Security awareness training — SY0-701
Learn how Security+ tests security awareness training: the NIST learning continuum levels, exam traps, and how to classify awareness vs. training scenarios.
What it is
Security awareness training is an organizational program that uses two distinct but complementary mechanisms — awareness activities and training instruction — to shape how employees recognize, avoid, and respond to security threats.
NIST SP 800-50r1 defines awareness as "the ability of the user to recognize and avoid behaviors that could compromise cybersecurity and to act wisely and cautiously to increase cybersecurity." The same source defines training as "instruction or learning activity to enhance the employee's capacity to perform specific job functions and tasks by focusing on skills, concepts, knowledge, and attitudes related to performing a job."
A security awareness training program combines both levers: awareness activities reach a broad audience and keep security top of mind, while training instruction develops the job-specific skills people need to act on what they now recognize.
Mental model
NIST SP 800-50 describes a learning continuum with three levels — awareness, training, and education — each building on the previous:
- Awareness — You notice a threat. (Broad audience, passive reception, behavioral change.)
- Training — You know how to handle it. (Role-specific, active skill-building, job performance.)
- Education — You understand why it works that way. (Specialists, multidisciplinary, strategic vision.)
A security awareness training program explicitly spans the first two levels. It is not a single event; it is an ongoing organizational capability.
When to use it
The exam tests whether candidates can distinguish the three levels of the continuum. Use this table to sort scenario details into the correct level:
| Feature | Awareness | Training | Education |
|---|---|---|---|
| NIST SP 800-50 description | Focuses attention on security; learners passively receive information | Produces relevant and needed security skills and competencies by practitioners | Integrates skills into a common body of knowledge; multidisciplinary study |
| Audience | All employees, broad reach | Practitioners of relevant functional specialties | Security specialists and professionals |
| Learner mode | Passive reception | Active skill-building | Analytical, integrative |
| Goal | Recognize and avoid risky behavior | Perform specific job functions securely | Vision and pro-active response |
| Example delivery | Poster, newsletter, short video | Hands-on workshop, role-based exercise | Degree program, professional certification curriculum |
When a scenario describes reaching all employees with a simple message about clicking suspicious links, that is awareness. When it describes teaching the helpdesk team to verify caller identity before resetting passwords, that is training.
Common misconception
The exam exploits the assumption that "security awareness training" is a single, uniform activity applied the same way to everyone.
NIST SP 800-50 explicitly distinguishes the two: "In awareness settings, the learner is the recipient of information, whereas the learner in a training environment has a more active role." Candidates who treat awareness and training as synonyms will misread scenario cues. A program that reaches all employees with a phishing-recognition video is delivering awareness — not training — even if the organization labels it "security awareness training" in its policy documentation.
A second trap: equating security awareness training with phishing simulations. Phishing simulations are one delivery mechanism that can support an awareness activity (recognizing a threat) or a training exercise (practicing the correct response procedure). The simulation is not the program — it is one tool within it.
How it shows up on the exam
Questions targeting this concept ask candidates to classify a described activity into the correct level of the learning continuum, or to select the appropriate program component for a given organizational gap.
Cognitive signals to watch for:
- The scenario describes an organization-wide communication about a new threat — this points toward awareness, because NIST SP 800-50 describes awareness as "focusing attention on security concerns" for broad audiences.
- The scenario describes building a specific procedural skill in a defined job role — this points toward training, which NIST SP 800-50r1 says is "designed to change what employees know and how they work."
- A scenario mentions specialists developing policy, integrating security principles across disciplines, or producing strategic recommendations — this points toward education, the level NIST SP 800-50 reserves for "IT security specialists and professionals capable of vision and pro-active response."
Candidates should read carefully for the audience scope (all staff vs. role-specific vs. specialist), the learner mode (passive vs. active), and the outcome described (recognition vs. skill vs. understanding).
Related concepts
- Phishing simulation — a common delivery mechanism used within awareness and training programs to test recognition and response to social engineering attempts
- Insider threat awareness — a topic area frequently addressed by security awareness programs, targeting the risk that authorized insiders may cause harm wittingly or unwittingly
- Security governance — the oversight layer that sets policy mandating security awareness training and measures its effectiveness across the organization
Sources
Every claim on this page traces to the public exam blueprint and official documentation: