Answer D)
If the spelling was correct for KRI, then this is the answer.
https://safetyculture.com/topics/risk-management/key-risk-indicators/#:~:text=By%20focusing%20on%20high%2Dpriority%20risks%20identified%20through%20KRIs%2C%20organizations%20can%20allocate%20resources%20where%20they%E2%80%99re%20most%20needed.%20This%20way%2C%20efforts%20for%20risk%20management%20become%20more%20intentional%20and%20strategic.
D. Key Risk Indicators (KRI)
Key Risk Indicators (KRIs) are metrics and data points used to monitor and assess the potential risks that can impact the organization's strategic objectives and success. KRIs are more closely related to risk assessment and are used to identify and track risks that may affect the organization's performance and success.
In an organization's strategic risk assessment, the threat analysis part is most likely to include information on items affecting the success of the organization. Threat analysis involves identifying potential threats that could negatively impact the organization's ability to achieve its objectives. By identifying these threats, the organization can develop strategies to mitigate them and ensure its success. Vulnerability analysis, KPI, and KRI are also important parts of a strategic risk assessment, but they may not necessarily focus on items affecting the success of the organization.
In summary, KPIs measure performance against objectives, while KRIs monitor potential risks that could impact an organization's ability to achieve its objectives.
The question is about future planning. The CISSP Official Study Guide pg 18 defines a Strategic Plan as "a long-term plan that is fairly stable. It defines the organization's security purpose. It defines the security function and aligns it to the goals, mission, and objectives of the organization. It's useful for about five years, if it is maintained and updated annually."
The CISSP Official Student Guide pg 71 defines KRIs as "KPIs are different from KRIs. KPIs can be viewed as looking to the past while KRIs involve peering into the future. KPIs, by definition, mean the activity has already happened. KRIs use modeling, analysis or educated guesswork to set anticipated levels for risk indicators as a prediction of events yet to occur."
D. Key Risk Indicator (KRI) is most likely to include information on items affecting the success of the organization as part of an organization's strategic risk assessment.
Based on the CBK, I think this is KPI. KPIs are monitoring tools for existing risk mitigations. KRIs allow an organization to maintain awareness of potential future risks.
PASTA – Process for Attack Simulation and Threat Analysis
An attacker-focused methodology focused on overall organizational risks rather than specific technical systems.
KRI jumps out given the definition of risk, the other 3 seem to be eliminated by logic.
KPIs are about past events (rules out C). Threats or vulnerabilities alone don't negatively affect the organisation (they need to be combined: a threat acts on a vulnerability). This rules out A and B.
Answer is D
"A key risk indicator (KRI) is a metric for measuring the likelihood that the combined probability of an event and its consequences will exceed the organization's risk appetite and have a profoundly negative impact on an organization's ability to be successful"
https://www.techtarget.com/searchcio/definition/key-risk-indicator-KRI#:~:text=A%20key%20risk%20indicator%20(KRI)%20is%20a%20metric%20for%20measuring,organization's%20ability%20to%20be%20successful.
KPIs, in my opinion, are an SLA metric - so KPIs for security tools could be reviewed, however this is a risk assessment - a Threat Analysis would certainly be performed to deduce risk within an organization, which would then feed into the KRI as an output from the assessment. I'm leaning towards D heavily on this.
YesPlease (11 months, 2 weeks ago)
Soleandheel (11 months, 2 weeks ago)
74gjd_37 (1 year, 2 months ago)
antonisnyc (1 year, 5 months ago)
invincible96 (1 year, 8 months ago)
jackdryan (1 year, 6 months ago)
RVoigt (1 year, 9 months ago)
Bodatiousbob (1 year, 9 months ago)
InclusiveSTEAM (1 year, 1 month ago)
Dee83 (1 year, 10 months ago)
evenkeel (1 year, 10 months ago)
oudmaster (1 year, 11 months ago)
Delab202 (1 year, 11 months ago)
BP_lobster (2 years ago)
Jamati (2 years ago)
JAckThePip (2 years, 1 month ago)
Cww1 (2 years, 2 months ago)
[Removed] (2 years, 1 month ago)
DERCHEF2009 (2 years, 2 months ago)
DERCHEF2009 (2 years, 2 months ago)
stickerbush1970 (2 years, 2 months ago)