Exam CISM topic 1 question 174 discussion

Senior management is most concerned about ROI, which includes any impact to the residual risk brought on by the investment.

B. Return on investment (ROI). Guys this is what is most important to senior management. Senior management is looking at the results on the overall business. What is the return on the company's investment in said program. The ROI is key metric that senior management reviews to determine if an activity in the business was worth it or not.

A. Residual risk Residual risk refers to the level of risk that remains after mitigation measures have been implemented. Senior management is primarily concerned with understanding the overall risk exposure and what risks are still present even after taking preventive and mitigative actions. This information helps them make informed decisions about resource allocation, risk tolerance, and strategic planning.

A. Residual risk

A. Residual risk is considered the most valuable component of an information security risk assessment to senior management according to ISACA. It allows them to understand the remaining level of risk after mitigation actions have been implemented, and make informed decisions about how to allocate resources to further reduce risk.

A is correct

D. Threat profile Threat Profile gives you a composite picture of the most important and relevant cyber threats to your organization and how those threats are likely to materialize and impact you and your partners, now and in the future. Say for example the threat profile for a manufacturing industry(NIST IR8183) will look different from the threat profile for a smart grid(NIST IR2051).

management need to evaluate the value of cost.