Certified Information Security Manager (CISM) — Question 1234

Which of the following has the MOST influence on the information security investment process?

Answer options

• A. Security key performance indicators (KPIs)
• B. Organizational risk appetite
• C. IT governance framework
• D. Information security policy

Correct answer: B

Explanation

The organizational risk appetite determines how much risk the organization is willing to accept, which directly influences its investment decisions in information security. While security KPIs, IT governance frameworks, and information security policies are important, they are often shaped by the organization's risk appetite, making it the most significant factor in the investment process.