Compliance-vs-security
Compliance and security overlap heavily but are not the same thing. The trap offers a compliance-flavored answer (documentation, attestation, audit) when the question is asking about the actual security control.
The Trap in One Sentence
You picked the compliance-flavored answer when the question asked for the security control. Compliance proves a posture; security creates it.
Pairs Candidates Confuse
- Proves training happened vs prevents compromise
- Proves controls existed vs detects when they fail
- Says what should happen vs makes it happen
How to Avoid It
- Compliance answers 'have we proven the control existed?'; security answers 'does the attack stop?'
- If the stem says 'the most effective at preventing X', the answer is security, not compliance.
- If the stem says 'demonstrate to auditors' or 'evidence', the answer is compliance.
Frequently Asked Questions
How do I recognize a compliance-vs-security trap in an exam question?
When one choice is documentation, attestation, training, or policy and another is an actual technical control or process, the question is testing whether you can distinguish proof-of-compliance from real security. The trap rewards the compliance-flavored answer when the stem is asking about effective defense.
What's the tell-tale stem phrasing that signals this trap?
Stems with "most effective at preventing," "strongest," "actually stops," or threat-specific language point to security mechanisms. Stems with "demonstrate," "evidence," "prove," "attest," or "audit" point to compliance. Match the verb to the answer type.
If a compliance answer and a security answer both seem to fit, how do I decide?
Compliance answers prove a control existed at a point in time. Security answers stop an attack from succeeding. "Annual training" proves training happened; "phishing-resistant MFA" prevents the attack. Match the dimension the stem asks for.
What's a real example of a compliance-vs-security trap?
Stem: "To MOST EFFECTIVELY prevent unauthorized access following credential phishing, the organization should…?" Choices: (a) require annual security-awareness training, (b) deploy phishing-resistant MFA (FIDO2/passkeys), (c) implement a written password policy, (d) conduct quarterly access reviews. (a) and (c) are compliance-flavored — they document expectations but don't stop phished credentials from being used. (b) is the security answer: passkeys can't be phished.
How is compliance-vs-security different from theory-vs-practice?
Compliance-vs-security: proof-of-control vs actual control. Theory-vs-practice: textbook ideal vs operationally feasible. They overlap when a compliance answer is the theoretical answer, but the dimension is different — compliance is about documentation/attestation, theory is about ideal design.
Why do item writers love this distractor mechanism?
Cybersecurity work is increasingly compliance-driven, and candidates often equate compliance with security. The exam discriminates in favor of candidates who understand the difference, which is also a real-world differentiator in security architecture and engineering.
Where does this trap show up most often?
CISSP across most domains (especially Domain 1 governance and Domain 6 assessment). CISM and CISA are built around it. CIPP/E for privacy-compliance vs data-protection questions. Sec+ Domain 5 (Governance) for policy-vs-control questions.
How do I deliberately drill against this archetype?
Use the trap drill linked from the section above to focus reps on this pattern. Build the verbal pattern: "compliance proves; security stops." Test every governance answer against "does this actually prevent the attack, or does it just create an artifact?"
Practice Against This Trap
6 cert-prep questions currently use this archetype as a distractor. Run a trap drill to face them in a row.
Related Traps
- Theory-vs-practice: You picked the textbook-correct answer when the scenario called for the practical/operational answer. Real-world constraints can flip the right move.
- Standard confusion: You conflated two similar standards. NIST RMF vs CSF, ISO 27001 vs 27002, SP 800-53 vs CSF — they overlap but aren't substitutes.
- Category confusion: You picked a control or concept from the wrong category. The four categories (preventive, detective, corrective, deterrent) sound interchangeable but each does a different job.