Which would be one of the BEST metrics an information security manager can employ to
effectively evaluate the results of a security program?
A. Number of controls implemented
B. Percent of control objectives accomplished
C. Percent of compliance with the security policy
D. Reduction in the number of reported security incidents
Explanation:
Control objectives are directly related to business objectives; therefore, they would be the best
metrics. Number of controls implemented does not have a direct relationship with the results of a
security program. Percentage of compliance with the security policy and reduction in the number
of security incidents are not as broad as choice B.