
CISM · Question #741

CISM Question #741: Real Exam Question with Answer & Explanation

The correct answer is B: Return on investment (ROI).

Submitted by sofia.br · Apr 18, 2026 · Information Security Governance

Question

The security team is developing a business case to submit to the IT steering committee for the implementation of a fraud detection system. Including which of the following would be MOST helpful to the committee in reaching a decision?

Options

  • A. Total cost of ownership (TCO)
  • B. Return on investment (ROI)
  • C. Annual loss expectancy (ALE)
  • D. Strengths, weaknesses, opportunities and threats (SWOT)

Explanation

ROI (Return on Investment) is the most helpful metric for a steering committee making a funding decision because it directly quantifies the financial benefit of the investment relative to its cost - translating security value into business language that decision-makers use to prioritize spending.

  • TCO (A) only covers costs without showing the benefit side; it tells you what you'll spend but not what you'll gain, making it insufficient for justifying approval on its own.
  • ALE (C) estimates expected annual losses from a threat and is useful for risk analysis, but it's an input to the business case, not the decision-making metric itself - it feeds into the ROI calculation.
  • SWOT (D) is a strategic planning framework that provides qualitative context but doesn't give a committee a clear financial basis for approving or rejecting an investment.

Memory tip: Think of it this way - a steering committee is essentially asking "Is this worth our money?" Only ROI directly answers that question with a ratio of value gained versus cost. When a question involves justifying a new system to leadership, ROI is almost always the answer.

Topics

#Business Case #Financial Justification #Return on Investment #IT Governance
