Certified Information Security Manager (CISM) — Question 462
Which of the following metrics is the BEST measure of the effectiveness of an information security program?
Answer options
- A. Reduction in the amount of risk exposure in an organization
- B. Reduction in the number of threats to an organization
- C. Reduction in the cost of risk remediation for an organization
- D. Reduction in the number of vulnerabilities in an organization
Correct answer: A
Explanation
The best measure of an information security program's effectiveness is the reduction in the amount of risk exposure in an organization, because it directly reflects how well the program is managing risk, which is the program's purpose. The other options are relevant but narrower: the number of threats is largely outside the organization's control, and a lower vulnerability count or lower remediation cost describes activity or spending rather than the resulting change in risk, so none of them comprehensively indicates the program's overall effectiveness in reducing risk exposure.