Certified in the Governance of Enterprise IT (CGEIT) — Question 261
An IT audit report indicates that a lack of IT employee risk awareness is creating serious security issues in application design and configuration. Which of the following would be the BEST key risk indicator (KRI) to show progress in IT employee behavior?
Answer options
- A. Results of application security testing
- B. Results of application security awareness training quizzes
- C. Number of reported security incidents
- D. Number of IT employees attending security training sessions
Correct answer: C
Explanation
The correct answer is C: the number of reported security incidents directly reflects whether IT employee risk awareness is improving in practice. Options A and B measure test and quiz results, which do not show actual changes in behavior, and D tracks attendance at training rather than the effect of that training on security outcomes.