Which of the following metrics would be considered an accurate measure of an information security program's performance?
A. The number of key risk indicators (KRIs) identified, monitored, and acted upon
B. A combination of qualitative and quantitative trends that enable decision making
C. A single numeric score derived from various measures assigned to the security program
D. A collection of qualitative indicators that accurately measure security exceptions