Exam CISSP topic 1 question 100 discussion

Not D (Comply with legal regulations and document due diligence in security practices) - While compliance may be a benefit, the primary purpose of metrics is to ensure the program is working effectively, not just to check a compliance box.

This is the primary purpose of creating and reporting metrics for a security awareness, training, and education program. By measuring the program's effectiveness, organizations can: Demonstrate ROI: Justify the program's existence and secure continued funding. Identify areas for improvement: Pinpoint weaknesses in training content or delivery. Enhance security culture: Foster a culture of security awareness among employees. While the other options are important, they are secondary to the overall goal of measuring the program's impact on the workforce.

I dont see how it is A - how would taking metrics measure the impact the training had already had.

It's A, guaranteed

A. Measure the effect of the program on the organization's workforce. Creating and reporting metrics for a security awareness, training, and education program allows organizations to assess the effectiveness and impact of the program on their workforce By measuring the effect of the program, organizations can determine if their workforce is gaining knowledge, adopting desired behaviors, and applying security practices effectively.

The main point here is "Primary" which makes option A the right answer. Option D is not the primary purpose of creating and reporting metrics. While compliance with legal regulations and documenting due diligence are important, the primary purpose of metrics is to measure the effectiveness of the program in changing the behavior of the workforce.

Remember its creating and reporting - only D works with creating ...

A sounds good

A sound correct

Yep "A" sounds like a PRIMARY reason