Certified in Risk and Information Systems Control (CRISC) — Question 1235
Which of the following metrics would be MOST helpful to management in understanding the effectiveness of the organization’s security awareness controls?
Answer options
- A. Number of false positive alerts in a given time frame
- B. Number of employees who have not completed training
- C. Number of data exfiltration attempts
- D. Number of malware incidents identified on a system
Correct answer: B
Explanation
The correct answer is B because the number of employees who have not completed training directly reflects the effectiveness of security awareness initiatives. Options A, C, and D focus on incidents and alerts rather than on the level of training engagement, which is crucial for assessing the effectiveness of awareness controls.