CISSP · Question #253
Which of the following is the BEST method to reduce the effectiveness of phishing attacks?
The correct answer is A. User awareness. Phishing attacks rely on deceiving users through social engineering, making human awareness the most effective long-term defense. Technical controls alone cannot fully compensate for a user who voluntarily provides credentials or clicks malicious links.
Question
Options
- AUser awareness
- BTwo-factor authentication
- CAnti-phishing software
- DPeriodic vulnerability scan
How the community answered
(30 responses)- A77% (23)
- B13% (4)
- C7% (2)
- D3% (1)
Why each option
Phishing attacks rely on deceiving users through social engineering, making human awareness the most effective long-term defense. Technical controls alone cannot fully compensate for a user who voluntarily provides credentials or clicks malicious links.
User awareness training is the best method because phishing is fundamentally a social engineering attack that targets human behavior rather than technical vulnerabilities. When users can recognize phishing indicators-such as spoofed sender addresses, urgency cues, and suspicious URLs-they can avoid the attack before any technical control is needed. Security awareness programs address the root cause by reducing the likelihood that a user will be successfully deceived in the first place.
Two-factor authentication can limit account compromise after credentials are stolen, but it does not prevent the user from being phished or from clicking a malicious link that delivers malware.
Anti-phishing software can filter known malicious emails and URLs, but it is reactive and signature-dependent, meaning novel or sophisticated phishing campaigns can bypass it, leaving aware users as the last line of defense.
Periodic vulnerability scans identify technical weaknesses in systems and software, but phishing is a social engineering technique that exploits human trust rather than software vulnerabilities, so scanning provides no direct mitigation.
Concept tested: Social engineering mitigation through security awareness training
Source: https://www.cisa.gov/topics/cyber-threats-and-advisories/phishing
Topics
Community Discussion
No community discussion yet for this question.