Flashcards

Security Metrics

Measuring and reporting security effectiveness

Security metrics involves the measurement and reporting of security effectiveness and organizational risk. This subtopic covers the development and implementation of metrics to support security-related decision making, as well as the evaluation and reporting of security posture.

5 minutes 5 Questions

Security Metrics are quantifiable measurements used to assess, monitor, and report on security controls, processes, and overall security posture of an organization. In CISSP context, security metrics provide objective data for security governance and risk management decisions. Key aspects of Secur…

Concepts covered: Return on Security Investment (ROSI), Security Risk Assessments, Incident Response Capability, Risk Appetite Alignment, Vulnerability Identification and Management, Mean Time to Detect (MTTD), Mean Time to Respond (MTTR), Security Awareness Training Effectiveness, Cost of Cyber Incidents, Patch Management Maturity, Key Risk Indicators (KRIs)

Test mode:

Exam (Timed)

Practice (With explanations)

Start practice test

Question 1

What is a security control?

A tool for measuring the effectiveness of security solutions A safeguard or countermeasure to avoid, detect, counteract, or minimize security risks A mechanism for investigating security breaches A system for monitoring security events and incidents

Correct Answer: A safeguard or countermeasure to avoid, detect, counteract, or minimize security risks

A security control is a safeguard or countermeasure that is put in place to avoid, detect, counteract, or minimize security risks. This can include technical controls, such as firewalls or access controls, as well as administrative controls, such as policies and procedures.

Question 2

Which of the following is NOT a Security Metric?

Number of Employees in the organization Number of patches applied in a given period Number of firewall rules in the network Number of successful phishing attacks on the organization

Correct Answer: Number of Employees in the organization

Security Metrics are measures used to evaluate the effectiveness of security controls. The number of employees is not an effective security metric as it does not evaluate the effectiveness of security controls.

Question 3

What Security Metric is used to measure the impact of a security incident?

c. Number of Security Incidents a. Mean Time To Recover (MTTR) b. Mean Time To Detect (MTTD) d. Number of Firewall Rules

Correct Answer: a. Mean Time To Recover (MTTR)

Mean Time To Recover (MTTR) is the primary Security Metric to evaluate the impact of Security Incidents. It is defined as the average time it takes to recover from a security incident from the time it is detected.

🎓 Unlock Premium Access

CISSP + ALL Certifications

Security Metrics

CISSP - Security Metrics Example Questions

Question 1

Question 2

Question 3

🎓 Unlock Premium Access