Management decisions concerning information security investments will be MOST effective when they are based on: 

Answer options:

A. an annual loss expectancy (ALE) determined from the history of security events.
B. the formalized acceptance of risk analysis by management.
C. the reporting of consistent and periodic assessments of risks.
D. a process for identifying and analyzing threats and vulnerabilities.

C