Isaca
CISA · Question #52
CISA Question #52: Real Exam Question with Answer & Explanation
The correct answer is C: Outcome metrics for the program are established. Establishing outcome metrics is crucial for an effective security awareness program to measure its success and identify areas for improvement.
Submitted by fatema_kw · Apr 18, 2026 · Protection of Information Assets
Question
Which of the following is MOST important to ensure when developing an effective security awareness program?
Options
- A. Phishing exercises are conducted post-training.
- B. Training personnel are information security professionals.
- C. Outcome metrics for the program are established.
- D. Security threat scenarios are included in the program content.
Explanation
Establishing outcome metrics is crucial for an effective security awareness program to measure its success and identify areas for improvement.
Common mistakes.
- A. Phishing exercises are a valuable component for testing and reinforcing training, but without metrics, their effectiveness cannot be fully assessed.
- B. While having information security professionals conduct training is beneficial, effective training also relies on pedagogical skills, and the most important aspect is measuring if the training actually changes behavior, which metrics provide.
- D. Including security threat scenarios in content is good practice for relevance and engagement, but without measuring the outcome, the effectiveness of this content remains unknown.
Concept tested. Security awareness program effectiveness measurement
Topics
#Security Awareness Program #Program Effectiveness #Metrics #Information Security Management