(ISC)2 Certified in Cybersecurity Practice Exam

Security awareness instruction for email users is categorized as an administrative control. This is because administrative controls are focused on policies, procedures, and training that guide the behavior of individuals in an organization. By providing security awareness instruction, organizations are not only educating users about potential threats associated with email but also instilling policies and practices designed to mitigate those threats.

For instance, training can cover topics such as recognizing phishing attempts, the importance of password management, and safe browsing habits when using email. This type of control emphasizes the human aspect of security, reinforcing how proper education and awareness can lead to more secure behaviors among users.

In contrast, the other types of controls do not apply in this context. Finite controls typically refer to specific, clearly defined actions or responses, which doesn't encapsulate the broader aim of ongoing training and awareness. Physical controls are related to tangible security measures like locks or surveillance systems, and technical controls involve hardware and software solutions like firewalls and encryption. Thus, administrative controls, through training and policy enforcement, play a vital role in shaping how users interact with email securely.