Which TWO of the following are examples of key risk indicators (KRIs) for cybersecurity risk?
Patch latency is a key indicator of vulnerability risk.
Why this answer
Option A is correct because the time to patch critical vulnerabilities directly measures the organization's exposure window to known exploits, which is a leading indicator of cybersecurity risk. A longer patch time increases the likelihood of a successful attack, making it a key risk indicator (KRI) for vulnerability management.
Exam trap
The trap here is that candidates often confuse KRIs with KPIs, selecting metrics like training completion or phishing simulation results because they seem risk-related, but KRIs must directly measure the likelihood or impact of a risk event, not the performance of a control.