The correct answer is B because a security-aware culture encourages employees, managers, and stakeholders to consistently apply secure behaviors in daily operations. Effective security practices are adopted throughout an organization when people understand their responsibilities, recognize threats, and view security as part of business operations. Business continuity measures are important for resilience, but they do not broadly drive day-to-day adoption of security practices. The latest security technologies may improve technical protection, but technology alone cannot ensure people follow secure processes. Information security metrics help monitor and report performance, but they do not by themselves create behavioral adoption. CISM emphasizes that information security governance depends on culture, leadership, communication, awareness, and accountability. A security-aware culture supports compliance with policies, timely reporting of incidents, protection of information assets, and consistent risk-based decision-making. Therefore, among the available choices, a security-aware culture best supports effective organization-wide adoption of information security practices.
[Reference: CISM Information Security Governance; security culture, awareness, communication, and organizational adoption principles.]