Certified in Risk and Information Systems Control (CRISC) — Question 422

Which of the following should be the PRIMARY focus of an IT risk awareness program?

Answer options

• A. Cultivate long-term behavioral change
• B. Demonstrate regulatory compliance
• C. Ensure compliance with the organization's internal policies
• D. Communicate IT risk policy to the participants

Correct answer: A

Explanation

The correct answer is A because the primary goal of an IT risk awareness program is to foster sustainable changes in behavior that enhance security practices. While demonstrating regulatory compliance, ensuring internal policy adherence, and communicating IT risk policies are important, they are secondary to achieving a lasting behavioral shift among participants.