Exam CRISC topic 1 question 1631 discussion

Data exfiltration attempts are a direct indicator of the effectiveness of security awareness controls. If employees are not aware of the risks of clicking on malicious links or sharing sensitive information, they are more likely to fall victim to social engineering attacks and data breaches. A high number of data exfiltration attempts suggests that security awareness controls are not working effectively. While the other options may also provide valuable information, the number of data exfiltration attempts is the most direct and relevant metric for assessing the effectiveness of security awareness controls.

The metric that would be most helpful to management in understanding the effectiveness of the organization’s security awareness controls is: B. Number of employees who have not completed training. This metric directly reflects engagement and compliance with the security awareness program. A lower number of employees who have not completed training indicates higher participation and potentially greater awareness of security practices among staff. This metric helps management assess the reach and uptake of the security awareness program, which is crucial for its effectiveness. Effective security awareness training is a key factor in reducing security incidents, as it equips employees with the knowledge and skills to recognize and respond appropriately to security threats.