Which metric BEST indicates whether a vulnerability management program is effective over a 12-month period?

  A. Total number of vulnerabilities discovered by scanners
  B. Number of scanning tools deployed
  C. Percentage reduction in critical vulnerabilities and mean time to remediation ✓
  D. Total vulnerabilities reported to management

Correct answer: Percentage reduction in critical vulnerabilities and mean time to remediation

Option C is correct because the percentage reduction in critical vulnerabilities over time and mean time to remediation (MTTR) are outcome-based metrics that directly measure whether the program is successfully eliminating risk, demonstrating trend improvement rather than just activity. Option A is incorrect because the total number of vulnerabilities discovered only reflects scanner coverage and the attack surface size, not whether those vulnerabilities are being fixed or risk is declining. Option B is incorrect because the number of scanning tools deployed is an input metric reflecting investment, not an outcome metric showing whether the program is reducing exposure. Option D is incorrect because the total vulnerabilities reported to management measures reporting activity and communication, not actual remediation effectiveness or risk reduction over time.

Topic: vulnerability management, metrics, mean time to remediation, cysa+