Certified in Risk and Information Systems Control (CRISC) — Question 1094

Which of the following findings of a security awareness program assessment would cause the GREATEST concern to a risk practitioner?

Answer options

• A. The program has not decreased threat counts.
• B. The program uses non-customized training modules.
• C. The program has not considered business impact.
• D. The program has been significantly revised.

Correct answer: C

Explanation

The correct answer, C, indicates a serious oversight, as not considering business impact can lead to vulnerabilities that affect the organization's overall risk posture. A does not necessarily signal a failure of the program, while B suggests a lack of personalization but not critical failure, and D points to improvements rather than issues.