Exam CISSP topic 1 question 107 discussion

Its B not C

You have to wonder who/how ExamTopics answering these questions! It appears they didn’t even do simple research for providing answers.

It's a tricky QUESTION, but the answer is B.

Answer B) More... If users are more aware, then they should be reporting MORE instances of phishing attempts.

C. Fewer incidents of phishing attempts are being reported. For those selecting B, you are mistaken. I understand your logic, you're thinking that employees will report more phishing attemps when they are more away but your approach of looking at it is flawed. When an awareness program is effective, employees will have fewer security incidents. There is a difference between a security event and a security incident. An incident usually means that the phishing event was successful and as such an incident that needs to be contained or mitigated. C. is the correct answer because fewer incidents will be reported because the phishing attempt events will not be successful to become incidents. I hope this makes sense to you. You have to be able to distinguish between a phishing event and a phishing incident. There is a difference between an event and an incident. Not all security events are incidents.

B. This is the goal of phishing awareness program.

B is correct The objective of awareness training is to change user behavior and if the number of phising incident that have reported is increased means that the awareness program has succeeded

Here most of the people have misunderstood the word Incident and have voted for C. According to NIST, an Incident is An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies. Simply, a security incident is an event that may indicate that an organization's systems or data have been compromised. So fewer incidents of phishing attempts are being reported means that the awareness training are success.

More aware means being able to identify and report.

C. Fewer incidents of phishing attempts are being reported. An effective security awareness training module should lead to a decrease in successful phishing attempts, as users become more vigilant and cautious about identifying and reporting phishing attempts.

I go with B. After users awareness they are to be more vigilant and report more incidents. Whether those incidents are true or not it is a different story, but the fact they are more suspicious and they would report more incidents.

The incident is the keywords. Fewer incident means successful phishing reduced.

C. Fewer incidents of phishing attempts are being reported.

Sure seems like B. I get these phishing emails at work and click on "report phishing". Although, I now just ignore them since it's obvious to me this is phishing. My employer doesn't care though, but others take the report very seriously and can terminate you if you ignore. So this question actually has both B and C as answers, depending on the situation.

C is correct. It's all about wording. "fishing attempts" leads us to answer B. But the scenario does not state if these attempts were successful or not. The word "incident" is the key. An incident indicates that the security event "fishing attempt" already had an negative effect on the organization - the fishing attempt was successful. This is why a successful awareness campaign should lead to FEWER incidents.

It would be C ,Since ,it is effective result

C. Correct answer Fewer incidents of phishing attempts are being reported is an indicator that a company's new user security awareness training module has been effective. This suggests that the employees are becoming more aware of phishing attempts and are therefore less likely to fall for them.