Certified Information Systems Auditor (CISA) — Question 421

An organization conducted an exercise to test the security awareness level of users by sending an email offering a cash reward to those who click on a link embedded in the body of the email. Which of the following metrics BEST indicates the effectiveness of awareness training?

Answer options

• A. The number of users forwarding the email to their business unit managers
• B. The number of users clicking on the link to learn more about the sender of the email
• C. The number of users reporting receipt of the email to the information security team
• D. The number of users deleting the email without reporting because it is a phishing email

Correct answer: C

Explanation

The correct option is C because reporting the email to the information security team demonstrates that users recognized the potential threat and acted responsibly. Options A and B do not indicate awareness of security risks; instead, they show engagement with the email. Option D, while showing some level of awareness, does not include reporting, which is crucial for improving security measures.