Deciding the level of protection a particular asset should be given in BEST determined by:

A. a threat assessment.
B. a vulnerability assessment.
C. a risk analysis.
D. the corporate risk appetite.