Certified Information Security Manager (CISM) — Question 1016
Which of the following is the MOST appropriate metric to demonstrate the effectiveness of information security controls to senior management?
Answer options
- A. Number of security vulnerabilities uncovered with network scans
- B. Percentage of servers patched
- C. Downtime due to malware infections
- D. Annualized loss resulting from security incidents
Correct answer: D
Explanation
The most suitable metric is D, as it quantifies the financial impact of security incidents, giving senior management a clear, business-level view of how effective the security controls are. Options A, B, and C are technical or operational measures; they do not directly reflect the overall impact of information security measures on the organization's finances.