Certified Information Security Manager (CISM) — Question 633
Management decisions concerning information security investments will be MOST effective when they are based on:
Answer options
- A. a process for identifying and analyzing threats and vulnerabilities.
- B. the formalized acceptance of risk analysis by management.
- C. the reporting of consistent and periodic assessments of risks.
- D. an annual loss expectancy (ALE) determined from the history of security events.
Correct answer: C
Explanation
The correct answer, C, highlights that consistent and periodic risk assessments, reported to management, give decision-makers a reliable and current basis for deciding where to invest in security. Option A describes only the process of identifying and analyzing threats and vulnerabilities, and option B describes management's formal acceptance of a risk analysis; neither by itself supplies the regular reporting that keeps investment decisions aligned with the current risk picture. Option D relies on an ALE derived from historical security events, and past loss data may not reflect current risks.