Certified Information Security Manager (CISM) — Question 990
Which of the following should be the PRIMARY objective for creating a culture of security within an organization?
Answer options
- A. To obtain resources for information security initiatives
- B. To reduce risk to acceptable levels
- C. To prioritize security within the organization
- D. To demonstrate control effectiveness to senior management
Correct answer: B
Explanation
The correct answer is B. A security culture exists so that employees make day-to-day decisions that keep risk within the tolerance the organization has set; reducing risk to an acceptable level is therefore the primary objective, and it is the yardstick by which the culture's success is judged. The other options describe means or by-products rather than the end goal: obtaining resources (A) and prioritizing security (C) are how a security culture is built and sustained, not why, and demonstrating control effectiveness to senior management (D) is a reporting outcome that follows from reduced risk rather than the reason for fostering the culture.