Certified Information Security Manager (CISM) — Question 332

Which of the following metrics BEST measures the effectiveness of an organization’s information security program?

Answer options

• A. Return on information security investment
• B. Number of information security business cases developed
• C. Reduction in information security incidents
• D. Increase in risk assessments completed

Correct answer: C

Explanation

The best measure of an information security program's effectiveness is the reduction in information security incidents, as it directly reflects improvements in security practices and risk management. The other options, while relevant, do not provide a direct measure of security performance. For instance, return on investment and the number of business cases do not necessarily correlate with improved security outcomes.