When an information security manager presents an information security program status report to senior management, the MAIN focus should be:

A. critical risks indicators.
B. key controls evaluation.
C. key performance indicators (KPIs).
D. net present value (NPV).