Certified Information Security Manager (CISM) — Question 99

Which of the following components of an information security risk assessment is MOST valuable to senior management?

Answer options

• A. Residual risk
• B. Return on investment (ROI)
• C. Mitigation actions
• D. Threat profile

Correct answer: A

Explanation

Residual risk is the amount of risk remaining after mitigation efforts, making it crucial for senior management to understand the potential exposure their organization faces. While Return on Investment (ROI), mitigation actions, and threat profiles are important, they do not directly indicate the remaining risk that management must be aware of when making strategic decisions.