Certified in Risk and Information Systems Control (CRISC) — Question 591
Which of the following should be the PRIMARY goal of developing information security metrics?
Answer options
- A. Identifying security threats
- B. Ensuring regulatory compliance
- C. Enabling continuous improvement
- D. Raising security awareness
Correct answer: C
Explanation
The primary goal of developing information security metrics is to enable continuous improvement, because metrics help organizations assess their security posture and make informed decisions about future enhancements. While identifying threats, ensuring compliance, and raising awareness are important, they are secondary to the overarching aim of fostering ongoing improvement in security practices.