cybersecurity risk management program. Our board of directors is generally responsible for oversight of cybersecurity risks, if any.",
      correctAnswer: "None/Other",
      explanation:
        'Per the codebook\'s SPAC exception: companies that explicitly state they have no operations and no cybersecurity program receive None/Other regardless of incidental board mentions. The board reference ("generally responsible... if any") is perfunctory, not substantive governance disclosure. The absence of a program is not a description of a program.',
    },
    {
      id: "spac-2",
      paragraphText:
        "We do not consider that we face significant cybersecurity risk and have not adopted any formal processes for assessing cybersecurity risk.",
      correctAnswer: "None/Other",
      explanation:
        "The company explicitly states it has not adopted formal cybersecurity processes. Per the codebook, the absence of a program is not a program description. Even though the paragraph mentions cybersecurity risk, there is no substantive disclosure content. This is None/Other.",
    },
    {
      id: "spac-3",
      paragraphText:
        "As a blank check company, we have no operations and therefore have limited exposure to cybersecurity risk. We have not implemented a formal cybersecurity risk management program. Our sponsor and management team are generally aware of cybersecurity risks and will seek to implement appropriate measures following the completion of our initial business combination.",
      correctAnswer: "None/Other",
      explanation:
        "This is a blank check company (SPAC) with no operations and no formal cybersecurity program. The mention of the sponsor and management team being \"generally aware\" is perfunctory — it does not describe any substantive management role, process, or governance structure. The forward-looking statement about implementing measures post-combination is aspirational, not disclosure. None/Other.",
    },
    {
      id: "spac-4",
      paragraphText:
        "We are a newly formed company with limited operations. We have not yet established a formal cybersecurity risk management program. Our Chief Executive Officer and Chief Financial Officer are responsible for identifying and managing cybersecurity risks as they arise, although no specific cybersecurity policies or procedures have been adopted as of the date of this filing.",
      correctAnswer: "None/Other",
      explanation:
        "Despite naming the CEO and CFO as responsible for cybersecurity risks, the company explicitly states it has no formal program and no specific policies or procedures. Per the codebook, CEO and CFO are generic C-suite titles (NOT cybersecurity-specific), and the mention of them is perfunctory. The company has limited operations and no substantive cybersecurity disclosure. This is the SPAC/shell company exception: None/Other.",
    },
  ]),
];
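/**
 * Return a shuffled copy of `items` using Fisher-Yates; `items` is not mutated.
 * `Math.random` is adequate for ordering quiz items; it is not a CSPRNG and
 * this helper must not be reused where unpredictability matters.
 */
function shuffled<T>(items: readonly T[]): T[] {
  const out = [...items];
  for (let i = out.length - 1; i > 0; i--) {
    const j = Math.floor(Math.random() * (i + 1));
    [out[i], out[j]] = [out[j], out[i]];
  }
  return out;
}

/**
 * Draw a balanced set of quiz questions from `pool`: `count` / 4 per type
 * (rounded down, at least 1), shuffled within each type and then across the
 * final set, trimmed to `count`.
 *
 * @param count Number of questions wanted. Non-positive values (0, negatives,
 *   NaN) yield an empty array.
 * @param pool Questions to draw from; defaults to `QUIZ_QUESTIONS`. Exposed
 *   so callers and tests can supply their own set.
 * @returns At most `count` questions. Fewer are returned when a type has fewer
 *   items than its share, or when `count` is not a multiple of 4 (the per-type
 *   share is floored, so e.g. `count = 10` yields 8).
 */
export function drawQuizQuestions(
  count: number,
  pool: readonly QuizQuestion[] = QUIZ_QUESTIONS,
): QuizQuestion[] {
  // A negative `count` would reach `slice(0, count)` and keep all but the
  // last |count| items instead of returning nothing; `!(count > 0)` rejects
  // that and NaN in one check while leaving Infinity (whole pool) intact.
  if (!(count > 0)) return [];

  const types = [
    "person-vs-function",
    "materiality-disclaimer",
    "qv-counting",
    "spac-exception",
  ] as const;
  const perType = Math.max(1, Math.floor(count / types.length));

  // Take a random `perType` slice from each type's pool, then reshuffle the
  // union so the result is not grouped by type.
  const selected = types.flatMap((t) =>
    shuffled(pool.filter((q) => q.type === t)).slice(0, perType),
  );
  return shuffled(selected).slice(0, count);
}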