Question 21
Which objective is best to measure the effectiveness of password policy?
Correct answer: D
Explanation
A password policy is effective when it is enforced at the point of creation, so newly created account credentials must satisfy the required complexity, length, and reuse rules. Measuring whether new accounts meet those requirements directly shows the policy is being applied, unlike broader outcomes that may be influenced by user behavior or legacy accounts.
Why each option is right or wrong
A. The number of related incidents decreases.
B. Attempts to log in with weak credentials increase.
C. The number of related incidents increases.
D. Newly created account credentials satisfy requirements.
Under common password-policy controls, the enforceable test is at credential creation or change, where the system must validate minimum length, complexity, and reuse restrictions before the account is activated. Measuring whether newly created account credentials meet those requirements directly checks compliance with the policy at the control point; broader metrics such as breach rates or user complaints do not prove the policy is being applied to each new account.