Which of the following is the BEST performance criterion for evaluating the adequacy of an
organization’s security awareness training?

A. Senior management is aware of critical information assets and demonstrates an adequate concern for their protection.
B. Job descriptions contain clear statements of accountability for information security.
C. In accordance with the degree of risk and business impact, there is adequate funding for security efforts.
D. No actual incidents have occurred that have caused a loss or a public embarrassment.
Explanation:
Inclusion in job descriptions of security responsibilities is a form of security training and helps ensure
that staff and management are aware of their roles with respect to information security. The other
three choices are not criteria for evaluating security awareness training. Awareness is a criterion
for evaluating the importance that senior management attaches to information assets and their
protection. Funding is a criterion that aids in evaluating whether security vulnerabilities are being
addressed, while the number of incidents that have occurred is a criterion for evaluating the
adequacy of the risk management program.