The best indicator of an effective IT security awareness program is the decreased success rate of internal phishing tests. Phishing is a type of social engineering attack that attempts to trick the users into revealing their personal or confidential information, or clicking on malicious links or attachments, by impersonating a legitimate entity or person. Internal phishing tests are simulated phishing attacks that are conducted by the enterprise to test the awareness and behavior of the employees in response to phishing emails. A decreased success rate of internal phishing tests means that fewer employees fall victim to the phishing attempts, and that they are more aware and vigilant of the phishing threats and techniques. A decreased success rate of internal phishing tests also implies that the IT security awareness program has effectively educated and trained the employees on how to recognize and report phishing emails, and how to protect themselves and the enterprise from phishing attacks. A decreased number of reported security incidents, a number of disciplinary actions issued for security violations, and a number of employees that complete security training are not as good indicators of an effective IT security awareness program as a decreased success rate of internal phishing tests, as they do not directly measure the awareness and behavior of the employees in relation to phishing, and may be influenced by other factors such as reporting mechanisms, enforcement policies, and training availability. References = CRISC Review Manual, 6th Edition, ISACA, 2015, page 220.

Explanation/Reference:
Explanation:
As new threats are identified and prioritized in terms of impact, the first step is to evaluate the ability of existing controls to mitigate risk associated with new threats and if it does not work then in that case facilitate the:
Modification of the technical architecture

Deployment of a threat-specific countermeasure

Implementation of a compensating mechanism or process until mitigating controls are developed

Education of staff or business partners

Incorrect Answers:
D: Applying more controls is not the good solution. They usually complicate the condition.

Explanation/Reference:
Explanation:
Each business process involves inherent risk. Not engaging in any activity avoids the inherent risk associated with the activity. Hence this demonstrates risk avoidance.
Incorrect Answers:
B: Risk treatment means that action is taken to reduce the frequency and impact of a risk.
C: Acceptance means that no action is taken relative to a particular risk, and loss is accepted when/if it occurs. This is different from being ignorant of risk; accepting risk assumes that the risk is known, i.e., an informed decision has been made by management to accept it as such.
D: Risk transfer/sharing means reducing either risk frequency or impact by transferring or otherwise sharing a portion of the risk. Common techniques include insurance and outsourcing. These techniques do not relieve an enterprise of a risk, but can involve the skills of another party in managing the risk and reducing the financial consequence if an adverse event occurs.