Quiz: Security Metrics, Measurement, and Reporting to the Board

A 26-question self-check covering metric selection, MTTD/MTTR/coverage, maturity models, and board reporting. Several questions are tagged with the certification domain they map to — [Sec+] for CompTIA Security+ and [CISSP] for the (ISC)² CISSP — so certification candidates can self-assess. Answers and one-line explanations are at the end; try the whole quiz before checking.


Section 1 — Multiple choice (1 pt each)

1. [Sec+] A measurement that looks impressive but supports no decision — typically unbounded and lacking a denominator — is best called a: A. key risk indicator B. vanity metric C. benchmark D. maturity score

2. "Mean time to detect" measures the elapsed time from: A. detection to containment B. the incident's start to its detection C. ticket open to ticket close D. alert to acknowledgement

3. [Sec+] "Mean time to respond" most commonly measures from: A. incident start to detection B. detection to resolution/containment C. patch release to patch deploy D. board meeting to board meeting

4. Control coverage is most honest only when you can trust the: A. numerator B. vendor C. denominator (total in-scope items) D. color of the dashboard

5. [CISSP] A metric that measures how much risk the organization is currently carrying, as an early-warning signal, is a: A. KPI B. KRI C. SLA D. SLO

6. Which is the best reason to report the median detection time alongside the mean? A. medians are always lower B. a single slow outlier can distort the mean C. boards prefer medians D. it doubles the number of metrics

7. [Sec+] On a five-level maturity scale, a process that is documented, standardized, and applied consistently across the organization is at which level? A. Initial B. Repeatable C. Defined D. Optimized

8. The four questions a board metrics pack should answer are best summarized as: A. who, what, when, where B. are we exposed / improving / spending well / how do we compare C. confidentiality, integrity, availability, accountability D. people, process, technology, tools

9. "We blocked 2.4 million attacks this quarter" fails as a board metric primarily because it is: A. false B. too small C. unbounded activity with no denominator or outcome D. classified

10. [CISSP] A board approves a risk appetite. For a metric to be meaningful to that board, it should ideally be presented: A. as a raw count B. against the appetite threshold and as a trend C. in packets per second D. without comparison, to avoid bias

11. Optimizing a single metric until it stops reflecting reality (e.g., closing tickets early to cut MTTR) is an instance of: A. defense in depth B. Goodhart's law / metric gaming C. least privilege D. the CIA triad

12. [Sec+] Which belongs on an operational dashboard rather than a board deck? A. risk vs. appetite B. program maturity trend C. SIEM rule false-positive rate D. major-incident business impact

13. A risk burn-down chart is most useful for showing a board: A. how many alerts fired B. quantified risk declining over time toward appetite C. the org chart D. firewall throughput

14. The relationship between executive and operational metrics is best described as: A. they are unrelated B. executive metrics aggregate and abstract operational ones C. operational metrics replace executive ones D. only operational metrics are real


Section 2 — True / False with justification (1 pt each)

For each, mark T or F and give a one-sentence reason.

15. "More SIEM alerts always means better detection."

16. [Sec+] "A coverage metric of 100% MFA on admin accounts means there is no remaining identity risk."

17. "Because boards are non-technical, the CISO should avoid all numbers and speak only in generalities."

18. "Reporting a failing (amber) metric to the board damages the CISO's credibility more than hiding it would."

19. "A maturity score is a precise measurement, so reporting it to two decimal places (e.g., 2.47) is appropriate."

20. "MTTD should be measured from the attacker's true first action, even though that time is usually reconstructed after the fact."


Section 3 — Fill in the blank (1 pt each)

21. A _ metric measures how well a process performs; a _ metric signals how much risk the organization is carrying.

22. MTTD + MTTR for an incident together describe the attacker's total _ of _ — from first action to contained.

23. [Sec+] A reference value (peer average, prior period, regulatory threshold) used to give a metric meaning by comparison is a __.


Section 4 — Short answer (2 pts each)

24. [CISSP] A board metrics pack should answer four questions. List them, and for each name one metric or visual from the chapter that answers it.

25. Compute and interpret: three incidents have detection intervals of 1, 3, and 14 hours. Give the MTTD and the median, and explain in one sentence which you would lead a board slide with and why.


Section 5 — Applied scenario (5 pts)

26. Dana is building Meridian's first board scorecard. (a) Name three metrics you would put on the one-screen executive view and the board question each answers. (b) For one of them, explain how it "rolls up" from an operational metric the SOC produces. (c) Identify one honest "watch" item you would include and explain why including bad news strengthens rather than weakens the deck. (d) Give one metric you would deliberately leave off the board view and say why.


Answer Key

1. **B** — a vanity metric looks good but drives no decision.
2. **B** — MTTD spans incident-start to detection.
3. **B** — MTTR spans detection to resolution/containment.
4. **C** — coverage is only as honest as its denominator (the asset inventory).
5. **B** — a KRI is a leading risk-level indicator.
6. **B** — one slow outlier inflates the mean; the median reveals the typical case.
7. **C** — Defined = documented, standardized, consistently applied.
8. **B** — exposed / improving / spending well / compare.
9. **C** — unbounded activity with no denominator or outcome.
10. **B** — against appetite and as a trend.
11. **B** — Goodhart's law: a measure optimized blindly stops measuring what mattered.
12. **C** — false-positive rate is operational SOC tuning, not board-level.
13. **B** — a burn-down shows quantified risk declining toward appetite.
14. **B** — executive metrics aggregate/abstract operational ones.
15. **F** — more alerts can mean worse tuning (false positives) as easily as better coverage; volume without a denominator or outcome is not a quality signal.
16. **F** — 100% of *known* admin accounts; unknown/orphaned accounts (Chapter 18) are excluded from the denominator and remain a real risk.
17. **F** — boards need a small set of load-bearing numbers framed as risk; vagueness fails their oversight duty. The skill is translation, not omission.
18. **F** (the statement is false as written) — **hiding** the failing metric does far more damage to credibility; an honest amber with a plan builds trust, and an all-green deck that collapses destroys it.
19. **F** — maturity is a structured judgment, not a two-decimal measurement; false precision misrepresents it. Report "about 2.5" tied to evidence.
20. **T** — anchoring "begin" to the true first action (reconstructed via forensics) is the only honest MTTD; measuring from first alert understates dwell time.
21. KPI; KRI.
22. window; opportunity.
23. benchmark.
24. The four questions and a sample metric each: *Are we exposed?* → risk vs. appetite (top-5 risks). *Are we improving?* → maturity trend and/or risk burn-down. *Is the money working?* → spend mapped to risk reduced. *How do we compare?* → MTTD/MTTR or coverage against a peer/prior benchmark.
25. MTTD = (1 + 3 + 14) / 3 = 18 / 3 = 6 hours; median = 3 hours. Lead with the **median (3 h)**, or better, present both, because the 14-hour outlier inflates the mean and the median better represents typical detection, while the outlier itself is named as the improvement target rather than hidden inside an average.
26. (a) e.g., *risk vs. appetite* (are we exposed?), *maturity trend* (are we improving?), *MTTD/MTTR vs. benchmark* (how do we compare?). (b) MTTD/MTTR rolls up from per-incident timestamps the SOC records in the ticketing/SIEM system: each incident's detect-minus-begin and resolve-minus-detect, averaged. (c) An honest "watch" item (e.g., third-party risk above appetite, with a funded plan) makes the rest of the deck *believable*; a board that sees only green stops trusting the report, and disclosure duties make hiding known problems a liability. (d) Leave off raw alert volume / "attacks blocked" / SIEM false-positive rate: operational or vanity numbers that answer none of the board's four questions and crowd out the ones that do.

**Topics to review by question:** missed 1, 9 → §36.1 (vanity metrics); 2–4, 6 → §36.3 (MTTD/MTTR/coverage); 5, 21 → §36.1 (KPI/KRI); 7, 19 → §36.4 (maturity); 8, 10, 13, 24 → §36.5 (board conversation); 11 → §36.3 (gaming); 12, 14, 17 → §36.2 (operational vs. executive); 18 → §36.5 (honesty/credibility); 26 → §36.6 (Meridian pack).
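The roll-up described in questions 25 and 26(b), and the denominator point from questions 4 and 16, written out as an added example (this is not code from the chapter or from any vendor tool). It takes per-incident timestamps of the kind a SOC ticketing system records, computes MTTD and MTTR as both mean and median in hours, names the slowest detection so the outlier is surfaced rather than buried in the average, and computes a coverage figure only against an explicit in-scope inventory. The ticket IDs, timestamps and admin-account names are constructed for illustration; the three incidents reproduce the 1 h / 3 h / 14 h detection intervals from question 25.

```python
"""Roll per-incident SOC timestamps up into executive MTTD/MTTR and coverage figures.

Added example for the chapter quiz; all data below is constructed, not real.
"""
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, median
from typing import Dict, Iterable, List, Optional


@dataclass
class Incident:
    ticket: str
    began: datetime               # attacker's true first action, reconstructed by forensics (Q20)
    detected: datetime            # moment the SOC recognised it as an incident
    resolved: Optional[datetime]  # containment/resolution; None while the ticket is still open

    def detect_hours(self) -> float:
        """MTTD input: detect minus begin."""
        return (self.detected - self.began).total_seconds() / 3600

    def respond_hours(self) -> Optional[float]:
        """MTTR input: resolve minus detect; undefined until the ticket closes."""
        if self.resolved is None:
            return None
        return (self.resolved - self.detected).total_seconds() / 3600


def rollup(incidents: Iterable[Incident]) -> Dict[str, object]:
    """Aggregate operational per-incident intervals into the executive-level numbers."""
    incidents = list(incidents)
    detect = [(i.ticket, i.detect_hours()) for i in incidents]
    respond = [(i.ticket, i.respond_hours()) for i in incidents if i.resolved is not None]
    d_vals = [h for _, h in detect]
    r_vals = [h for _, h in respond]
    slowest_ticket, slowest_h = max(detect, key=lambda t: t[1])
    return {
        "incidents": len(incidents),
        "still_open": len(incidents) - len(respond),     # open tickets count for MTTD, not MTTR
        "mttd_mean_h": round(mean(d_vals), 2),
        "mttd_median_h": round(median(d_vals), 2),       # report beside the mean (Q6)
        "mttr_mean_h": round(mean(r_vals), 2) if r_vals else None,
        "mttr_median_h": round(median(r_vals), 2) if r_vals else None,
        "slowest_detect": slowest_ticket,                # the outlier becomes the named target (Q25)
        "slowest_detect_h": round(slowest_h, 2),
    }


def coverage(in_scope: Iterable[str], covered: Iterable[str]) -> Dict[str, object]:
    """Coverage as covered / in-scope, with the denominator taken from the inventory (Q4, Q16)."""
    scope, done = set(in_scope), set(covered)
    if not scope:
        raise ValueError("no in-scope inventory: a coverage percentage would be meaningless")
    # Items that are 'covered' but absent from the inventory prove the denominator is incomplete.
    not_in_inventory = sorted(done - scope)
    hit = len(done & scope)
    return {
        "covered": hit,
        "in_scope": len(scope),
        "pct": round(100.0 * hit / len(scope), 1),
        "not_in_inventory": not_in_inventory,
    }


# Constructed sample: three closed incidents with 1 h, 3 h and 14 h detection intervals.
SAMPLE_INCIDENTS: List[Incident] = [
    Incident("INC-101", datetime(2024, 3, 4, 8, 0), datetime(2024, 3, 4, 9, 0), datetime(2024, 3, 4, 13, 0)),
    Incident("INC-102", datetime(2024, 3, 11, 2, 0), datetime(2024, 3, 11, 5, 0), datetime(2024, 3, 11, 11, 0)),
    Incident("INC-103", datetime(2024, 3, 18, 20, 0), datetime(2024, 3, 19, 10, 0), datetime(2024, 3, 19, 18, 0)),
]

# Constructed sample inventory: one MFA-enrolled account is not in the admin inventory at all.
ADMIN_INVENTORY = ["alice", "bob", "carol", "dave"]
MFA_ENROLLED = ["alice", "bob", "carol", "svc-backup"]

if __name__ == "__main__":
    print(rollup(SAMPLE_INCIDENTS))
    print(coverage(ADMIN_INVENTORY, MFA_ENROLLED))
```

Reading the output: the mean detection time is 6 h but the median is 3 h, and INC-103 is named as the 14 h outlier, which is what the board slide should lead with. The coverage call returns 75% MFA on the four inventoried admins and flags `svc-backup` as a covered account the inventory never knew about, which is the signal that the denominator, not the numerator, needs work.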