nerdexam
(ISC)2

CISSP · Question #253

Which of the following is the BEST method to reduce the effectiveness of phishing attacks?

The correct answer is A. User awareness. Phishing attacks rely on deceiving users through social engineering, making human awareness the most effective long-term defense. Technical controls alone cannot fully compensate for a user who voluntarily provides credentials or clicks malicious links.

Submitted by takeshi77· Mar 5, 2026Security and Risk Management

Question

Which of the following is the BEST method to reduce the effectiveness of phishing attacks?

Options

  • AUser awareness
  • BTwo-factor authentication
  • CAnti-phishing software
  • DPeriodic vulnerability scan

How the community answered

(30 responses)
  • A
    77% (23)
  • B
    13% (4)
  • C
    7% (2)
  • D
    3% (1)

Why each option

Phishing attacks rely on deceiving users through social engineering, making human awareness the most effective long-term defense. Technical controls alone cannot fully compensate for a user who voluntarily provides credentials or clicks malicious links.

AUser awarenessCorrect

User awareness training is the best method because phishing is fundamentally a social engineering attack that targets human behavior rather than technical vulnerabilities. When users can recognize phishing indicators-such as spoofed sender addresses, urgency cues, and suspicious URLs-they can avoid the attack before any technical control is needed. Security awareness programs address the root cause by reducing the likelihood that a user will be successfully deceived in the first place.

BTwo-factor authentication

Two-factor authentication can limit account compromise after credentials are stolen, but it does not prevent the user from being phished or from clicking a malicious link that delivers malware.

CAnti-phishing software

Anti-phishing software can filter known malicious emails and URLs, but it is reactive and signature-dependent, meaning novel or sophisticated phishing campaigns can bypass it, leaving aware users as the last line of defense.

DPeriodic vulnerability scan

Periodic vulnerability scans identify technical weaknesses in systems and software, but phishing is a social engineering technique that exploits human trust rather than software vulnerabilities, so scanning provides no direct mitigation.

Concept tested: Social engineering mitigation through security awareness training

Source: https://www.cisa.gov/topics/cyber-threats-and-advisories/phishing

Topics

#phishing#security awareness#social engineering#user training

Community Discussion

No community discussion yet for this question.

Full CISSP Practice