Question 300 - CISA discussion
Which of the following findings should be of GREATEST concern for an IS auditor when auditing the effectiveness of a phishing simulation test administered for staff members?

A. Staff members who failed the test did not receive follow-up education.
B. Test results were not communicated to staff members.
C. Staff members were not notified about the test beforehand.
D. Security awareness training was not provided prior to the test.

Suggested answer: A

Explanation:

The IS auditor should be most concerned about the lack of follow-up education for staff members who failed the phishing simulation test. Phishing simulation tests are designed to assess how aware staff members are of phishing attacks and how susceptible they are to them, and to provide feedback and training that improves their security behavior. If staff members who failed the test do not receive follow-up education, they will not learn from their mistakes and may continue to fall victim to real phishing attacks, which could compromise the security of the organization.

The other options are less concerning for the IS auditor:

B. Test results were not communicated to staff members. This is not ideal, as staff members should receive feedback on their performance and learn from the test results. However, this does not necessarily mean that they did not receive any training or education on how to avoid phishing attacks.

C. Staff members were not notified about the test beforehand. This is a common practice for phishing simulation tests, as it mimics the real-world scenario in which staff members do not know when they will receive a phishing email. The purpose of the test is to measure their spontaneous reaction and awareness, not their preparedness or compliance.

D. Security awareness training was not provided prior to the test. This is not a major concern, as the test can serve as a baseline measurement of the current level of awareness and susceptibility of staff members, and as a starting point for providing tailored training and education based on the test results.

asked 18/09/2024
Mark Churly