CompTIA CASP+ (CAS-003) — Question 177
Company leadership believes employees are experiencing an increased number of cyber attacks; however, the metrics do not show this. Currently, the company uses `Number of successful phishing attacks` as a KRI, but it does not show an increase.
Which of the following additional information should the Chief Information Security Officer (CISO) include in the report?
Answer options
- A. The ratio of phishing emails to non-phishing emails
- B. The number of phishing attacks per employee
- C. The number of unsuccessful phishing attacks
- D. The percent of successful phishing attacks
Correct answer: C
Explanation
The correct answer is C, as understanding the number of unsuccessful phishing attacks can provide insight into the effectiveness of the organization's defenses and training. Options A and B do not directly address the leadership's concern about the increased threat level, while option D merely reiterates the existing KRI without adding new insight.