Company leadership believes employees are experiencing an increased number of cyber attacks; however, the metrics do not show this. Currently, the company uses “Number of successful phishing attacks” as a KRI, but it does not show an increase.
Which of the following additional information should be the Chief Information Security Officer (CISO) include in the report?
A . The ratio of phishing emails to non-phishing emails
B . The number of phishing attacks per employee
C . The number of unsuccessful phishing attacks
D . The percent of successful phishing attacks
Answer: D