Certified Information Systems Auditor (CISA) — Question 314
Which of the following would BEST indicate the effectiveness of a security awareness training program?
Answer options
- A. Employee satisfaction with training
- B. Reduced unintentional violations
- C. Results of third-party social engineering tests
- D. Increased number of employees completing training
Correct answer: C
Explanation
The correct answer is C, as the results of third-party social engineering tests provide direct evidence of how well employees can apply their training in real-world scenarios. While reduced unintentional violations (B) and employee satisfaction (A) are useful indicators, they do not measure the actual effectiveness of the training as directly as the outcomes of social engineering tests. Increased completion rates (D) also do not reflect the quality of understanding or application of the training material.