Domain 5 of 5 · Chapter 4 of 4

Security Awareness Training

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing Certified in Cybersecurity premium course — no separate purchase.

Included in this chapter:

  • The human is the most-targeted layer
  • The social-engineering attack catalog
  • Awareness vs training vs education, and password hygiene
  • Exam-pattern recognition: naming the attack and the term

Social-engineering attack types

AttackChannelTargetHow it works
PhishingEmail (mass)AnyoneFraudulent message lures a click, attachment, or credential entry
Spear phishingEmail (targeted)A specific person/groupPersonalized phishing using researched details to seem legitimate
WhalingEmail (targeted)Senior executivesSpear phishing aimed at high-value 'big fish' like a CEO or CFO
VishingVoice callAnyonePhone-based pretext to extract info or credentials ('voice phishing')
SmishingSMS / textAnyonePhishing via text message with a malicious link or callback number
PretextingAny channelAnyoneInventing a believable false scenario/role to justify the request
BaitingPhysical / onlineAnyoneDangling a lure (a 'lost' USB drive, a free download) carrying malware
TailgatingPhysical entryDoor accessFollowing an authorized person through a controlled door uninvited

Cheat sheet

  • People are the most-targeted security layer
  • Social engineering attacks the person, not the system
  • Phishing is the broad email lure; spear phishing is the targeted version
  • Whaling is spear phishing aimed at senior executives
  • Vishing is phishing by voice call; smishing is phishing by text
  • Pretexting invents a false story to justify the request
  • Baiting attaches the attack to something the victim wants
  • Tailgating follows an authorized person through a secure door
  • Awareness, training, and education answer what, how, and why
  • Awareness targets everyone; training targets a role
  • Education is the deepest, professional level
  • Awareness reinforcement is ongoing, not a one-time briefing
  • Use long, unique passwords for every account
  • No legitimate party ever asks for your password
  • MFA blunts a stolen password
  • Awareness changes behavior but does not enforce it
  • Training completion records are evidence of due diligence for auditors
  • Completion rate shows participation, not changed behavior
  • Start with a needs assessment and tailor content to each role

Unlock with Premium — includes all practice exams and the complete study guide.

Also tested in

References

  1. NIST Glossary — Social Engineering Whitepaper
  2. NIST Glossary — Awareness (learning continuum) Whitepaper
  3. NIST SP 800-50 Rev. 1 — Building a Cybersecurity and Privacy Learning Program Whitepaper