Effective CISSP Questions

You are planning the program for security awareness, training, and education. Which of the following is not the primary target audience who needs more knowledge and skills that will enable them to perform their jobs more effectively?
A. All employees
B. End-users
C. Security administrators
D. IT engineers

Wentz’s Book, The Effective CISSP: Security and Risk Management

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is A. All employees.

The IT Security Learning Continuum_NIST SP 800-50

The IT Security Learning Continuum (Source: NIST SP 800-50)

The question sentence, in fact,  is paraphrasing training or expressing the meaning of training using different words. According to NIST SP 800-50, “training is more formal, having a goal of building knowledge and skills to facilitate the job performance.”

All employees

“All employees” as a whole is an ideal target to accept or engage in awareness presentations or activities, but not a good target to accept training, which is applied to functional roles and responsibilities relative IT systems to developed relevant and needed skills and competencies.


End-users are users of information systems. They use or operate the information system to complete their job. They may need training at a beginning, intermediate, or advanced level for relevant and needed skills and competencies.

IT Engineers

IT engineers assume specific “functional roles and responsibilities relative IT systems.” They also need different levels of training.

Security Administrators

Security administrators need education, which also comprises training and awareness.

NIST SP 800-50

Learning is a continuum; it starts with awareness, builds to training, and evolves into education.

  • Awareness is not training. The purpose of awareness presentations is simply to focus attention on security. Awareness presentations are intended to allow individuals to recognize IT security concerns and respond accordingly.
  • In awareness activities, the learner is the recipient of information, whereas the learner in a training environment has a more active role. Awareness relies on reaching broad audiences with attractive packaging techniques. Training is more formal, having a goal of building knowledge and skills to facilitate the job performance.
  • A bridge or transitional stage between awareness and training consists of what NIST Special Publication 800-16 calls Security Basics and Literacy.
  • Training strives to produce relevant and needed security skills and competencies.
  • Education integrates all of the security skills and competencies of the various functional specialties into a common body of knowledge . . . and strives to produce IT security specialists and professionals capable of vision and pro-active response.

Source: NIST SP 800-50

ISSMP CBK, 2nd Edition

ISSMP CBK_Training

ISSMP CBK, 2nd Edition


  • NIST SP 800-16
  • NIST SP 800-50
  • NIST SP 800-100


My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and informative reference for security professionals.

Leave a Reply