Certified in Risk and Information Systems Control (CRISC) — Question 55
Which of the following is the BEST indicator of an effective IT security awareness program?
Answer options
- A. Decreased success rate of internal phishing tests
- B. Number of employees that complete security training
- C. Number of disciplinary actions issued for security violations
- D. Decreased number of reported security incidents
Correct answer: A
Explanation
The best indicator of an effective IT security awareness program is a decreased success rate of internal phishing tests, because it directly reflects employees' ability to recognize and respond to phishing attempts. While the number of employees completing training and the number of disciplinary actions issued are important, they do not necessarily correlate with improved real-world security practices. A decrease in reported security incidents may indicate better security, but it does not directly measure awareness effectiveness.