nerdexam
(ISC)2

CISSP · Question #298

Which of the following countermeasures is the MOST effective in defending against a social engineering attack?

The correct answer is B. Changing individual behavior. Social engineering attacks exploit human psychology rather than technical vulnerabilities, making behavioral change the most effective countermeasure since it addresses the root cause of susceptibility.

Submitted by saadiq_pk· Mar 5, 2026Security and Risk Management

Question

Which of the following countermeasures is the MOST effective in defending against a social engineering attack?

Options

  • AMandating security policy acceptance
  • BChanging individual behavior
  • CEvaluating security awareness training
  • DFiltering malicious e-mail content

How the community answered

(27 responses)
  • A
    7% (2)
  • B
    70% (19)
  • C
    4% (1)
  • D
    19% (5)

Why each option

Social engineering attacks exploit human psychology rather than technical vulnerabilities, making behavioral change the most effective countermeasure since it addresses the root cause of susceptibility.

AMandating security policy acceptance

Mandating security policy acceptance is a compliance-based administrative control that does not guarantee employees will internalize or act on the policy, leaving human behavior unchanged against social engineering tactics.

BChanging individual behaviorCorrect

Changing individual behavior directly addresses the human element that social engineering exploits, such as susceptibility to manipulation, trust exploitation, and poor decision-making under pressure. Unlike policies or training evaluations alone, actual behavioral change means employees instinctively verify identities, question unusual requests, and resist manipulation tactics. This is the only countermeasure that modifies the attack surface itself - the human - rather than addressing symptoms or procedural compliance.

CEvaluating security awareness training

Evaluating security awareness training measures the effectiveness of a program but is an assessment activity, not a direct countermeasure; it does not itself change how individuals respond to social engineering attempts.

DFiltering malicious e-mail content

Filtering malicious e-mail content is a technical control that addresses only one delivery channel (phishing emails) and does not protect against other social engineering vectors such as vishing, impersonation, or in-person pretexting.

Concept tested: Countermeasures against social engineering human vulnerabilities

Source: https://csrc.nist.gov/publications/detail/sp/800-50/final

Topics

#social engineering#security awareness#human factors#behavioral security

Community Discussion

No community discussion yet for this question.

Full CISSP Practice