Which of the following should be of GREATEST concern to an information security manager when establishing a set of key risk indicators (KRIs)? 

Answer options:

A. The impact of security risk on organizational objectives is not well understood.
B. Risk tolerance levels have not yet been established.
C. Several business functions have been outsourced to third-party vendors.
D. The organization has no historical data on previous security events.

B