Evaluating an attack surface requires what actions?

A) Evaluating the probability that threats materialize
B) Creating a matrix for potential damage to systems
C) Creating a control methodology for mitigation of attack vectors
D) Gathering data about areas for entry, extraction, or vulnerability inside the internal environment