Certified Information Security Manager (CISM) — Question 1214
Which of the following metrics provides the BEST measurement of the effectiveness of a security awareness program?
Answer options
- A. Variance of program cost to allocated budget
- B. The number of security breaches
- C. Mean time between incident detection and remediation
- D. The number of reported security incidents
Correct answer: D
Explanation
The number of reported security incidents (D) directly reflects how well employees understand and apply security practices, and so indicates the program's effectiveness. The number of security breaches (B) and the mean time between incident detection and remediation (C) are important, but they do not assess awareness as directly as reported incidents do. The variance of program cost to allocated budget (A) does not measure awareness at all.