After several employees clicked on a realistic phishing email, management wants a control that both improves user behavior and gives the security team a way to measure improvement over time. Which approach is best?
Simulated phishing with feedback and training improves behavior and provides measurable results across multiple campaign rounds.
Why this answer
Simulated phishing campaigns with immediate feedback and follow-up training directly address user behavior by providing a safe, controlled environment where employees can learn to recognize phishing attempts. This approach also gives the security team measurable metrics (e.g., click rates over time) to track improvement, aligning with the goal of both behavioral change and quantifiable assessment.
Exam trap
CompTIA often tests the distinction between passive administrative controls (such as policies or reminders) and controls that produce both behavioral change and measurable outcomes; candidates are tempted to pick a simple policy reminder (Option A) instead of a proactive, data-driven approach such as simulated phishing.
How to eliminate wrong answers
Option A is wrong because a company-wide reminder is a one-time, passive communication that does not provide measurable data or actively change user behavior through practice and reinforcement.
Option C is wrong because blocking all external email is an overly restrictive technical control that disrupts legitimate business communication and does not improve user awareness or provide a metric for behavioral improvement.
Option D is wrong because requiring weekly password changes does not address phishing susceptibility, can lead to weaker password practices (e.g., predictable patterns), and provides no direct feedback or measurement of phishing awareness.