

Exam CISM topic 1 question 5 discussion

Actual exam question from Isaca's CISM
Question #: 5
Topic #: 1

Which of the following is the BEST way to build a risk-aware culture?

  • A. Periodically change risk awareness messages.
  • B. Ensure that threats are communicated organization-wide in a timely manner.
  • C. Periodically test compliance with security controls and post results.
  • D. Establish incentives and a channel for staff to report risks.
Suggested Answer: D

Comments

CISSPST
Highly Voted 1 month, 4 weeks ago
According to the ISACA REVIEW MANUAL, "Building a security-aware (in other words, risk-aware) culture depends on individuals in their respective roles performing their jobs in a way that protects information assets." (Page 31, 1.2 Organizational Culture). While rewards and incentives will MOTIVATE individuals to fulfill the responsibilities associated with their job role, the CONSEQUENCES OF NON-COMPLIANCE (a low performance rating or getting fired) when reported to management will be a more COMPELLING FACTOR. Punishment trumps rewards. Consequently, employees are more likely to participate in awareness training and conform to organizational policies such as the AUP (including use of security controls) so they do not overstep the organizational policies accidentally or intentionally. Therefore, 'Periodically test compliance with security controls and post results (a form of reporting)' is the most likely answer.
upvoted 14 times
TTH1019
Most Recent 1 month, 3 weeks ago
Selected Answer: D
D: "Establish incentives and a channel for staff to report risks" is the most effective approach for fostering a risk-aware culture within an organization. By establishing incentives, such as rewards or recognition, for employees to report risks, it encourages them to actively engage in identifying and communicating potential threats and vulnerabilities.
upvoted 3 times
Viperhunter
1 month, 3 weeks ago
Selected Answer: D
Establishing incentives and a channel for staff to report risks encourages a proactive approach to risk awareness. When employees feel motivated to identify and report risks, it fosters a culture where individuals are actively engaged in risk management. Creating a supportive reporting environment, coupled with incentives, helps organizations identify potential threats and vulnerabilities more effectively. While periodically changing risk awareness messages (option A), ensuring that threats are communicated organization-wide (option B), and periodically testing compliance with security controls (option C) are valuable activities, establishing incentives and an open reporting channel directly involves and empowers employees in the risk-awareness process.
upvoted 1 times
dark_3k03r
1 month, 3 weeks ago
Selected Answer: D
According to CISM All-in-One, the way to build a security culture is to:
  • involve personnel in discussions
  • lead by example
  • have security responsibilities in job descriptions
  • include security factors in compensation
  • link protection to long-term organizational success
  • integrate messages
  • incorporate "secure by design" into the business process
  • reward and recognize desired behavior and punish undesired behavior.
The only ones that match these are D and, sort of, B. Given that one is definitive and the other is a sort-of answer... I'd go with the definitive answer.
upvoted 2 times
vavofa5697
1 month, 4 weeks ago
Selected Answer: D
My opinion: D is the answer. Encouraging staff to identify and report potential risks can help to create a culture where security is valued and prioritized. When staff feel valued and empowered to contribute to the organization's security posture, they are more likely to be engaged and proactive in identifying and mitigating risks.
upvoted 1 times
RagazzoAlex
4 months ago
Selected Answer: B
Awareness should start with communication. How can we expect users to participate without communicating with them first?
upvoted 1 times
oluchecpoint
1 year, 2 months ago
D. Establish incentives and a channel for staff to report risks. This approach encourages employees to actively identify and report risks or potential issues they encounter, creating a more proactive and responsive risk-aware culture.
upvoted 1 times
peelu
1 year, 5 months ago
Selected Answer: D
D. Establish incentives and a channel for staff to report risks.
upvoted 1 times
richck102
1 year, 6 months ago
D. Establish incentives and a channel for staff to report risks.
upvoted 1 times
BevMe
1 year, 7 months ago
Selected Answer: D
By encouraging employees to speak up, organizations can create an environment where security issues are more likely to be identified and addressed in a timely manner, while also fostering a sense of ownership and accountability among employees.
upvoted 1 times
Vangelis_1980
1 year, 7 months ago
Selected Answer: D
I think D is the correct answer because business employees don't care about results, and it is the security manager's job to encourage reporting.
upvoted 1 times
Mauro4
1 year, 7 months ago
People -> Process -> Technology
upvoted 1 times
Starfive
1 year, 9 months ago
Selected Answer: D
Change the culture awareness: D.
upvoted 1 times
ccKane
1 year, 9 months ago
Establishing incentives and a channel for staff to report risks is the best way to build a risk-aware culture because it encourages employees to be proactive in identifying potential risks. When employees feel that their input is valued and that reporting risks will be rewarded, they are more likely to actively seek out and report risks. This helps to ensure that risks are identified and addressed in a timely manner, reducing the likelihood of negative impacts to the organization. Additionally, creating a culture in which reporting risks is encouraged helps to foster a culture of trust and transparency, which is essential for effective risk management.
upvoted 1 times
imsohoar
1 year, 11 months ago
Selected Answer: D
If you want to breed a more security-aware culture, you should focus on the people instead of posting results. Give the employees an incentive to report security gaps. I think D is right.
upvoted 2 times
mfourati
1 year, 11 months ago
Security-wise, I don't think it is a good idea to publish any non-conformity with existing controls, because that itself could be a vulnerability; therefore, I vote for answer D.
upvoted 4 times
Community vote distribution: A (35%), C (25%), B (20%), Other