Cybersecurity Threat Assessment and Metrics Report

Additional Information for CISO Report

Question

Company leadership believes employees are experiencing an increased number of cyber attacks; however, the metrics do not show this.

Currently, the company uses 'Number of successful phishing attacks' as a KRI, but it does not show an increase.

Which of the following additional information should the Chief Information Security Officer (CISO) include in the report?

Answers

Explanations

A. B. C. D.

C.

The Chief Information Security Officer (CISO) should include option B, "The number of phishing attacks per employee," in the report. This metric will provide a more accurate representation of the level of risk and will help the CISO identify if there has been an increase in attacks.

Option A, "The ratio of phishing emails to non-phishing emails," does not provide any useful information regarding the success of attacks. It only shows the proportion of phishing emails in comparison to non-phishing emails.

Option C, "The number of unsuccessful phishing attacks," is also not a useful metric. It only shows the number of times an attack was not successful, and does not provide any information about the level of risk the company faces.

Option D, "The percent of successful phishing attacks," is related to the current KRI, but it still does not provide a complete picture of the level of risk. It only shows the success rate of the attacks, but not the number of attacks or the number of employees affected.

By measuring the number of phishing attacks per employee, the CISO can get a better understanding of the risk faced by individual employees and the company as a whole. If the number of attacks per employee is increasing, it indicates that employees are becoming more vulnerable to attacks, and additional security measures may be necessary. Additionally, this metric can help the CISO to identify which departments or individuals are at a higher risk and take proactive measures to mitigate the risk.