OMG so many tools relying on ChatGPT and Bard to give them answers to easy questions that require only logical thinking.
If there are more phishing attempts reported, that would mean that users are more aware of them and are able to recognize them. Meaning the training worked. On the other hand, "no reported SUCCESSFUL phishing attempts" could mean a lot of things - a coincidence, people aren't reading emails, or worse - someone fell for the phishing attempt but hasn't reported it or there was no one to report it.
In short - it's C.
A: "There have been no reported successful phishing attempts since the training started."
Option A demonstrates that the training has successfully reduced the occurrence of successful phishing attempts, which is a primary goal of security awareness programs. It directly measures the program's impact on a critical security risk, making it the most reliable indicator of effectiveness.
Options B, C, and D do not directly measure the effectiveness of the program in reducing security risks.
B. Training improves awareness, but it may not be the best indicator that the awareness program has been successful. It's like 'I have attended a CISM course, but for my employer to be assured of my knowledge, my learning has to be tested'. Potential/actual incidents are the true test of an organization's awareness levels.
A. What if my account has been compromised and I do not know it, or I just don't report it because I am afraid of the repercussions? After all, I could have given away sensitive information to an attacker despite all the awareness training!
D. Again, this only ensures that the awareness initiative has been implemented. You can't say how successful the initiative has been until it is tested.
C. The fact that users could identify phishing attempts, and had the good sense to report them, thus preempting the attacks, provides evidence of a high level of awareness.
I also pick A, because people are well trained to look out for more phishing attempts and eliminate them at their level without pushing them forward to the next level.
Option A provides the BEST evidence that a newly implemented security awareness program has been effective. A decrease in reported successful phishing attempts after training indicates that employees have become more aware of phishing attacks and how to prevent them, which is the ultimate goal of the awareness program. Option B indicates completion of the training, but it does not provide evidence of its effectiveness. Option C indicates an increase in reported phishing attempts, which may indicate that employees are more aware and vigilant, but it could also indicate that the organization is now a more attractive target. Option D indicates support from senior management, but it does not provide evidence of the program's effectiveness.
I vote A. There have been no reported successful phishing attempts since the training started.
Community vote distribution: A (35%), C (25%), B (20%), Other
fori12, 9 months, 2 weeks ago
AlexJacobson, 12 months ago
oluchecpoint, 1 year, 4 months ago
AlexJacobson, 12 months ago
Agamennore, 1 year, 4 months ago
AaronS1990, 1 year, 5 months ago
Goseu, 1 year, 5 months ago
CISSPST, 1 year, 6 months ago
chanke, 1 year, 7 months ago
wello, 1 year, 7 months ago
Abhey, 1 year, 9 months ago
richck102, 1 year, 7 months ago