“Yes” and “No” questions, referred to as “polar questions”, provide a more definitive level of response, which some CISOs prefer to ordinal responses. At V3 we believe that polar responses do not capture the level of maturity of a particular control. We understand that people naturally prefer the simplicity of whole-number responses, but we believe that in cybersecurity, whole-number responses lead to a false sense of security. Consider the example below.
EXAMPLE: Are technical controls in place to segregate networks?
Answering “Yes” or “No” does not provide the insight needed to give a response aligned with the intent of the control. We must understand the level of maturity associated with the control in order to judge how effective it actually is.
Let's assume that we want to answer “Yes” because we have firewalls that separate our network segments. What if the policy enforced by those technical controls allowed all traffic to traverse the device? We could technically answer “Yes” to the question, but clearly the intent of the control has not been met, and the answer would misrepresent the organization's posture.
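To make the difference concrete, the following added example (not part of the original text, and not a V3 tool) scores the network segregation control from a constructed firewall ruleset: the polar check answers “Yes” as soon as any rule exists, while the ordinal score distinguishes an allow-all policy from a least-privilege policy with a default deny. Rule fields and the four-level scale are assumptions chosen for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    """One firewall rule; 'any' is a wildcard. Rules are evaluated first-match."""
    src: str      # source segment or address, or "any"
    dst: str      # destination segment or address, or "any"
    port: str     # destination port, or "any"
    action: str   # "allow" or "deny"

def is_wildcard(rule: Rule) -> bool:
    return rule.src == "any" and rule.dst == "any" and rule.port == "any"

def polar_answer(rules: list[Rule]) -> bool:
    """Polar question: 'Are technical controls in place?' Any device with rules -> Yes."""
    return len(rules) > 0

def maturity_level(rules: list[Rule]) -> int:
    """Ordinal answer on a 0-3 scale (assumed scale, for illustration):
    0 no technical control present
    1 control present but the reachable default is allow-all (intent not met)
    2 explicit allows but no enforced default deny, or overly broad allows
    3 specific allows (named endpoint and port) followed by a default deny
    """
    if not rules:
        return 0
    # First wildcard rule in order decides the effective default action.
    default = next((r.action for r in rules if is_wildcard(r)), None)
    if default == "allow":
        return 1
    if default is None:
        return 2
    allows = [r for r in rules if r.action == "allow"]
    specific = all(r.port != "any" and (r.src != "any" or r.dst != "any") for r in allows)
    return 3 if specific else 2

# Constructed sample rulesets (not from any real device).
NO_CONTROL = []
ALLOW_ALL = [Rule("any", "any", "any", "allow")]
PARTIAL = [Rule("10.1.0.0/24", "10.2.0.0/24", "any", "allow")]
SEGMENTED = [Rule("10.1.0.0/24", "10.2.0.10", "443", "allow"),
             Rule("any", "any", "any", "deny")]

if __name__ == "__main__":
    for name, rs in [("none", NO_CONTROL), ("allow-all", ALLOW_ALL),
                     ("partial", PARTIAL), ("segmented", SEGMENTED)]:
        print(f"{name:10s} polar={polar_answer(rs)!s:5s} maturity={maturity_level(rs)}")
```

Both the allow-all and the segmented rulesets return a polar “Yes”; only the ordinal score separates them.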