(ISC)2
CISSP · Question #891
CISSP Question #891: Real Exam Question with Answer & Explanation
The correct answer is D: They quantify the effectiveness of security processes. Security metrics are measurement tools used to quantify and evaluate the performance and effectiveness of security controls and processes, enabling data-driven decision-making.
Submitted by renata2k · Mar 5, 2026 · Security and Risk Management
Question
Which of the following is the BEST reason for the use of security metrics?
Options
- A. They ensure that the organization meets its security objectives.
- B. They provide an appropriate framework for Information Technology (IT) governance.
- C. They speed up the process of quantitative risk assessment.
- D. They quantify the effectiveness of security processes.
Explanation
Security metrics are measurement tools used to quantify and evaluate the performance and effectiveness of security controls and processes, enabling data-driven decision-making.
Common mistakes.
- A. Security metrics measure and report on security performance, but they do not inherently ensure that objectives are met - that is the role of security controls, governance processes, and management oversight.
- B. IT governance frameworks (such as COBIT or ISO 38500) provide structural guidance for aligning IT with business goals; security metrics are an input to governance but do not constitute a governance framework themselves.
- C. Quantitative risk assessment relies on probability and impact data, threat modeling, and asset valuation methodologies; while metrics can inform risk assessments, accelerating the risk assessment process is not the primary purpose of security metrics.
Concept tested. Purpose and function of security metrics
Reference. https://csrc.nist.gov/publications/detail/sp/800-55/rev-1/final
Topics
#Security metrics #Performance measurement #Security effectiveness #Governance