During an audit of an organization's information security programme, the IS auditor finds that the security awareness training completion rate is 95% but phishing simulation tests show a 30% failure rate. What should the auditor recommend?
Improving the content to be more practical and scenario-based can lead to better outcomes.
Why this answer
The gap between high training completion and poor phishing test results indicates that the training content is not effective in changing behavior. The auditor should recommend reviewing and improving the training to address the weaknesses that the phishing simulation tests revealed.