Certified Information Systems Security Professional (CISSP) — Question 52

What is the PRIMARY purpose of creating and reporting metrics for a security awareness, training, and education program?

Answer options

• A. Measure the effect of the program on the organization's workforce.
• B. Make all stakeholders aware of the program's progress.
• C. Facilitate supervision of periodic training events.
• D. Comply with legal regulations and document due diligence in security practices.

Correct answer: A

Explanation

The correct answer is A because the primary aim of metrics is to evaluate how effectively the program impacts the workforce's security awareness. While B, C, and D are important aspects of program management, they do not capture the essential purpose of measuring the program's impact on personnel.