Ensuring repeatability is important when selecting an information security metric, but it is not the most important factor. Repeatable metrics provide consistent and reliable data, which is crucial for tracking progress over time and making comparisons. However, repeatability alone is not enough to ensure that the metric is useful and meaningful. Aligning the metric to the IT strategy and ensuring that it supports the overall objectives of the organization is more critical, as this will ensure that the metric provides relevant and valuable information that can be used to drive meaningful improvements in information security.
I respectfully disagree. A security metric should align to business strategy, but not every security metric need align to IT strategy. For example, security resource management (metric: cost per user for security services) is integral to business strategy but is not impacted by and does not impact IT strategy.
Answer is Repeatability.
Looks like a semi-trick question. IT strategy is too narrow of a focus, as CISSPST mentions. Metrics can be used for many things. However, without repeatability the metric is worthless.
B is the best answer because when an information security metric is "aligned to the IT strategy," it means that the metric directly reflects and supports the overall goals and objectives of the organization's IT strategy, ensuring that security efforts are focused on protecting the most critical business assets and aligning with the broader IT roadmap.
While IT strategy encompasses the broader implementation of technology within an organization to meet its goals, the security strategy specifically focuses on protecting the organization's information and technology assets from threats and vulnerabilities. Ideally, information security metrics should align with the security strategy, which in turn should be developed in alignment with both the IT strategy and the overarching business objectives.
Given the context of the available options and considering the importance of the security focus, the priority shifts to ensuring the metrics are not only aligned but also practical and actionable. Since "aligning to the security strategy" is not explicitly provided as an option, the focus should indeed revert to the fundamental qualities that make a metric useful for security purposes.
Thus, option A (ensuring the metric is repeatable) becomes significant.
B. Metrics should be SMART: Specific, Measurable, Attainable, Relevant and Timely. Aligning the metric with your strategy makes it more relevant is the logic I used.
I would say A but AIO 2nd means B
A formal metrics program provides qualitative and quantitative data on the effectiveness of many elements of an organization's security program and operations. Metrics can be developed via the SMART method: specific, measurable, attainable, relevant, and timely. Metrics must align with the organization's mission, strategy, and objectives. Some metrics can be used to report on results in the recent past, but some metrics should serve as leading indicators or drive a call to action by the leadership team.

Strategic Alignment

For a security program to be successful, it must align with the organization's mission, strategy, goals, and objectives. A security program strategy and objectives should contain statements that can be translated into key measurements: the program's key performance and risk metrics.
B. Aligning the metric to the IT strategy
When selecting an information security metric, it is most important to align the metric with the overall IT strategy and business objectives. This ensures that the metric is relevant and meaningful in the context of the organization's goals. Metrics should be tied to specific objectives and key performance indicators (KPIs) that support the strategic direction of the organization.
When selecting an information security metric, the most important consideration is to ensure that the metric is repeatable.
A repeatable metric is one that can be consistently and reliably measured over time. It should be based on well-defined criteria, standardized measurement methods, and clear data collection processes. By having a repeatable metric, organizations can track and compare security performance consistently, identify trends, and measure progress towards security goals effectively.
When a metric is measured quantitatively, it simply means it is measurable and can be evaluated, and will help proper investment in information security.
Selected Answer: D
The most important thing about metrics is that they are tracking what matters to the business. With this in mind (B) is the correct answer.
Rationale:
A. It is great to have consistency, but it doesn't matter if it doesn't track anything meaningful.
(C) and (D) are different ways of measuring things. One isn't better than the other, but again... they need to measure something meaningful which is (B).
When selecting an information security metric, it is MOST important to define the metric in quantitative terms (Option D). This means that the metric should be measurable and expressed in numerical values.
Quantitative metrics use numerical data to measure and report on specific aspects of information security, such as the number of incidents, the time taken to resolve an issue, or the percentage of systems that are compliant with security policies.
CISM AIO 2nd - Security metrics are often used to observe technical IT security controls and processes and determine whether they are operating properly.
Community vote distribution: A (35%), C (25%), B (20%), Other