Certified Information Security Manager (CISM) — Question 777

When developing a business case to justify an information security investment, which of the following would BEST enable an informed decision by senior management?

Answer options

• A. The information security strategy
• B. Security investment trends in the industry
• C. Losses due to security incidents
• D. The results of a risk assessment

Correct answer: D

Explanation

The results of a risk assessment (D) provide concrete data about potential vulnerabilities and threats, enabling management to understand the necessity and impact of investment. While the information security strategy (A), industry trends (B), and losses from incidents (C) offer useful context, they do not deliver the same level of detailed insight into specific risks as a risk assessment does.