Certified Information Systems Auditor (CISA) — Question 1188
Which of the following BEST enables an organization to determine the effectiveness of its information security awareness program?
Answer options
- A. Measuring user satisfaction with the quality of the training
- B. Evaluating the results of a social engineering exercise
- C. Reviewing security staff performance evaluations
- D. Performing an analysis of the number of help desk calls
Correct answer: B
Explanation
Option B is correct: evaluating the results of a social engineering exercise directly tests the effectiveness of the awareness program by simulating real-world attacks. The other options, while useful, do not provide direct insight into how security-aware users actually are in a practical scenario.