a) Wait for full confirmation from IT before acting

b) Immediately convene the incident response team and activate the incident response plan

c) Notify all staff to shut down their systems immediately without coordination

d) Escalate only to the CIO and await further direction

a) The Board of Directors

b) The Chief Information Security Officer (CISO) in consultation with the board of directors and senior executives

c) Any IT staff member noticing the issue

d) The external managed service provider

a) Assume all data is stolen

b) Wait for attackers to release data proof

c) Engage the forensics team to analyze network traffic and logs for data exfiltration evidence

d) Contact the regulator to confirm data loss

a) Silence until the attack is fully resolved

b) Publicly deny the incident immediately

c) Allow employees to post clarifications on social media

d) Coordinate internal updates and prepare approved external communication guided by legal and compliance teams

a) Acknowledge the incident, assure investigation and customer protection steps

b) Downplay the incident to avoid panic

c) Share all technical details publicly

d) Redirect media to IT for responses

a) Delay reporting until the ransom deadline

b) Promptly report the incident in line with legal and regulatory requirements

c) Report only after customer data is confirmed leaked

d) Only disclose if compelled by the regulator

a) Immediately pay to restore operations

b) Evaluate payment only after consulting law enforcement, legal counsel, and considering regulatory and ethical implications

c) Refuse payment under all circumstances

d) Let IT decide based on system downtime