Which of the following is the MOST important consideration when determining whether to accept residual risk after security controls have been implemented on a critical system?
A . Cost of the information control system.
B . Cost versus benefit of additional mitigating controls.
C . Annualized loss expectancy (ALE) for the system.
D . Frequency of business impact.
Answer: C