A security manager is implementing a comprehensive security metrics program and needs to select appropriate indicators to measure the effectiveness of the organization's security controls. Which of the following metrics would be the BEST example of a key risk indicator (KRI) for monitoring the organization's patch management effectiveness?
Percentage of systems with critical vulnerabilities older than 30 days
Number of security team members certified in patch management
The percentage of systems with critical vulnerabilities older than 30 days is the best KRI because it directly measures risk exposure from unpatched systems. This metric indicates the potential security gap created by delayed patching and correlates with the likelihood of exploitation. Unlike volume metrics (patches applied) or capability metrics (certified staff), this KRI provides actionable insight into the actual risk state of the environment by focusing on what matters most - how many critical vulnerabilities remain unaddressed over time. Effective KRIs should provide early warning of increased risk, and aging critical vulnerabilities are a clear indicator of heightened security risk.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What are key risk indicators (KRIs)?
Open an interactive chat with Bash
Why is the percentage of systems with critical vulnerabilities older than 30 days a better metric than the number of patches applied?
Open an interactive chat with Bash
How can an organization improve its patch management effectiveness?
Open an interactive chat with Bash
ISC2 CISSP
Security Assessment and Testing
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
IT & Cybersecurity Package Join Premium for Full Access