Certified Information Systems Auditor (CISA) — Question 793

The MOST important measure of the effectiveness of an organization's security program is the:

Answer options

• A. comparison with critical incidents experienced by competitors.
• B. adverse impact of incidents on critical business activities.
• C. number of vulnerability alerts escalated to senior management.
• D. number of new vulnerabilities reported.

Correct answer: B

Explanation

The correct answer, B, focuses on the adverse effects that security incidents have on critical business operations, which is a direct measure of security effectiveness. In contrast, A, C, and D measure indirect factors that do not directly reflect the security program's impact on the organization’s ability to maintain its core functions.