The keyword in this question is "validate" organizational awareness. We are not just trying to improve awareness but to measure how effective current awareness really is.
CRISC-aligned guidance on awareness and monitoring emphasizes that:
Security awareness programs must be measured for effectiveness (e.g., changes in behavior, reporting, incident statistics).
Simulated social-engineering or phishing campaigns are a direct way to test whether employees recognize and handle actual attack patterns.
The MOST effective way to improve and measure security awareness after phishing incidents is to perform periodic social engineering tests and communicate the results to staff.
Phishing simulations:
Provide objective metrics: click rates, credential submission rates, reporting rates.
Directly test awareness in real-life-like conditions.
Highlight high-risk groups or departments.
Support targeted follow-up training and reporting to management.
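The metrics listed above are what a phishing simulation actually produces, so here is an added example (not from the question bank, and not CRISC or ISACA material) that turns per-recipient simulation results into click, credential-submission and reporting rates per department, flags high-risk groups, and compares two campaigns to show whether behavior changed. The result rows, the department names and the 25% click-rate tolerance are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample phishing-simulation results (not real data): one row per
# recipient per campaign. Fields: campaign id, department, whether the user
# clicked the lure, submitted credentials on the landing page, and reported
# the message to the security team.
EVENTS = [
    # campaign, department, clicked, submitted, reported
    ("Q1", "Finance", True,  True,  False),
    ("Q1", "Finance", True,  False, False),
    ("Q1", "Finance", False, False, True),
    ("Q1", "Finance", False, False, False),
    ("Q1", "IT",      False, False, True),
    ("Q1", "IT",      False, False, True),
    ("Q1", "IT",      True,  False, False),
    ("Q1", "IT",      False, False, False),
    ("Q2", "Finance", True,  False, False),
    ("Q2", "Finance", False, False, True),
    ("Q2", "Finance", False, False, True),
    ("Q2", "Finance", False, False, False),
    ("Q2", "IT",      False, False, True),
    ("Q2", "IT",      False, False, True),
    ("Q2", "IT",      False, False, True),
    ("Q2", "IT",      False, False, False),
]


def campaign_metrics(events, campaign):
    """Per-department click, credential-submission and reporting rates for one campaign."""
    counts = defaultdict(lambda: {"sent": 0, "clicked": 0, "submitted": 0, "reported": 0})
    for camp, dept, clicked, submitted, reported in events:
        if camp != campaign:
            continue
        c = counts[dept]
        c["sent"] += 1
        c["clicked"] += clicked      # bools add as 0/1
        c["submitted"] += submitted
        c["reported"] += reported
    return {
        dept: {
            "click_rate": c["clicked"] / c["sent"],
            "submit_rate": c["submitted"] / c["sent"],
            "report_rate": c["reported"] / c["sent"],
        }
        for dept, c in counts.items()
    }


def high_risk_departments(metrics, click_threshold=0.25):
    """Departments whose click rate exceeds the tolerance (threshold is an assumed value)."""
    return sorted(d for d, m in metrics.items() if m["click_rate"] > click_threshold)


def behaviour_change(events, earlier, later):
    """Change in click and report rates between two campaigns, per department.

    A falling click rate and a rising report rate are the behavior changes an
    awareness program is trying to evidence.
    """
    before = campaign_metrics(events, earlier)
    after = campaign_metrics(events, later)
    return {
        dept: {
            "click_rate_delta": after[dept]["click_rate"] - before[dept]["click_rate"],
            "report_rate_delta": after[dept]["report_rate"] - before[dept]["report_rate"],
        }
        for dept in before
        if dept in after
    }


if __name__ == "__main__":
    for camp in ("Q1", "Q2"):
        m = campaign_metrics(EVENTS, camp)
        print(camp, m, "high risk:", high_risk_departments(m))
    print("change Q1 -> Q2:", behaviour_change(EVENTS, "Q1", "Q2"))
```

On this constructed data, Finance is the only group above the tolerance in Q1; by Q2 both departments click less and report more, which is the kind of evidence a management report on awareness-program effectiveness would cite.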
Why the other options are less effective for validation:
A. Requiring two-factor authentication improves technical security but does not demonstrate whether users understand broader cyber risk.
B. Conducting security awareness training is an input activity; by itself, it does not show whether staff actually learned or changed behavior.
D. Updating the information security policy provides documented rules but does not validate whether people read, understand, or follow them.
Thus, implementing phishing simulations is the MOST effective method to validate (test and evidence) organizational awareness of cybersecurity risk, consistent with CRISC guidance on using simulated attacks and metrics to assess awareness-program effectiveness.