Exam CISM
Question 465

Using which of the following metrics will BEST help to determine the resiliency of IT infrastructure security controls?

    Correct Answer: C

    To determine the resiliency of IT infrastructure security controls, the most appropriate metric is the number of successful disaster recovery tests. Successful disaster recovery tests provide a direct measure of how well the infrastructure can recover and maintain operations after a disruptive incident. Regularly conducting and passing these tests indicates that the security controls are effective in ensuring the system's ability to withstand and recover from various disruptions, thereby demonstrating its resiliency.

Discussion
Dravidian Option: B

The question is clear in asking how we can best measure the resiliency of the security program. This is not all about DR. The best way to measure resiliency would be to see how many incidents actually end up causing a disruption. B is the right answer.

CarlLimps Option: C

I'm thinking this should be C. Number of successful disaster recovery tests. Perhaps I'm not understanding the question.

Saisharan Option: C

The number of successful disaster recovery tests provides a direct measure of the effectiveness and resiliency of IT infrastructure security controls. It demonstrates the ability of the organization to recover and restore critical systems and data in the event of a disruptive incident. By conducting regular tests and achieving successful outcomes, it indicates that the security controls in place are capable of withstanding and recovering from various disruptions or incidents. Option C

Tsubasa1234 Option: C

C. The number of successful disaster recovery tests is best suited to assess the resiliency of IT infrastructure security controls. Disaster recovery plans are critical to address system disruptions due to security events or natural disasters. Periodic testing can verify that the plan actually works. On the other hand, the percentage of unresolved high-risk audit issues is a less reliable metric because it is also affected if the issue is fixed before the audit is completed. Also, the frequency of system software updates, while it may help strengthen security controls, is not directly relevant to assessing resiliency. B. Number of incidents resulting in disruptions is not the best measure of the robustness of the security controls in an IT infrastructure. This is because the frequency of security incidents is not an indicator of the robustness of security controls, which are affected by other factors as well.

koala_lay

Agree with the answer C. Thanks for your detailed explanation.

AlexJacobson Option: C

Again, a tough question. I'm gonna go with C here since DR tests are there to test whether the system is resilient enough in the face of a disaster. Just because a business didn't have many incidents that resulted in a disruption doesn't mean its IT infrastructure is resilient. It can easily be luck of not facing an incident severe enough.

03allen

I agree on this

koala_lay Option: C

The metric that would best help determine the resiliency of IT infrastructure security controls is option C: Number of successful disaster recovery tests. Disaster recovery tests are designed to simulate various potential incidents or disruptions to the IT infrastructure and evaluate the effectiveness of the security controls in place. By measuring the number of successful tests, organizations can assess how well their infrastructure can recover from such events and how resilient their security controls are. This metric provides a direct measurement of the ability to withstand and recover from potential security breaches or incidents.

AaronS1990 Option: B

The key here is the term "resiliency". If the system is resilient enough we may not even have a disruption in the first place, so I'll go with B.

richck102 Option: B

B. Number of incidents resulting in disruptions

wello Option: B

B. Number of incidents resulting in disruptions

POWNED Option: B

Do not think data recovery test is a metric... going with B.

POWNED

*disaster recovery test

Alizadeh Option: C

C. Number of successful disaster recovery tests

Uncle_Lucifer Option: B

Due to the word "resilience" it can't be data recovery test. It's B.

oluchecpoint Option: C

C. Number of successful disaster recovery tests. This metric directly assesses the ability of IT infrastructure security controls to recover and maintain operations after a disaster or incident. Successful disaster recovery tests indicate that the controls are effective in ensuring resiliency and business continuity. Monitoring the number of successful tests over time can help identify trends and provide insights into the overall resiliency of the IT infrastructure security controls.