An information security manager is evaluating the key risk indicators (KRIs) for an organization's information security program. Which of the following would be the information security manager's GREATEST concern?
A. Undefined thresholds to trigger alerts
B. Multiple KRIs for a single control process
C. Use of qualitative measures
D. Lack of formal KRI approval from IT management
A. Undefined thresholds to trigger alerts
B. Multiple KRIs for a single control process
C. Use of qualitative measures
D. Lack of formal KRI approval from IT management