Flashcards

Security Metrics

Measuring and reporting security effectiveness

5 minutes 5 Questions

Security Metrics are quantifiable measurements used to assess, monitor, and report on security controls, processes, and overall security posture of an organization. In CISSP context, security metrics provide objective data for security governance and risk management decisions. Key aspects of Secur…

Concepts covered

Return on Security Investment (ROSI)Security Risk Assessments Incident Response Capability Risk Appetite Alignment Vulnerability Identification and Management Mean Time to Detect (MTTD)Mean Time to Respond (MTTR)Security Awareness Training Effectiveness Cost of Cyber Incidents Patch Management Maturity Key Risk Indicators (KRIs)

Test mode:

Exam (Timed)

Practice (With explanations)

Start practice test

Question 1

What is a security control?

A system for monitoring security events and incidents A mechanism for investigating security breaches A tool for measuring the effectiveness of security solutions A safeguard or countermeasure to avoid, detect, counteract, or minimize security risks

Correct Answer: A safeguard or countermeasure to avoid, detect, counteract, or minimize security risks

A security control is a safeguard or countermeasure that is put in place to avoid, detect, counteract, or minimize security risks. This can include technical controls, such as firewalls or access controls, as well as administrative controls, such as policies and procedures.

Question 2

Which of the following is NOT a Security Metric?

Number of Employees in the organization Number of firewall rules in the network Number of successful phishing attacks on the organization Number of patches applied in a given period

Correct Answer: Number of Employees in the organization

Security Metrics are measures used to evaluate the effectiveness of security controls. The number of employees is not an effective security metric as it does not evaluate the effectiveness of security controls.

Question 3

What Security Metric is used to measure the impact of a security incident?

c. Number of Security Incidents d. Number of Firewall Rules a. Mean Time To Recover (MTTR) b. Mean Time To Detect (MTTD)

Correct Answer: a. Mean Time To Recover (MTTR)

Mean Time To Recover (MTTR) is the primary Security Metric to evaluate the impact of Security Incidents. It is defined as the average time it takes to recover from a security incident from the time it is detected.

Unlock Premium Access

CISSP

Security Metrics

CISSP - Security Metrics Example Questions

Question 1

Question 2

Question 3

Unlock Premium Access