Which of the following should be of GREATEST concern to an information security manager when establishing a set of key risk indicators (KRIs)?
A. The impact of security risk on organizational objectives is not well understood.
B. Risk tolerance levels have not yet been established.
C. Several business functions have been outsourced to third-party vendors.
D. The organization has no historical data on previous security events.
A. The impact of security risk on organizational objectives is not well understood.
B. Risk tolerance levels have not yet been established.
C. Several business functions have been outsourced to third-party vendors.
D. The organization has no historical data on previous security events.