I think the wording for option A is off. If they had called it "User Awareness Training" then I would have picked A instead of B. "Security Strategy Training" sounds off and I have not heard it before.
A. I know it seems off, but from the viewpoint of a former awareness/training professional who used to oversee phishing campaigns, some phishing emails can go undetected past email filtering. All the security controls can be put in place, but if a person is unaware of the risks and threats, and a phishing email successfully makes it through the email filtering system, it puts the organization at risk. Also, technology is known to fail on occasion, just ask Crowdstrike.
Phishing attacks are not from email content only. It can be accessing malicious URLs, someone pretending to be someone else, etc. So phishing attacks can mostly be mitigated with user awareness training.
From ISACA 15th ed CISM Review section 2.7.11 - an organization that does not have a formal information security training and awareness program. One set of vulnerabilities in this instance would stem from a lack of user awareness of security policies, standards and guidelines. Absent such awareness training, it has been shown that an organization is considerably more likely to suffer compromise from social engineering attacks such as phishing.
B, based upon real world evidence. My company has 3000 employees, with about a 5% failure rate on every phishing campaign we run (people that supply credentials). I used that for funding justification to have a second email filtering solution integrated. Even the leaders in phishing tests (Proofpoint) say that phishing exercises only improve compliance by 1/3. For anyone who actually works protecting a company from spam/phishing... it's B.
Recent studies indicate that more than 90 percent of breaches begin with phishing attacks. Arguably, security awareness training is one of the most important defenses available for an organization, given that with even the best spam filters, some phishing attacks do successfully penetrate even the best defenses.
Phishing attacks involve sending fraudulent emails that impersonate legitimate organizations to trick recipients into revealing personal information or clicking on malicious links. Email filtering can effectively block these phishing emails from reaching users' inboxes.
Here's why the other options are not as effective:
A. Security strategy training: While security strategy training can raise awareness of phishing attacks, it doesn't prevent them from being sent.
Email filtering is a proactive measure that helps prevent phishing attacks by filtering out malicious emails before they reach users' inboxes. Effective email filtering solutions can identify and block phishing emails based on various indicators, such as suspicious links, attachments, or content. This reduces the likelihood of users falling victim to phishing attempts.
While security strategy training (option A) is important for educating users about recognizing and avoiding phishing attacks, email filtering provides an additional layer of defense by blocking malicious emails at the email gateway. Network encryption (option C) and application whitelisting (option D) are valuable security measures but are not specifically designed to address the primary threat vector of phishing attacks, which often involve deceptive emails.
I'm confused here. I am leaning towards B - Email filtering. If A is Security Awareness training then it is A. How is Security Strategy Training suitable for the mass employee?
Would be valid if it said "security AWARENESS training". Security strategy training doesn't make any sense, let alone has anything to do with stopping phishing.
Going by the exact options I would pick Email Filtering. Security Strategy training shouldn't be the answer. But if they meant Security Awareness Training, then that is the answer.
B. Email filtering is the BEST option to protect against phishing attacks.
While options like security strategy training (option A) and application whitelisting (option D) are valuable components of a comprehensive security strategy, they may not directly address the initial point of entry for many phishing attacks—deceptive emails. Network encryption (option C) primarily focuses on protecting data in transit and may not be directly related to phishing email prevention.