The MAJOR advantage of the risk assessment approach over the baseline approach to information security
management is that it ensures:

A.
information assets are overprotected.

B.
a basic level of protection is applied regardless of asset value.

C.
appropriate levels of protection are applied to information assets.

D.
an equal proportion of resources are devoted to protecting all information assets.

Explanation:
Full risk assessment determines the level of protection most appropriate to a given level of risk, while the
baseline approach merely applies a standard set of protection regardless of risk. There is a cost advantage in
not overprotecting information. However, an even bigger advantage is making sure that no information assets
are over- or underprotected. The risk assessment approach will ensure an appropriate level of protection is
applied, commensurate with the level of risk and asset value and, therefore, considering asset value. The
baseline approach does not allow more resources to be directed toward the assets at greater risk, rather than
equally directing resources to all assets.