Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

2.6. Security Awareness and Training

💡 First Principle: Technical controls can block known attacks. Security awareness changes the human behavior that technical controls cannot address — the employee who clicks a phishing link, shares credentials, or tailgates someone into a secure area. A security-aware workforce is a control layer that operates where technology cannot.

Awareness and training are distinct: awareness creates a security-conscious mindset across the entire organization (everyone); training builds specific security skills in people with specific security responsibilities (IT staff, developers, security team). Education develops deep understanding for security professionals pursuing professional growth (CISSP candidates). The CISSP exam tests all three tiers.

Why this matters: Awareness program design — not just delivery — is tested. Knowing that phishing simulations exist is insufficient; the exam tests whether you understand effectiveness measurement, content review cycles, and how to design programs that change behavior rather than just create compliance.

⚠️ Common Misconception: "Annual security training is sufficient for an effective awareness program." Annual compliance training creates checkbox compliance, not security-aware behavior. Effective programs use continuous reinforcement: short monthly communications, simulated phishing campaigns with immediate feedback, security champions in business units, and event-triggered training (when an employee falls for a phishing simulation, immediate remediation training is far more effective than waiting for the annual cycle).

Written by Alvin Varughese, Founder, 15 professional certifications