A quarterly risk report for the IT steering committee shows a key risk indicator (KRI) called 'patch lag' has increased from 15 days to 45 days. What does this trend most likely indicate?
Correct. Higher patch lag means systems are exposed longer.
Why this answer
The patch lag KRI measures the time between a patch's release and its deployment. An increase from 15 to 45 days means systems are exposed to known vulnerabilities for a longer period, directly increasing the window of opportunity for exploitation. This trend indicates a worsening security posture and higher vulnerability risk.
Exam trap
The trap here is that candidates may confuse a KRI trend with the risk level itself and assume that a change in the indicator does not necessarily mean a change in risk. In CRISC, however, a worsening KRI such as patch lag directly signals increased vulnerability risk.
How to eliminate wrong answers
Option A is wrong because a significant increase in patch lag from 15 to 45 days represents a clear change in risk level, not no change. Option B is wrong because an increased patch lag means patches are applied more slowly, which degrades rather than improves the security posture. Option D is wrong because a longer delay in applying patches increases the attack surface and vulnerability risk, rather than decreasing it.