nerdexam
(ISC)2

CISSP · Question #966

Which of the following is performed to determine a measure of success of a security awareness training program designed to prevent social engineering attacks?

The correct answer is B. Internal assessment of the training program's effectiveness. Measuring the success of a security awareness training program requires an internal assessment that objectively evaluates whether the training has changed employee behavior and reduced susceptibility to social engineering attacks.

Submitted by naveen.iyer· Mar 5, 2026Security Operations

Question

Which of the following is performed to determine a measure of success of a security awareness training program designed to prevent social engineering attacks?

Options

  • AEmployee evaluation of the training program
  • BInternal assessment of the training program's effectiveness
  • CMultiple choice tests to participants
  • DManagement control of reviews

How the community answered

(56 responses)
  • A
    2% (1)
  • B
    93% (52)
  • C
    4% (2)
  • D
    2% (1)

Why each option

Measuring the success of a security awareness training program requires an internal assessment that objectively evaluates whether the training has changed employee behavior and reduced susceptibility to social engineering attacks.

AEmployee evaluation of the training program

Employee evaluation of the training program captures participant satisfaction and perceived value, not whether the training actually reduced susceptibility to social engineering threats, making it a measure of opinion rather than effectiveness.

BInternal assessment of the training program's effectivenessCorrect

An internal assessment of the training program's effectiveness directly measures real-world outcomes, such as reduced phishing click rates, improved incident reporting, and behavioral changes that indicate whether employees can recognize and resist social engineering attacks. This approach uses metrics like simulated phishing campaigns and security incident trends to provide quantifiable evidence of program success, rather than subjective or theoretical measures.

CMultiple choice tests to participants

Multiple choice tests measure knowledge retention of training content but do not assess whether employees can apply that knowledge to identify and resist real-world social engineering attacks in practice.

DManagement control of reviews

Management control of reviews is an administrative oversight mechanism that ensures processes are followed, but it does not directly measure behavioral change or the reduction of social engineering risk among employees.

Concept tested: Measuring security awareness training program effectiveness

Source: https://csrc.nist.gov/publications/detail/sp/800-50/final

Topics

#Security awareness training#Social engineering prevention#Program evaluation#Security metrics

Community Discussion

No community discussion yet for this question.

Full CISSP Practice