Security Awareness, Education, and Training
Establish and maintain a security awareness, education, and training program
Three levels of security awareness, education, and training:
Awareness — for everyone. Goal: change behavior. Phishing simulations, posters, newsletters, gamification.
Training — role-specific skills. Secure coding for developers, system hardening for admins, IR drills for managers.
Education — deep expertise. Degrees, certifications (like CISSP), research, conference attendance.
The exam tests which level is appropriate for which audience. The 2024 update added: gamification (points, badges, leaderboards), security champions (peer advocates in dev teams), and periodic content reviews for emerging tech (AI, deepfakes, crypto).
At a mature organization, security awareness operates as a continuous program, not a one-time event:
- Awareness (continuous): Monthly phishing simulations with click-rate tracking. Security newsletter with current threat intelligence. Onboarding module for new hires. Gamification — points for reporting suspicious emails, leaderboards by department, badges for completing modules.
- Training (role-specific, annual + on role change): Annual secure coding training for developers with hands-on labs. Incident response tabletop exercises for managers. System hardening workshops for infrastructure teams. Security champion program — trained advocates embedded in each development team.
- Education (career-long): CISSP certification sponsorship. Conference attendance budget. Research sabbaticals for senior security staff. Graduate degree tuition assistance for security specialization.
Program effectiveness is measured — not assumed. Key metrics: phishing click rates over time, incident reduction correlated to training cycles, quiz scores by department, time-to-report for suspicious activity.
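To make "measured, not assumed" concrete, here is an added example (not from the page, and not any organization's actual reporting tool) that computes the metrics listed above from constructed phishing-simulation records. The record layout, department names, user ids and the 3-campaign repeat-clicker threshold are all assumptions; the point is that click rate over time, click rate by department, time-to-report, and the list of users who need targeted remedial training all fall out of the same simulation data.

```python
"""Phishing-simulation program metrics from constructed per-campaign records.

Added example with assumed data. Each record is:
    (campaign, department, user_id, clicked, minutes_to_report_or_None)
A user who reported the simulated email has a minutes_to_report value;
a user who neither clicked nor reported has None.
"""
from collections import defaultdict
from statistics import median

# Constructed sample data: three monthly campaigns, two departments, four users.
SIM_RESULTS = [
    ("2024-01", "finance", "u1", True, None),
    ("2024-01", "finance", "u2", False, 12),
    ("2024-01", "eng", "u3", False, 5),
    ("2024-01", "eng", "u4", True, None),
    ("2024-02", "finance", "u1", True, None),
    ("2024-02", "finance", "u2", False, 8),
    ("2024-02", "eng", "u3", False, 4),
    ("2024-02", "eng", "u4", False, 30),
    ("2024-03", "finance", "u1", True, None),
    ("2024-03", "finance", "u2", False, 6),
    ("2024-03", "eng", "u3", False, 3),
    ("2024-03", "eng", "u4", False, 15),
]


def click_rate_by_campaign(results):
    """Click rate per campaign, in campaign order: the trend line over time."""
    totals = defaultdict(lambda: [0, 0])  # campaign -> [clicks, emails sent]
    for campaign, _dept, _user, clicked, _delay in results:
        totals[campaign][1] += 1
        totals[campaign][0] += int(clicked)
    return {c: clicks / sent for c, (clicks, sent) in sorted(totals.items())}


def click_rate_by_department(results):
    """Click rate per department, to target role-specific training."""
    totals = defaultdict(lambda: [0, 0])  # department -> [clicks, emails sent]
    for _campaign, dept, _user, clicked, _delay in results:
        totals[dept][1] += 1
        totals[dept][0] += int(clicked)
    return {d: clicks / sent for d, (clicks, sent) in totals.items()}


def median_time_to_report(results):
    """Median minutes-to-report among users who reported the simulation."""
    delays = [delay for *_, delay in results if delay is not None]
    return median(delays) if delays else None


def repeat_clickers(results, threshold=3):
    """Users who clicked in `threshold` or more consecutive campaigns.

    These users go to the targeted remedial-training queue (1-on-1 coaching,
    higher simulation frequency), not to a disciplinary list.
    """
    by_user = defaultdict(list)
    for campaign, _dept, user, clicked, _delay in results:
        by_user[user].append((campaign, clicked))
    flagged = []
    for user, events in by_user.items():
        run = best = 0
        for _campaign, clicked in sorted(events):  # campaign ids sort chronologically
            run = run + 1 if clicked else 0
            best = max(best, run)
        if best >= threshold:
            flagged.append(user)
    return sorted(flagged)


if __name__ == "__main__":
    print("click rate by campaign:", click_rate_by_campaign(SIM_RESULTS))
    print("click rate by department:", click_rate_by_department(SIM_RESULTS))
    print("median minutes to report:", median_time_to_report(SIM_RESULTS))
    print("remedial training queue:", repeat_clickers(SIM_RESULTS))
```

With this data the campaign click rate falls from 0.5 to 0.25 and stays there, finance clicks three times as often as engineering, and only u1 meets the consecutive-click threshold. Tracking median time-to-report alongside click rate matters because a program can succeed by making people report faster even when the click rate is flat.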
| Level | Audience | Goal | Examples | Frequency |
|---|---|---|---|---|
| Awareness | Everyone | Change behavior | Phishing sims, posters, gamification | Continuous |
| Training | Role-specific | Build skills | Secure coding, hardening, IR drills | Annual + on role change |
| Education | Specialists | Deep expertise | Degrees, certifications, research | Career-long |
2024 additions you must know:
Gamification — points, badges, leaderboards to drive engagement
Security champions — peer advocates embedded in development teams
Periodic content reviews — updating programs for emerging tech: AI-generated deepfakes, cryptocurrency scams, prompt injection attacks
Scenario: The Stagnant Training Program
Mid-size enterprise · 3,000 employees · 28% click rate
The HR Director is frustrated. Despite mandatory annual training, the phishing click rate hasn't improved.
In practice, most organizations still rely on annual CBT (computer-based training). It satisfies compliance requirements but rarely changes behavior. The best programs combine continuous micro-learning, peer-driven culture, and measurable outcomes. Security champions programs are increasingly common at tech companies but rare in traditional enterprises.
On the exam: The 2024 update explicitly calls out gamification, security champions, and periodic content reviews. If you see these in answer choices, they align with current guidance.
An employee in the finance department has failed the phishing simulation three consecutive times, clicking on simulated malicious links each time. The finance director wants action taken. The employee handles sensitive payment data daily.
Option A: Revoke network access + formal HR reprimand
Three strikes is enough. This employee is a persistent threat to the organization. Restrict access and document the disciplinary action.
Option B: Assign targeted remedial training
Awareness is about education, not punishment. Assign 1-on-1 coaching, focused phishing recognition training, and increase simulation frequency for this user.
Option B is correct — awareness programs educate, not punish
Option B: Users are business assets whose behavior needs shaping, not threats to be eliminated. Remedial training is the first response: targeted 1-on-1 coaching on phishing indicators, increased simulation frequency to build recognition skills, and possibly pairing with a security champion. Punitive measures come only after remedial training has repeatedly failed — and even then, the focus is on protecting the organization (access restrictions) rather than punishment.
Option A's kernel of truth: At some point, persistent non-compliance requires escalation. If remedial training fails multiple times, restricting access to sensitive systems is a legitimate compensating control. But it's the last resort, not the first response.
On the exam: "Think like a manager" means developing your people first. Punitive measures are last-resort escalations, not primary tools. The exam favors education over enforcement.
When you see "improve a stagnant awareness program": The 2024 answer is gamification + security champions + periodic content reviews. Longer annual training is wrong (more of the same). Punitive measures are wrong (education over enforcement). Converting awareness to technical education is wrong (they serve different audiences). The exam wants you to know the 2024-specific additions.
- A Increase the length of the annual CBT module from 45 minutes to 90 minutes
- B Implement gamification, security champions, and periodic content reviews for emerging threats
- C Introduce strict punitive measures for employees who fail phishing simulations
- D Convert all awareness content into deep technical education for every employee
Correct: B. The 2024 CISSP exam outline explicitly adds gamification, security champions, and periodic content reviews as modern awareness program elements. Longer CBT (A) is more of the same failing approach. Punitive measures (C) contradict the education-first principle. Converting everything to technical education (D) confuses awareness (behavior change for all) with education (deep expertise for specialists).