Final answer:
An increase in the reporting of security incidents by employees is the most indicative element of an effective information security awareness program. It shows both awareness and engagement with security policies, more so than policy signing, session attendance, or job description inclusion.
Step-by-step explanation:
The effectiveness of an information security awareness program is best indicated by an increase in the reporting of security incidents by employees. This suggests not only awareness but also practical engagement with the security policies. Signing the information security policy (option b) reflects compliance but not necessarily active participation or understanding. Attendance at awareness sessions (option c) indicates exposure to information but does not guarantee that the information has been absorbed or will be acted upon. Lastly, while including information security responsibilities in job descriptions (option d) sets expectations, it does not measure the practical application of security principles on a day-to-day basis.
In studies such as the one conducted by Bruno & Abrahão (2012), we see the importance of human factors, such as cognitive load, on the effectiveness of security decision-making. Moreover, the massive data breach experienced by Target in 2013 emphasizes the need for effective interpretation of security alerts, which is an outcome of a robust awareness program. Therefore, the most indicative factor of an effective awareness program is the active reporting of incidents (option a), as this reflects a workforce that is not only aware but also vigilant and responsive to potential security threats.