Certified Information Security Manager (CISM) — Question 53
Which of the following is BEST to include in a business case when the return on investment (ROI) for an information security initiative is difficult to calculate?
Answer options
- A. Projected increase in maturity level
- B. Estimated increase in efficiency
- C. Projected costs over time
- D. Estimated reduction in risk
Correct answer: D
Explanation
An estimated reduction in risk is the best item to include because it justifies the investment in a security initiative even when ROI is difficult to calculate. The other options, while relevant, do not directly address the immediate benefits to the organization's risk profile, which makes them less effective in this context.