PrepAway - Latest Free Exam Questions & Answers

One purpose of a security awareness program is to modify:


A. employees’ attitudes and behaviors towards enterprise’s security posture.

B. management’s approach towards enterprise’s security posture.

C. attitudes of employees with sensitive data.

D. corporate attitudes about safeguarding data.

Explanation:
For an organization to achieve the desired results of its security program, it must communicate the what, how, and why of security to its employees. Security-awareness training should be comprehensive, tailored for specific groups, and organization-wide.
The goal is for each employee to understand the importance of security to the company as a whole and to each individual. Expected responsibilities and acceptable behaviors must be clarified, and noncompliance repercussions, which could range from a warning to dismissal, must be explained before being invoked.
Security-awareness training is performed to modify employees’ behavior and attitude toward security. This can best be achieved through a formalized process of security-awareness training.
Incorrect Answers:
B: It is not the purpose of security awareness training to modify management’s approach towards enterprise’s security posture.
C: It is not the purpose of security awareness training to modify attitudes of employees with sensitive data only. It should apply to all employees.
D: It is not the purpose of security awareness training to modify corporate attitudes about safeguarding data.

Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 130

