Certified in Risk and Information Systems Control (CRISC) — Question 1263
Which of the following would be MOST helpful in assessing the risk associated with data loss due to human vulnerabilities?
Answer options
- A. Reviewing password change history
- B. Reviewing the results of security awareness surveys
- C. Conducting social engineering exercises
- D. Performing periodic access recertifications
Correct answer: C
Explanation
Conducting social engineering exercises (C) directly tests how employees respond to manipulative tactics, revealing the human vulnerabilities that could lead to data loss. Reviewing password change history (A), the results of security awareness surveys (B), and periodic access recertifications (D) can provide insights, but none of them actively simulates the human element of a security threat the way a social engineering exercise does.