Certified Information Security Manager (CISM) — Question 1080

Which of the following metrics BEST demonstrates the effectiveness of an organization's security awareness program?

Answer options

• A. Percentage of employee computers and devices infected with malware
• B. Percentage of employees who regularly attend security training
• C. Number of security incidents reported to the help desk
• D. Number of phishing emails viewed by end users

Correct answer: C

Explanation

The correct answer, C, is effective because it reflects the organization's ability to recognize and report security threats, indicating awareness. Options A and D are less relevant as they measure issues rather than awareness, while B, although important, does not directly correlate to the outcomes of the training provided.