Certified Information Security Manager (CISM) — Question 1013
An organization implemented a number of technical and administrative controls to mitigate risk associated with ransomware. Which of the following is MOST important to present to senior management when reporting on the performance of this initiative?
Answer options
- A. The number and severity of ransomware incidents
- B. The total cost of the investment
- C. Benchmarks of industry peers impacted by ransomware
- D. The cost and associated risk reduction
Correct answer: D
Explanation
D is the correct answer because it presents the financial investment in relation to the reduction of risk, which shows the effectiveness of the initiative. Options A and C focus on incidents and peer comparisons, which do not directly reflect the success of the controls implemented. Option B, while informative about costs, does not convey the effectiveness of the risk mitigation efforts.