Which of the following would be the BEST indicator that an organization is appropriately managing risk? 

Answer options:

A. The number of security incident events reported by staff has increased
B. Risk assessment results are within tolerance
C. A penetration test does not identify any high-risk system vulnerabilities
D. The number of events reported from the intrusion detection system has declined

B