What is the likely reason top executives were not notified about security incidents in a large organization with a key risk indicator (KRI)?


The rationale behind the answer, the key risk indicator (KRI) sensitivity threshold, lies in the function of KRIs within an organization's risk management framework. KRIs are metrics that give early warning of rising risk exposure in different areas of the business. When incidents occur but do not cross the established sensitivity threshold, they may be treated as insignificant or as falling within the accepted range of operational variability, and so are judged not to warrant executive attention.

In this scenario, the lack of notification to top executives most likely reflects reliance on thresholds attached to the risk indicators, which dictate when an incident is escalated for awareness or action. If a security incident falls below the threshold, the reporting structure treats it as a routine occurrence and it never reaches higher-level review. Top executives therefore remain unaware of potentially relevant security concerns because those incidents were classified as minor.

Additionally, while other options touch on aspects of KRIs and their management, they do not directly attribute the non-notification of executives to a lack of incident severity as effectively as the sensitivity threshold reason does. For instance, KRIs not being linked to specific controls would indicate a disconnect in risk management but doesn’t inherently explain why incidents wouldn’t be reported; similarly with high maintenance
