CISM Certified Information Security Manager – Question1474

Which of the following information security metrics is the MOST difficult to quantify?

A.
Cost of security incidents prevented
B. Percentage of controls mapped to industry frameworks
C. Extent of employee security awareness
D. Proportion of control costs to asset value

Correct Answer: C