Which statement below is NOT true about security awareness, training,
and educational programs?

A.
Security education assists management in determining who should
be promoted.

B.
Security improves the users’ awareness of the need to protect
information resources.

C.
Awareness and training help users become more accountable for
their actions.

D.
Security education assists management in developing the in-house
expertise to manage security programs.

Explanation:
The purpose of computer security awareness, training, and education
is to enhance security by:
Improving awareness of the need to protect system resources
Developing skills and knowledge so computer users can perform
their jobs more securely
Building in-depth knowledge, as needed, to design, implement,
or operate security programs for organizations and systems
Making computer system users aware of their security responsibilities
and teaching them correct practices helps users change their
behavior. It also supports individual accountability because without
the knowledge of the necessary security measures and to how to use
them, users cannot be truly accountable for their actions. Source:
National Institute of Standards and Technology, An Introduction to Computer Security: The NIST Handbook Special Publication 800-12.