Following a recent network intrusion, a company wants to determine the current security awareness of all of its employees. Which of the following is the BEST way to test awareness?
A. Conduct a series of security training events with comprehensive tests at the end
B. Hire an external company to provide an independent audit of the network security posture
C. Review the social media of all employees to see how much proprietary information is shared
D. Send an email from a corporate account, requesting users to log onto a website with their enterprise account
Maybe B. Hire an external company to provide an independent audit of the network security posture ?
Employee awareness is part of the network security posture; but that seems like overkill. However, this is a reasonable answer, given the poor choices available.
Answer is D. Firstly, answer A wouldn't assess the company's current awareness if you are training them first. Also, for D, phishing campaigns are something most companies do very regularly in the real world as an easy way to assess awareness.
Good points. But, a phishing campaign would only test one area of employee security awareness. It would only test whether employees know better than to click on an insecure link. There are *many* other aspects of employee security awareness. For example: what about phone calls from a social engineering scam? Or what about a social engineering attack where the attacker dresses as a copier technician? What about what can be posted to social media? There are many other things to test besides phishing awareness.
The only reason I wouldn't pick A (Training Event) is if the company wanted to assess their awareness "as it is today" and not "after they've been trained". In that way, pulling a stunt like trying to get them to use their creds incorrectly (Answer D) might be a "gotcha" way to assess them?
You make some good points, I upvoted your post.
But D seems to test only one aspect of employee security awareness.
I may reconsider: B. Hire an external company to provide an independent audit of the network security posture
I agree that none of the answers really seem to have anything to do with the question "How should a company assess its employees' security awareness?" but A is the only one that sort of like even attempts to answer it.
Maybe: A. Conduct a series of security training events with comprehensive tests at the end?
The question asks how to test awareness of the employees, not the network security posture.
I suppose the employee awareness is part of the network security posture; but that seems like overkill. I think A may be a better answer.
upvoted 2 times
Community vote distribution: A (35%), C (25%), B (20%), Other