which of the following techniques would be most effective in determining whether end-user security training would be beneficial?