312-50V11 · Question #607
When utilizing technical assessment methods to assess the security posture of a network, which of the following techniques would be most effective in determining whether end-user security training wou
The correct answer is B. Social engineering. Social engineering assessments directly measure human susceptibility to manipulation, making them the most effective method for determining whether end-user security awareness training is needed.
Question
When utilizing technical assessment methods to assess the security posture of a network, which of the following techniques would be most effective in determining whether end-user security training would be beneficial?
Options
- AVulnerability scanning
- BSocial engineering
- CApplication security testing
- DNetwork sniffing
How the community answered
(50 responses)- A4% (2)
- B84% (42)
- C2% (1)
- D10% (5)
Why each option
Social engineering assessments directly measure human susceptibility to manipulation, making them the most effective method for determining whether end-user security awareness training is needed.
Vulnerability scanning identifies technical weaknesses in systems and software configurations, providing no insight into human behavior or susceptibility to social manipulation.
Social engineering techniques such as phishing simulations, pretexting, and baiting directly test whether users can recognize and resist manipulation attempts rather than identifying technical vulnerabilities. If users fall for simulated attacks, it demonstrates measurable gaps in security awareness that targeted training can remediate. No other listed technical assessment method can directly evaluate human behavioral risk, which is precisely what security awareness training is designed to reduce.
Application security testing evaluates the security of software code and its deployment configuration, which is entirely unrelated to measuring end-user awareness or resilience against social engineering.
Network sniffing captures and analyzes traffic for technical issues such as cleartext credentials or protocol anomalies, and does not assess user decision-making or security awareness.
Concept tested: Social engineering assessment for security awareness evaluation
Source: https://csrc.nist.gov/publications/detail/sp/800-115/final
Topics
Community Discussion
No community discussion yet for this question.