Certified Information Security Manager (CISM) — Question 467
Which of the following provides the BEST evidence that a newly implemented security awareness program has been effective?
Answer options
- A. There have been no reported successful phishing attempts since the training started.
- B. Employees from each department have completed the required training.
- C. There has been an increase in the number of phishing attempts reported.
- D. Senior management supports funding for ongoing awareness training.
Correct answer: C
Explanation
The correct answer is C because an increase in reported phishing attempts indicates that employees are more aware and vigilant, so more incidents are being recognized and reported. Option A, no reported successful phishing attempts, does not measure awareness effectiveness. Option B shows only that training was completed, not its impact. Option D reflects management support but does not demonstrate the program's efficacy.