Certified Information Security Manager (CISM) — Question 1076
Which of the following is MOST likely to improve an organization's security culture?
Answer options
- A. Involving stakeholders in security planning
- B. Enforcing penalties for security incidents
- C. Communicating security incidents within the industry
- D. Incentivizing managers based on security metrics
Correct answer: A
Explanation
Involving stakeholders in security planning fosters a sense of ownership and accountability, which is crucial for building a strong security culture. While imposing penalties may deter some behaviors, it does not promote a proactive security mindset. Communicating incidents and incentivizing managers based on metrics can help, but they do not engage the broader organization as meaningfully as stakeholder involvement does.