Welcome to ExamTopics
ExamTopics Logo
- Expert Verified, Online, Free.
exam questions

Exam CISM All Questions

View all questions & answers for the CISM exam

Exam CISM topic 1 question 5 discussion

Actual exam question from Isaca's CISM
Question #: 5
Topic #: 1
[All CISM Questions]

Which of the following is the BEST way to build a risk-aware culture?

  • A. Periodically change risk awareness messages.
  • B. Ensure that threats are communicated organization-wide in a timely manner.
  • C. Periodically test compliance with security controls and post results.
  • D. Establish incentives and a channel for staff to report risks.
Show Suggested Answer Hide Answer
Suggested Answer: D 🗳️

Comments

Chosen Answer:
This is a voting comment (?) , you can switch to a simple comment.
Switch to a voting comment New
CISSPST
Highly Voted 3 weeks, 3 days ago
According to ISACA REVIEW MANUAL, "Building a security-aware (in other words, risk-aware) culture depends on individuals in their respective roles performing their jobs in a way that protects information assets." (Page 31, 1.2 Organizational Culture). While rewards and incentives will MOTIVATE individuals to fulfill the responsibilities associated with their job-role, the CONSEQUENCES OF NON-COMPLIANCE (a low performance rating or getting fired) when reported to management will be a more COMPELLING FACTOR. Punishment trumps rewards. Consequently, employees are more likely to participate in awareness trainings and conform to organizational policies such as AUP (including use of security controls) so they do not over-step the organizational policies accidentally or intentionally. Therefore, 'Periodically test compliance with security controls and post results (a form of reporting)', is the most likely answer.
upvoted 13 times
...
TTH1019
Most Recent 2 weeks, 6 days ago
Selected Answer: D
D: "Establish incentives and a channel for staff to report risks," is the most effective approach for fostering a risk-aware culture within an organization. By establishing incentives, such as rewards or recognition, for employees to report risks, it encourages them to actively engage in identifying and communicating potential threats and vulnerabilities
upvoted 3 times
...
Viperhunter
2 weeks, 6 days ago
Selected Answer: D
Establishing incentives and a channel for staff to report risks encourages a proactive approach to risk awareness. When employees feel motivated to identify and report risks, it fosters a culture where individuals are actively engaged in risk management. Creating a supportive reporting environment, coupled with incentives, helps organizations identify potential threats and vulnerabilities more effectively. While periodically changing risk awareness messages (option A), ensuring that threats are communicated organization-wide (option B), and periodically testing compliance with security controls (option C) are valuable activities, establishing incentives and an open reporting channel directly involves and empowers employees in the risk-awareness process.
upvoted 1 times
...
dark_3k03r
2 weeks, 6 days ago
Selected Answer: D
According to CISM all in one the way to build a security culture is to: - involve personnel in discussions - lead by example - have security responsibilities in job description - include security factors in compensation - link protection to long-term org success - integrate messages - incorporate "secure by design" into the business process - Reward and recognize desired behavior and punish undesired behavior. The only one that matches these are D and B sort of. Given that one is definitive and the other is a sort of answer... I'd go with the definitive answer.
upvoted 2 times
...
vavofa5697
3 weeks, 3 days ago
Selected Answer: D
My opinion: D is the answer. Encouraging staff to identify and report potential risks can help to create a culture where security is valued and prioritized. When staff feels valued and empowered to contribute to the organization's security posture, they are more likely to be engaged and proactive in identifying and mitigating risks.
upvoted 1 times
...
RagazzoAlex
3 months ago
Selected Answer: B
awareness should start with communication. How we are expecting from the users to participate without communicating with them first
upvoted 1 times
...
oluchecpoint
1 year, 1 month ago
D. Establish incentives and a channel for staff to report risks. This approach encourages employees to actively identify and report risks or potential issues they encounter, creating a more proactive and responsive risk-aware culture.
upvoted 1 times
...
peelu
1 year, 4 months ago
Selected Answer: D
D. Establish incentives and a channel for staff to report risks.
upvoted 1 times
...
richck102
1 year, 5 months ago
D. Establish incentives and a channel for staff to report risks.
upvoted 1 times
...
BevMe
1 year, 6 months ago
Selected Answer: D
By encouraging employees to speak up, organizations can create an environment where security issues are more likely to be identified and addressed in a timely manner, while also fostering a sense of ownership and accountability among employees.
upvoted 1 times
...
Vangelis_1980
1 year, 6 months ago
Selected Answer: D
I think D is the correct answer because business employees don't care about results and it Security Manager's job to encourage reporting
upvoted 1 times
...
Mauro4
1 year, 6 months ago
People -> Process -> Technology
upvoted 1 times
...
Starfive
1 year, 7 months ago
Selected Answer: D
change the culture awareness D
upvoted 1 times
...
ccKane
1 year, 8 months ago
Establishing incentives and a channel for staff to report risks is the best way to build a risk-aware culture because it encourages employees to be proactive in identifying potential risks. When employees feel that their input is valued and that reporting risks will be rewarded, they are more likely to actively seek out and report risks. This helps to ensure that risks are identified and addressed in a timely manner, reducing the likelihood of negative impacts to the organization. Additionally, creating a culture in which reporting risks is encouraged helps to foster a culture of trust and transparency, which is essential for effective risk management.
upvoted 1 times
...
imsohoar
1 year, 9 months ago
Selected Answer: D
if you want to breed a more security aware culture you should focus on the people instead of posting results. give the employees and incentive to report security gaps. i think D is right
upvoted 2 times
...
mfourati
1 year, 10 months ago
Security wise I don't think it is a good idea to publish any non conformity to existing controls because that itself could be a vulnerability therefore , vote the answer D
upvoted 4 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
Loading ...