When developing metrics to measure and monitor information security programs, the information security manager should ensure that the metrics reflect the:

A.
residual risks.

B.
levels of security.

C.
security objectives.

D.
statistics of security incidents.

Explanation:
Metrics should be developed based on security objectives, so they it can measure the effectiveness and efficiency of information security controls. Metrics are not only used to measure the results of the security controls (residual risks), but also the attributes of the control implementation. Metrics are not only used to measure the result of the security controls (levels of security), but also the attributes of the control implementation. Not only statistics are collected, but other attributes of the information security controls should also be considered.