Establishing Key Risk Indicators (KRIs) for Information Security Managers

B.

When establishing a set of key risk indicators (KRIs), the greatest concern for an information security manager should be ensuring that the KRIs are effective in managing and mitigating security risks. KRIs are used to identify, monitor, and communicate the level of risk exposure to an organization's information assets, systems, and processes. Effective KRIs should help managers make informed decisions and allocate resources to minimize risks to an acceptable level.

Out of the given options, the answer that best reflects the greatest concern for an information security manager when establishing KRIs is option A - "The impact of security risk on organizational objectives is not well understood."

This is because, without a clear understanding of the impact of security risks on organizational objectives, it becomes difficult to identify the appropriate KRIs to monitor and measure the level of risk exposure. Additionally, without this understanding, it becomes challenging to determine what level of risk is acceptable for the organization, which would impact risk tolerance levels.

Options B, C, and D are also important considerations for an information security manager when establishing KRIs. However, they do not represent the greatest concern.

Option B - "Risk tolerance levels have not yet been established" - is an important factor to consider, but it is not the greatest concern. Risk tolerance levels refer to the acceptable level of risk that the organization is willing to accept, and this can impact the KRIs selected.

Option C - "Several business functions have been outsourced to third-party vendors" - is another consideration that impacts the selection of KRIs. It is essential to ensure that third-party vendors meet the organization's security requirements and that their security posture does not introduce additional risks.

Option D - "The organization has no historical data on previous security events" - is also an important consideration as it can be challenging to identify and quantify risks without any historical data. However, this can be mitigated by using industry benchmarks and other sources of information to establish relevant KRIs.

In summary, the greatest concern for an information security manager when establishing KRIs is ensuring a clear understanding of the impact of security risks on organizational objectives, as this is essential for selecting effective KRIs. Risk tolerance levels, third-party vendors, and historical data on security events are also important considerations but are not the greatest concern.