A newly-appointed risk management director for the IT department at Company XYZ, a major
pharmaceutical manufacturer, needs to conduct a risk analysis regarding a new system which the
developers plan to bring on-line in three weeks. The director begins by reviewing the thorough and
well-written report from the independent contractor who performed a security assessment of the

system. The report details what seems to be a manageable volume of infrequently exploited
security vulnerabilities. The likelihood of a malicious attacker exploiting one of the vulnerabilities is
low; however, the director still has some reservations about approving the system because of
which of the following?

A.
The resulting impact of even one attack being realized might cripple the company financially.

B.
Government health care regulations for the pharmaceutical industry prevent the director from
approving a system with vulnerabilities.

C.
The director is new and is being rushed to approve a project before an adequate assessment
has been performed.

D.
The director should be uncomfortable accepting any security vulnerabilities and should find time
to correct them before the system is deployed.