The executive board has requested that the CISO define Key Performance Indicators (KPIs) to measure the effectiveness of the security awareness program. Which information would be MOST useful?
A. Annual number of help desk tickets with the word “security” in them
B. Total number of employees that reported unsuccessful social engineering attacks
C. Month-by-month percentages of employees that failed phishing tests
D. Number of alerts detected by the Security Operations Center
Comprehensive and Detailed Explanation
===========
The EC-Council CCISO program defines KPIs as metrics that demonstrate performance trends and effectiveness over time. The most useful KPI for a security awareness program is month-by-month phishing failure rates, as this directly measures behavioral improvement.
CCISO materials emphasize that awareness effectiveness is best evaluated by reduced susceptibility to attacks, not activity volume. Help desk tickets (Option A) and SOC alerts (Option D) are indirect and noisy indicators. Reporting attempts (Option B) is useful but does not show failure trends.
Phishing test failure rates provide executives with a clear, trend-based performance indicator, making Option C correct.