83.8k views
2 votes
Company leadership believes employees are experiencing an increased number of cyber attacks; however, the metrics do not show this. Currently, the company uses "Number of successful phishing attacks" as a KRI, but it does not show an increase.

Which of the following additional information should the Chief Information Security Officer (CISO) include in the report?

A. The ratio of phishing emails to non-phishing emails
B. The number of phishing attacks per employee
C. The number of unsuccessful phishing attacks
D. The percent of successful phishing attacks

2 Answers

5 votes

Final answer:

To gain a better understanding of the cyber attack situation, the CISO should include the number of unsuccessful phishing attacks in the report. This data, along with the ratio of phishing to non-phishing emails, the number of attacks per employee, and the percentage of successful attacks, will offer a more complete picture of security status. Therefore, the correct option is C: the number of unsuccessful phishing attacks.

Step-by-step explanation:

When company leadership suspects an increase in cyber attacks but metrics such as the 'Number of successful phishing attacks' do not corroborate this belief, the Chief Information Security Officer (CISO) should look for other indicators that might provide a clearer picture of the situation. Including additional information, such as the number of unsuccessful phishing attacks, can help in understanding the full scope of phishing attempts and the resilience of the company's safeguards. Another valuable metric could be the ratio of phishing emails to non-phishing emails, which gives insight into the volume of phishing attempts received relative to normal traffic.

Moreover, understanding the number of phishing attacks per employee could reveal targeted patterns or potential vulnerabilities among specific groups within the company. Lastly, calculating the percent of successful phishing attacks in comparison to the total number of attacks would enable the CISO to track the effectiveness of the attackers and the susceptibility of the company's defenses over time. In conclusion, the correct answer that the CISO should include in the report to provide additional insights into the company's cyber security status is Option C: The number of unsuccessful phishing attacks. This data, along with other suggested metrics, would give a more comprehensive understanding of the phishing threat landscape confronting the company.

User Yuna Braska
by
7.8k points
6 votes

Final answer:

The CISO should include metrics like the number of unsuccessful phishing attacks, the ratio of phishing to non-phishing emails, and the number of phishing attacks per employee. This will give a more complete picture of cyber threats. The percent of successful attacks relative to total attempts also provides insight into the current cybersecurity effectiveness.

Step-by-step explanation:

The Chief Information Security Officer (CISO) should consider including additional metrics to gain a more comprehensive understanding of the cybersecurity threats the company is facing. The current Key Risk Indicator (KRI) of 'Number of successful phishing attacks' may not fully capture the scope of the issue. Three useful additional metrics could be:

  • The number of unsuccessful phishing attacks: This information would reveal the actual volume of phishing attempts, indicating the level of threat activity even when those attempts are not successful.
  • The ratio of phishing emails to non-phishing emails: Understanding this ratio can provide insights into how targeted the company is in relation to normal email traffic.
  • The number of phishing attacks per employee: This metric can help the CISO understand if certain departments or individuals are being targeted more frequently, allowing for a more focused training and prevention effort.

Additionally, the CISO may want to report on the percent of successful phishing attacks relative to the total number of attacks. This percentage can provide a measure of the effectiveness of the current cybersecurity measures in place.

Including these additional metrics in the report could provide a broader picture of the cyber threats and help the company to better understand and manage the risks. Information from studies that focus on human factors, such as cognitive effort and decision accuracy, could also be relevant for interpreting these metrics and for designing more effective strategies to combat cyber threats.

User Murali Uppangala
by
7.1k points
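Both answers argue that the existing KRI hides a rising attack volume because it counts only successes. The script below is an added example, not part of either answer, that computes the four candidate metrics (options A to D) plus a per-department breakdown from a constructed set of mail-gateway events; the `MailEvent` field names and the two-quarter sample are assumptions for the illustration. The sample is built so that the number of successful attacks stays at 2 per quarter while the number of unsuccessful attempts climbs from 8 to 38, which is exactly the situation in the question.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class MailEvent:
    """One delivered email as recorded by a mail gateway (assumed schema)."""
    period: str        # reporting period label, e.g. "Q1"
    recipient: str     # employee identifier
    department: str
    is_phishing: bool  # flagged as phishing by the gateway or a user report
    successful: bool   # recipient clicked/submitted credentials (phishing only)


# Constructed sample: department lookup and a per-quarter plan.
DEPARTMENT = {"alice": "finance", "bob": "finance", "carol": "eng",
              "dave": "eng", "erin": "hr"}
PLAN = {
    # Q1: light, evenly spread phishing; 2 of 10 attempts succeed.
    "Q1": {"legit": 990, "phish": 10, "success": 2,
           "targets": ["alice", "bob", "carol", "dave", "erin"]},
    # Q2: four times the phishing volume, skewed toward finance,
    # but still only 2 successes, so the old KRI stays flat.
    "Q2": {"legit": 960, "phish": 40, "success": 2,
           "targets": ["alice", "bob", "alice", "bob", "carol", "dave", "erin"]},
}


def build_sample_events():
    """Expand PLAN into a flat list of constructed MailEvent records."""
    staff = list(DEPARTMENT)
    events = []
    for period, plan in PLAN.items():
        for i in range(plan["legit"]):
            rcpt = staff[i % len(staff)]
            events.append(MailEvent(period, rcpt, DEPARTMENT[rcpt], False, False))
        for i in range(plan["phish"]):
            rcpt = plan["targets"][i % len(plan["targets"])]
            events.append(MailEvent(period, rcpt, DEPARTMENT[rcpt], True,
                                    i < plan["success"]))
    return events


def kri_report(events):
    """Compute the phishing KRIs discussed in the answers, per period."""
    report = {}
    for period in sorted({e.period for e in events}):
        batch = [e for e in events if e.period == period]
        phish = [e for e in batch if e.is_phishing]
        legit = len(batch) - len(phish)
        successful = sum(1 for e in phish if e.successful)
        unsuccessful = len(phish) - successful
        headcount = len({e.recipient for e in batch})
        report[period] = {
            "successful": successful,                      # existing KRI
            "unsuccessful": unsuccessful,                  # option C
            # Option A; guarded in case a period has no legitimate mail.
            "phish_to_legit_ratio": round(len(phish) / legit, 4) if legit else None,
            "attacks_per_employee": round(len(phish) / headcount, 2),   # option B
            "success_rate_pct": (round(100 * successful / len(phish), 1)  # option D
                                 if phish else 0.0),
            "attacks_by_department": dict(Counter(e.department for e in phish)),
        }
    return report


def main():
    for period, metrics in kri_report(build_sample_events()).items():
        print(period, metrics)


if __name__ == "__main__":
    main()
```

Run as-is, the report shows `successful` equal to 2 in both quarters, while `unsuccessful` rises from 8 to 38, the phishing-to-legitimate ratio roughly quadruples, attacks per employee go from 2.0 to 8.0, and the department breakdown reveals that finance absorbs most of the Q2 increase. The success rate actually falls from 20% to 5%, which is why option D alone would make the quarter look better, not worse.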