The correct answer is (C.) Key risk indicators (KRIs), because the main purpose of a security program is to reduce risk. So it should be measured on its ability to reduce said risk, and that is what a KRI is designed to do.
Rationale:
(A.) Key performance indicators (KPIs) is incorrect because they measure performance efficiencies, not risk reduction.
(B.) Threat models is incorrect because it is not a form of risk measurement.
(D.) Industry benchmarks is not the correct answer because it is not organization specific.
The question is hard to pin down: is it asking about selling a program to implement, or touting the successes/benefits of a program that has already been implemented? It depends on which way you interpret this question. I chose C because if I wanted to implement a program I'd explain what our current key risks are and use a heat map.
A. Key performance indicators (KPIs)
Key performance indicators (KPIs) are typically the most effective way to communicate the benefits of an information security program to executive management. KPIs provide measurable metrics and data that can demonstrate the impact and effectiveness of the security program in a way that is easily understandable by executives.
WTH does KRI have to do with communicating benefits? Risk is a potential that can mature into an issue. If it's not an issue, reporting it does not show any benefit, since a risk is just a potential issue.
KPI is showing performance. That's the correct answer.
I guess you guys need me to define KRI: Key risk indicators are metrics that predict potential risks that can negatively impact businesses. They provide a way to quantify and monitor each risk. Think of them as change-related metrics that act as an early warning risk detection system to help companies effectively monitor, manage and mitigate risks.
KRI is in no way going to communicate the benefits of the security program to executive management. The answer is KPI, and it is also the correct answer in similar questions before this one.
C - https://blog.einnosec.com/index.php/2020/07/07/information-security-kri-kpi-relevant-to-ciso-cio-and-board-part-i/#:~:text=The%20KRIs%20are%20like%20an%20early%20warning%20system,impact%20it%20would%20have%20on%20the%20organization%E2%80%99s%20KPI.
The correct answer is A. Key performance indicators (KPIs).
Explanation: Among the options provided, Key Performance Indicators (KPIs) would most effectively communicate the benefits of an information security program to executive management. KPIs are measurable values that demonstrate the effectiveness and impact of an initiative or program.
The CISM Review Manual, 15th Edition, from ISACA (Page 58) states:
"KPIs are used to measure the achievement of strategic objectives... These metrics should be capable of measuring the extent to which the objectives are being achieved and, hence, can indicate where improvement efforts should be focused."
The question is asking about the "benefits of a security program". The only benefit is risk being appropriately managed and within the risk tolerance, which is measured/reflected by KRIs.