Certified Information Security Manager (CISM) — Question 40
Which of the following is the BEST way to build a risk-aware culture?
Answer options
- A. Periodically change risk awareness messages.
- B. Ensure that threats are communicated organization-wide in a timely manner.
- C. Periodically test compliance with security controls and post results.
- D. Establish incentives and a channel for staff to report risks.
Correct answer: D
Explanation
Establishing incentives and a reporting channel for staff to communicate risks creates an open environment in which employees feel valued for their contribution to risk management. The other options may raise risk awareness, but they do not directly empower employees to act on and report risks, which is essential to a proactive risk-aware culture.