CISM Certified Information Security Manager – Question 1080

The PRIMARY reason for using metrics to evaluate information security is to:

A. identify security weaknesses.
B. justify budgetary expenditures.
C. enable steady improvement.
D. raise awareness on security issues.

Correct Answer: C

Explanation: The purpose of a metric is to facilitate and track continuous improvement. It will not permit the identification of all security weaknesses. It will raise awareness and help in justifying certain expenditures, but this is not its main purpose.