Free ISC2 CC Certified in Cybersecurity Actual Exam Questions - Question 3 Discussion

Option C makes the most sense since Security Awareness Training is more of a program than a guiding principle. The others are all foundational concepts that shape security policies directly.

I’m with those who say C here. Security Awareness Training feels like a practice or process rather than a core principle. Least Privilege, Zero Trust, and Separation of Duties all describe foundational ideas guiding how security is structured, while training supports those ideas but isn’t one itself. So I’d say C.

A/C? I see why people say C, but training isn’t a principle; it’s more of a method to enforce them. Zero Trust (B) is definitely a model, but it’s based on principles like never trust, always verify.

It’s B for me. Zero Trust is more of a security model or strategy, not a standalone principle like Least Privilege or Separation of Duties. Those others are foundational rules you apply everywhere, whereas Zero Trust combines several principles into a broader approach. Security Awareness Training is definitely about people, but it supports those principles rather than being one itself.

C imo. Awareness training is definitely important but feels more like a practice or control, not a core security principle like the others that directly govern system design.

Probably B. Zero Trust feels more like a security framework or approach rather than a strict principle like Least Privilege or Separation of Duties.

Not C, because Security Awareness Training is a process, not a principle like the others.

I think C stands out here. Security Awareness Training is more of an activity or process, not a core security principle like Least Privilege or Zero Trust, which guide how systems are designed and operated. The others all seem to represent foundational ideas rather than specific actions or programs. So C feels like the odd one out based on that.

D imo, Separation of Duties is definitely a key security control but more of a policy or practice than a principle like Least Privilege or Zero Trust. The others focus on fundamental concepts guiding security design, while Separation of Duties is about how tasks are divided to prevent fraud or error. That makes D stand out as less of a “principle” per se.

C imo, because Least Privilege, Zero Trust, and Separation of Duties all deal directly with controlling access and reducing risk through technical or procedural means. Security Awareness Training is more about educating people rather than a core security principle itself. It’s important, but it doesn’t fit the same category as the others that define how security is architected or enforced.

Makes sense to say C isn’t a principle since it’s more of an action or program to raise awareness, not a core concept guiding security design. B’s Zero Trust is a broader model but still built on principles like least privilege, so it feels more foundational than training. So C fits best as the “not a principle” option here.

B/C? Zero Trust is actually a model or strategy, not a principle by itself, kinda like training. Least Privilege and Separation of Duties are classic foundational principles that guide how access is managed. So both B and C feel more like approaches or practices rather than core principles. But since training is definitely about behavior and education, while Zero Trust defines trust boundaries technically, I’d say C is less of a principle and more of a supporting practice.

C, because training supports principles but isn’t one itself.

D imo, Separation of Duties is definitely a security principle aimed at reducing risk by dividing critical tasks. Security Awareness Training (C) feels more like a program to support principles rather than a principle itself. Zero Trust (B) might be more of a framework or model, but it’s still based on core principles like never trust, always verify, so it fits better than training does.

It’s C, since training isn’t a core security principle but more of a support measure.

B/C? Zero Trust feels like a broader approach or strategy, not a strict principle, while training is definitely not a principle but more of a support activity. Either way, both seem less “principle” than A and D.

C. I agree that Security Awareness Training is more of an activity or process to improve security culture rather than a foundational principle like the other options. The other three focus on design and control concepts that directly influence system architecture and policy. So it fits better as a supportive measure, not a core principle itself.

C. Security Awareness Training is more about teaching and behavior change, not a fundamental principle that guides system security design like the others.

I’m going with C too. Least Privilege, Zero Trust, and Separation of Duties are all about controlling access and trust, which are core principles. Training is important but it’s more about educating people rather than a principle that shapes security policies directly.

It’s B for me. Zero Trust is a security framework or model, not a core principle like least privilege or separation of duties, which are foundational rules.