Conquer the 2025 CISSP Challenge – Master Your InfoSec Skills with Confidence!

Security controls aimed at changing user behavior are best characterized by awareness programs. These programs are designed to inform, educate, and train users about security policies, practices, and procedures in an effort to foster an organizational culture that prioritizes cybersecurity. The goal of these programs is to encourage users to adopt safer behaviors, recognize potential threats, and understand the importance of their role in maintaining security.

Awareness programs often include training sessions, workshops, and ongoing communications that address various security topics, such as phishing tactics, password management, and social engineering. By increasing awareness, organizations aim to reduce the likelihood of user errors and improve the overall security posture.

In contrast, other options refer to distinct categories of security controls. Physical security measures are focused on protecting physical assets from unauthorized access or damage, while technical security controls involve hardware and software mechanisms designed to protect information systems. Administrative controls, on the other hand, consist of policies and procedures that dictate how an organization manages its security practices but do not specifically target behavior modification in the way awareness programs do.