Information security managers should use risk assessment techniques to:

A.
justify selection of risk mitigation strategies.

B.
maximize the return on investment (ROD.

C.
provide documentation for auditors and regulators.

D.
quantify risks that would otherwise be subjective.

Explanation:

Information security managers should use risk assessment techniques to justify and implement a
risk mitigation strategy as efficiently as possible. None of the other choices accomplishes that
task, although they are important components.