# Security Awareness and Training

Backlink: [[Domain 1 - Index]]

**Definition:** Programs to inform and train personnel to recognize and respond to security risks.

## Key Facts

- Awareness: broad messaging; Training: role-based skills; Education: advanced.
- Topics: phishing, social engineering, data handling, incident reporting.
- Measure via completion rates, test scores, incident trends.
- Tailor by role (developers, admins, execs, contractors).
- Refresh periodically; update after incidents.
- **Verify:** check official (ISC)² CBK and current exam outline.

>[!tip] **Exam Relevance**
> - Pick program improvements after incidents
> - Distinguish awareness vs. training vs. education

>[!note] **Mnemonic**
> - “A T E: Aware, Train, Educate.”

### Example

Q: High click rates on phish. Best next step?

A: Targeted training + simulated campaigns.

## Revision Checklist

- [ ] Define A/T/E differences
- [ ] List 4 core topics
- [ ] Identify 2 metrics
- [ ] Address contractor onboarding

## Related

[[Social Engineering and Insider Threats]] · [[Security Policy Types]] · [[Incident Response Lifecycle]] · [[Security Metrics, KPIs, and KRIs]] · [[Security Governance]]

#cisSP #domain-1 #concept