Certified in Risk and Information Systems Control (CRISC) — Question 281
Management has required information security awareness training to reduce the risk associated with credential compromise. What is the BEST way to assess the effectiveness of the training?
Answer options
- A. Conduct social engineering testing.
- B. Perform a vulnerability assessment.
- C. Audit security awareness training materials.
- D. Administer an end-of-training quiz.
Correct answer: A
Explanation
Social engineering testing directly assesses how well employees apply their training in real-world scenarios, making it the best measure of effectiveness. A vulnerability assessment and an audit of the training materials are useful, but neither provides direct feedback on employees' understanding and application of the training. An end-of-training quiz can gauge immediate knowledge but may not reflect long-term retention or the application of skills in practice.