CISSP · Question #966
Which of the following is performed to determine a measure of success of a security awareness training program designed to prevent social engineering attacks?
The correct answer is B. Internal assessment of the training program's effectiveness. Measuring the success of a security awareness training program requires an internal assessment that objectively evaluates whether the training has changed employee behavior and reduced susceptibility to social engineering attacks.
Question
Which of the following is performed to determine a measure of success of a security awareness training program designed to prevent social engineering attacks?
Options
- AEmployee evaluation of the training program
- BInternal assessment of the training program's effectiveness
- CMultiple choice tests to participants
- DManagement control of reviews
How the community answered
(56 responses)- A2% (1)
- B93% (52)
- C4% (2)
- D2% (1)
Why each option
Measuring the success of a security awareness training program requires an internal assessment that objectively evaluates whether the training has changed employee behavior and reduced susceptibility to social engineering attacks.
Employee evaluation of the training program captures participant satisfaction and perceived value, not whether the training actually reduced susceptibility to social engineering threats, making it a measure of opinion rather than effectiveness.
An internal assessment of the training program's effectiveness directly measures real-world outcomes, such as reduced phishing click rates, improved incident reporting, and behavioral changes that indicate whether employees can recognize and resist social engineering attacks. This approach uses metrics like simulated phishing campaigns and security incident trends to provide quantifiable evidence of program success, rather than subjective or theoretical measures.
Multiple choice tests measure knowledge retention of training content but do not assess whether employees can apply that knowledge to identify and resist real-world social engineering attacks in practice.
Management control of reviews is an administrative oversight mechanism that ensures processes are followed, but it does not directly measure behavioral change or the reduction of social engineering risk among employees.
Concept tested: Measuring security awareness training program effectiveness
Source: https://csrc.nist.gov/publications/detail/sp/800-50/final
Topics
Community Discussion
No community discussion yet for this question.