# Security Culture and Awareness

One-sentence definition: Organization-wide behaviors and beliefs that prioritize secure actions through training, reinforcement, and leadership example.

## Key Facts

- Program elements: role-based training, phishing sims, just-in-time prompts.
- Align content to risks (e.g., social engineering, data handling).
- Measure via completion, phishing fail rate, reporting rate (KPI/KRI).
- Positive reinforcement beats punitive-only approaches.
- Leadership modeling and communications shape culture.
- Integrate into onboarding, change, and incident lessons learned.
- **Label:** **Human layer** control; cost-effective risk reduction.
- **Verify:** check official (ISC)² CBK and current exam outline.

## Exam Relevance

- Choose controls that improve human behavior and reduce risk.

**Mnemonic:** “Teach, Test, Tune.”

## Mini Scenario

Q: Repeated phishing clicks—most impactful next step?

A: Targeted training + simulated phishing + positive feedback loop.

## Revision Checklist

- List 3 program elements.
- Name 2 metrics that show improvement.
- Link a top risk to a training module.

## Related

[[Acceptable Use Policy (AUP)]] · [[Control Types and Categories]] · [[Compliance and Regulatory Concepts]] · [[Security Governance]] · [[Threat vs Vulnerability vs Risk]] · [[Domain 1 - Index]]