Certified in Risk and Information Systems Control (CRISC) — Question 856

Which of the following is the MOST important goal of a security awareness program?

Answer options

• A. To enforce consequences related to the organization's security policy
• B. To reduce costs associated with security incidents
• C. To strengthen the security culture by changing user behavior
• D. To strengthen control performance related to regulatory requirements

Correct answer: C

Explanation

The correct answer is C because the primary aim of a security awareness program is to foster a culture of security by influencing users' behavior towards safer practices. Options A, B, and D focus on consequences, cost reduction, and regulatory compliance, which are important but secondary to the overarching goal of changing user behavior for better security.