An internal control audit has revealed a control deficiency related to a legacy system where the compensating controls no longer appear to be effective. Which of the following would BEST help the information security manager determine the security requirements to resolve the control deficiency?

A. Cost-benefit analysis
B. Gap analysis
C. Risk assessment
D. Business case