Exam CRISC topic 1 question 815 discussion

C. vulnerabilities remediated. The best key performance indicator (KPI) to measure the effectiveness of a vulnerability remediation program is the number of vulnerabilities remediated. This KPI directly reflects the program's ability to address and mitigate security vulnerabilities in a timely manner. It demonstrates that identified vulnerabilities are being addressed and closed, reducing the organization's overall exposure to potential security risks. Tracking the number of vulnerabilities remediated over time allows for the monitoring of program effectiveness and helps ensure that security risks are being actively managed.

Going with C. Recurring seems more like a KRI to me.

i have to change to 'C', reason: This indicates the actual progress made in addressing identified vulnerabilities, while the number of recurring vulnerabilities could indicate that the remediation efforts are not effective or not being applied consistently.

Agree.

B: is correct. Recurring vulnerabilities are those that have come up again after remediation. That is known as the Vulnerability Re-Open Rate.

b is more sence

B make most sense for effective vulnerability remediation program. Recurring vulnerability normally refer to same vulnerability found in system on next scan after remediation done or reported done. This will indicate the solution / remediation is not working or not done properly which warrant the effectiveness of remediation process. so B make more sense to me.

C makes most sense, recurring vulnerabilities could be on other hosts.

I think C is the better answer for KPI

B. recurring vulnerabilities shows a risk so its KRI not KPI. I don't know what is the best answer here but B is wrong.