A security architect is seeking to outsource company server resources to a commercial cloud
service provider. The provider under consideration has a reputation for poorly controlling physical
access to datacenters and has been the victim of multiple social engineering attacks. The service
provider regularly assigns VMs from multiple clients to the same physical resources. When
conducting the final risk assessment which of the following should the security architect take into
consideration?

A.
The ability to implement user training programs for the purpose of educating internal staff about
the dangers of social engineering.

B.
The cost of resources required to relocate services in the event of resource exhaustion on a
particular VM.

C.
The likelihood a malicious user will obtain proprietary information by gaining local access to the
hypervisor platform.

D.
Annual loss expectancy resulting from social engineering attacks against the cloud service
provider affecting corporate network infrastructure.