An information security manager is analyzing a risk that is believed to be severe, but lacks numerical evidence to determine the impact the risk could have on the organization. In this case the information security manager should:
A. use a qualitative method to assess the risk.
B. use a quantitative method to assess the risk.
C. put it in the priority list in order to gain time to collect more data.
D. ask management to increase staff in order to collect more evidence on severity.
A. use a qualitative method to assess the risk.
B. use a quantitative method to assess the risk.
C. put it in the priority list in order to gain time to collect more data.
D. ask management to increase staff in order to collect more evidence on severity.