1. What is the PRIMARY goal of a security awareness training program?

Explanation:

• ✅ C is correct: The main goal is to foster a culture where stakeholders understand and manage risk appropriately.

• A is incorrect: Compliance is a secondary benefit, not the primary goal.

• B is incorrect: While it may reduce help desk calls, that’s not the main purpose.

• D is incorrect: Training on software use is not the focus of security awareness.

2. Which of the following BEST defines risk appetite?

Explanation:

• ✅ B is correct: Risk appetite is about how much risk the organization is willing to accept.

• A is incorrect: Legal limits are constraints, not appetite.

• C is incorrect: This refers to risk inventory, not appetite.

• D is incorrect: This relates to control effectiveness, not risk appetite.

3. What is the MOST effective way to measure the success of a security awareness program?

Explanation:

• ✅ B is correct: A reduction in incidents shows real behavioral change.

• A and C are activity metrics, not outcome-based.

• D is a method, not a measure of success.

4. Who should be involved in defining an organization’s risk tolerance?

Explanation:

• ✅ C is correct: Risk tolerance must align with business objectives, requiring input from leadership and stakeholders.

• A and B are too narrow.

• D may provide input but should not define it.

5. Which of the following BEST describes control effectiveness?

Explanation:

• ✅ B is correct: Effectiveness is about how well a control mitigates risk.

• A is about cost-efficiency, not effectiveness.

• C is quantity, not quality.

• D is about monitoring, not effectiveness itself.

6. What is the PRIMARY reason to align risk appetite with business objectives?

Explanation:

• ✅ C is correct: Alignment ensures that risk-taking supports business goals.

• A is unrealistic—risks can’t be eliminated.

• B is a benefit, not the primary reason.

• D is unrelated.

7. Which of the following is the BEST indicator that a risk-aware culture is being adopted?

Explanation:

• ✅ B is correct: Proactive behavior shows awareness and engagement.

• A may indicate poor controls.

• C and D are not cultural indicators.

8. What is the BEST approach to evaluate the effectiveness of existing controls?

Explanation:

• ✅ B is correct: Control self-assessments help determine if controls are working as intended.

• A is for impact, not control evaluation.

• C is unrelated.

• D may not improve effectiveness.